diff --git a/.claude/skills/atmos-aws-security b/.claude/skills/atmos-aws-security new file mode 120000 index 0000000000..a252bc3608 --- /dev/null +++ b/.claude/skills/atmos-aws-security @@ -0,0 +1 @@ +../../agent-skills/skills/atmos-aws-security \ No newline at end of file diff --git a/.golangci.yml b/.golangci.yml index 5c21be8c65..9a76f8b3dd 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -70,6 +70,7 @@ linters: - "!**/internal/aws_utils/**" - "!**/pkg/aws/identity/**" - "!**/pkg/aws/organization/**" + - "!**/pkg/aws/security/**" - "!**/pkg/provisioner/backend/**" - "!**/pkg/ci/github/**" - "!**/pkg/ci/planfile/github/**" diff --git a/NOTICE b/NOTICE index 6339277850..cd3496d377 100644 --- a/NOTICE +++ b/NOTICE @@ -39,15 +39,15 @@ APACHE 2.0 LICENSED DEPENDENCIES - cloud.google.com/go/iam License: Apache-2.0 - URL: https://github.com/googleapis/google-cloud-go/blob/iam/v1.6.0/iam/LICENSE + URL: https://github.com/googleapis/google-cloud-go/blob/iam/v1.7.0/iam/LICENSE - cloud.google.com/go/monitoring License: Apache-2.0 - URL: https://github.com/googleapis/google-cloud-go/blob/monitoring/v1.24.3/monitoring/LICENSE + URL: https://github.com/googleapis/google-cloud-go/blob/monitoring/v1.25.0/monitoring/LICENSE - cloud.google.com/go/secretmanager License: Apache-2.0 - URL: https://github.com/googleapis/google-cloud-go/blob/secretmanager/v1.16.0/secretmanager/LICENSE + URL: https://github.com/googleapis/google-cloud-go/blob/secretmanager/v1.17.0/secretmanager/LICENSE - cloud.google.com/go/storage License: Apache-2.0 @@ -107,11 +107,11 @@ APACHE 2.0 LICENSED DEPENDENCIES - github.com/aws/aws-sdk-go-v2/config License: Apache-2.0 - URL: https://github.com/aws/aws-sdk-go-v2/blob/config/v1.32.13/config/LICENSE.txt + URL: https://github.com/aws/aws-sdk-go-v2/blob/config/v1.32.14/config/LICENSE.txt - github.com/aws/aws-sdk-go-v2/credentials License: Apache-2.0 - URL: https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.19.13/credentials/LICENSE.txt + URL: https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.19.14/credentials/LICENSE.txt - github.com/aws/aws-sdk-go-v2/feature/ec2/imds License: Apache-2.0 @@ -119,7 +119,7 @@ APACHE 2.0 LICENSED DEPENDENCIES - github.com/aws/aws-sdk-go-v2/feature/s3/manager License: Apache-2.0 - URL: https://github.com/aws/aws-sdk-go-v2/blob/feature/s3/manager/v1.22.11/feature/s3/manager/LICENSE.txt + URL: https://github.com/aws/aws-sdk-go-v2/blob/feature/s3/manager/v1.22.12/feature/s3/manager/LICENSE.txt - github.com/aws/aws-sdk-go-v2/internal/configsources License: Apache-2.0 @@ -169,6 +169,10 @@ APACHE 2.0 LICENSED DEPENDENCIES License: Apache-2.0 URL: https://github.com/aws/aws-sdk-go-v2/blob/service/organizations/v1.51.0/service/organizations/LICENSE.txt + - github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi + License: Apache-2.0 + URL: https://github.com/aws/aws-sdk-go-v2/blob/service/resourcegroupstaggingapi/v1.31.10/service/resourcegroupstaggingapi/LICENSE.txt + - github.com/aws/aws-sdk-go-v2/service/s3 License: Apache-2.0 URL: https://github.com/aws/aws-sdk-go-v2/blob/service/s3/v1.98.0/service/s3/LICENSE.txt @@ -177,6 +181,10 @@ APACHE 2.0 LICENSED DEPENDENCIES License: Apache-2.0 URL: https://github.com/aws/aws-sdk-go-v2/blob/service/secretsmanager/v1.41.5/service/secretsmanager/LICENSE.txt + - github.com/aws/aws-sdk-go-v2/service/securityhub + License: Apache-2.0 + URL: https://github.com/aws/aws-sdk-go-v2/blob/service/securityhub/v1.68.3/service/securityhub/LICENSE.txt + - github.com/aws/aws-sdk-go-v2/service/signin License: Apache-2.0 URL: https://github.com/aws/aws-sdk-go-v2/blob/service/signin/v1.0.9/service/signin/LICENSE.txt @@ -187,11 +195,11 @@ APACHE 2.0 LICENSED DEPENDENCIES - github.com/aws/aws-sdk-go-v2/service/sso License: Apache-2.0 - URL: https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.30.14/service/sso/LICENSE.txt + URL: https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.30.15/service/sso/LICENSE.txt - github.com/aws/aws-sdk-go-v2/service/ssooidc License: Apache-2.0 - URL: https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.35.18/service/ssooidc/LICENSE.txt + URL: https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.35.19/service/ssooidc/LICENSE.txt - github.com/aws/aws-sdk-go-v2/service/sts License: Apache-2.0 @@ -199,7 +207,7 @@ APACHE 2.0 LICENSED DEPENDENCIES - github.com/aws/smithy-go License: Apache-2.0 - URL: https://github.com/aws/smithy-go/blob/v1.24.2/LICENSE + URL: https://github.com/aws/smithy-go/blob/v1.24.3/LICENSE - github.com/cloudposse/atmos License: Apache-2.0 @@ -239,7 +247,7 @@ APACHE 2.0 LICENSED DEPENDENCIES - github.com/containerd/platforms License: Apache-2.0 - URL: https://github.com/containerd/platforms/blob/v1.0.0-rc.3/LICENSE + URL: https://github.com/containerd/platforms/blob/v1.0.0-rc.4/LICENSE - github.com/containerd/stargz-snapshotter/estargz License: Apache-2.0 @@ -287,7 +295,7 @@ APACHE 2.0 LICENSED DEPENDENCIES - github.com/go-jose/go-jose/v4 License: Apache-2.0 - URL: https://github.com/go-jose/go-jose/blob/v4.1.3/LICENSE + URL: https://github.com/go-jose/go-jose/blob/v4.1.4/LICENSE - github.com/go-logr/logr License: Apache-2.0 @@ -547,15 +555,15 @@ APACHE 2.0 LICENSED DEPENDENCIES - google.golang.org/genproto/googleapis License: Apache-2.0 - URL: https://github.com/googleapis/go-genproto/blob/d5a96adf58d8/LICENSE + URL: https://github.com/googleapis/go-genproto/blob/9d38bb4040a9/LICENSE - google.golang.org/genproto/googleapis/api License: Apache-2.0 - URL: https://github.com/googleapis/go-genproto/blob/d5a96adf58d8/googleapis/api/LICENSE + URL: https://github.com/googleapis/go-genproto/blob/9d38bb4040a9/googleapis/api/LICENSE - google.golang.org/genproto/googleapis/rpc License: Apache-2.0 - URL: https://github.com/googleapis/go-genproto/blob/d5a96adf58d8/googleapis/rpc/LICENSE + URL: https://github.com/googleapis/go-genproto/blob/9d38bb4040a9/googleapis/rpc/LICENSE - google.golang.org/grpc License: Apache-2.0 @@ -648,7 +656,7 @@ BSD LICENSED DEPENDENCIES - github.com/aws/smithy-go/internal/sync/singleflight License: BSD-3-Clause - URL: https://github.com/aws/smithy-go/blob/v1.24.2/internal/sync/singleflight/LICENSE + URL: https://github.com/aws/smithy-go/blob/v1.24.3/internal/sync/singleflight/LICENSE - github.com/bearsh/hid/hidapi License: BSD-3-Clause @@ -684,11 +692,11 @@ BSD LICENSED DEPENDENCIES - github.com/go-jose/go-jose/v3/json License: BSD-3-Clause - URL: https://github.com/go-jose/go-jose/blob/v3.0.4/json/LICENSE + URL: https://github.com/go-jose/go-jose/blob/v3.0.5/json/LICENSE - github.com/go-jose/go-jose/v4/json License: BSD-3-Clause - URL: https://github.com/go-jose/go-jose/blob/v4.1.3/json/LICENSE + URL: https://github.com/go-jose/go-jose/blob/v4.1.4/json/LICENSE - github.com/godbus/dbus License: BSD-2-Clause @@ -728,7 +736,7 @@ BSD LICENSED DEPENDENCIES - github.com/googleapis/gax-go/v2 License: BSD-3-Clause - URL: https://github.com/googleapis/gax-go/blob/v2.20.0/v2/LICENSE + URL: https://github.com/googleapis/gax-go/blob/v2.21.0/v2/LICENSE - github.com/gorilla/css/scanner License: BSD-3-Clause @@ -872,11 +880,11 @@ BSD LICENSED DEPENDENCIES - google.golang.org/api License: BSD-3-Clause - URL: https://github.com/googleapis/google-api-go-client/blob/v0.273.1/LICENSE + URL: https://github.com/googleapis/google-api-go-client/blob/v0.274.0/LICENSE - google.golang.org/api/internal/third_party/uritemplates License: BSD-3-Clause - URL: https://github.com/googleapis/google-api-go-client/blob/v0.273.1/internal/third_party/uritemplates/LICENSE + URL: https://github.com/googleapis/google-api-go-client/blob/v0.274.0/internal/third_party/uritemplates/LICENSE - google.golang.org/protobuf License: BSD-3-Clause @@ -957,7 +965,7 @@ MOZILLA PUBLIC LICENSE (MPL) 2.0 DEPENDENCIES - github.com/hashicorp/go-getter License: MPL-2.0 - URL: https://github.com/hashicorp/go-getter/blob/v1.8.5/LICENSE + URL: https://github.com/hashicorp/go-getter/blob/v1.8.6/LICENSE - github.com/hashicorp/go-immutable-radix License: MPL-2.0 @@ -1082,7 +1090,7 @@ MIT LICENSED DEPENDENCIES - github.com/Azure/azure-sdk-for-go/sdk/internal License: MIT - URL: https://github.com/Azure/azure-sdk-for-go/blob/sdk/internal/v1.11.2/sdk/internal/LICENSE.txt + URL: https://github.com/Azure/azure-sdk-for-go/blob/sdk/internal/v1.12.0/sdk/internal/LICENSE.txt - github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions License: MIT @@ -1154,7 +1162,7 @@ MIT LICENSED DEPENDENCIES - github.com/anthropics/anthropic-sdk-go License: MIT - URL: https://github.com/anthropics/anthropic-sdk-go/blob/v1.27.1/LICENSE + URL: https://github.com/anthropics/anthropic-sdk-go/blob/v1.29.0/LICENSE - github.com/apparentlymart/go-cidr/cidr License: MIT @@ -1438,7 +1446,7 @@ MIT LICENSED DEPENDENCIES - github.com/huandu/go-sqlbuilder License: MIT - URL: https://github.com/huandu/go-sqlbuilder/blob/v1.40.0/LICENSE + URL: https://github.com/huandu/go-sqlbuilder/blob/v1.40.1/LICENSE - github.com/huandu/xstrings License: MIT @@ -1454,11 +1462,11 @@ MIT LICENSED DEPENDENCIES - github.com/itchyny/gojq License: MIT - URL: https://github.com/itchyny/gojq/blob/v0.12.18/LICENSE + URL: https://github.com/itchyny/gojq/blob/v0.12.19/LICENSE - github.com/itchyny/timefmt-go License: MIT - URL: https://github.com/itchyny/timefmt-go/blob/v0.1.7/LICENSE + URL: https://github.com/itchyny/timefmt-go/blob/v0.1.8/LICENSE - github.com/jbenet/go-context/io License: MIT @@ -1522,7 +1530,7 @@ MIT LICENSED DEPENDENCIES - github.com/lestrrat-go/dsig License: MIT - URL: https://github.com/lestrrat-go/dsig/blob/v1.0.0/LICENSE + URL: https://github.com/lestrrat-go/dsig/blob/v1.1.0/LICENSE - github.com/lestrrat-go/httpcc License: MIT @@ -1762,7 +1770,7 @@ MIT LICENSED DEPENDENCIES - github.com/yuin/gopher-lua License: MIT - URL: https://github.com/yuin/gopher-lua/blob/v1.1.1/LICENSE + URL: https://github.com/yuin/gopher-lua/blob/v1.1.2/LICENSE - github.com/zalando/go-keyring License: MIT diff --git a/agent-skills/AGENTS.md b/agent-skills/AGENTS.md index 113ce54990..59138c257f 100644 --- a/agent-skills/AGENTS.md +++ b/agent-skills/AGENTS.md @@ -73,6 +73,7 @@ When a task involves Atmos, activate the matching skill for detailed guidance. | Toolchain management: install/exec/search tools, .tool-versions, Aqua registries, custom registries, aliases | `atmos-toolchain` | `agent-skills/skills/atmos-toolchain/SKILL.md` | | Introspection: describe component/stacks/affected/dependents, list stacks/components/instances, querying, provenance | `atmos-introspection` | `agent-skills/skills/atmos-introspection/SKILL.md` | | Devcontainers: start/stop/attach/exec/shell, Docker/Podman, identity integration, instance management (experimental) | `atmos-devcontainer` | `agent-skills/skills/atmos-devcontainer/SKILL.md` | +| AWS security: analyze findings, map to components/stacks, structured remediation, compliance reports | `atmos-aws-security` | `agent-skills/skills/atmos-aws-security/SKILL.md` | ## Common Patterns diff --git a/agent-skills/skills/atmos-aws-security/SKILL.md b/agent-skills/skills/atmos-aws-security/SKILL.md new file mode 100644 index 0000000000..d031dcce9d --- /dev/null +++ b/agent-skills/skills/atmos-aws-security/SKILL.md @@ -0,0 +1,108 @@ +--- +name: atmos-aws-security +description: "AWS security finding analysis: analyze findings, map to Atmos components/stacks, generate structured remediation with exact Terraform changes and deploy commands" +metadata: + copyright: Copyright Cloud Posse, LLC 2026 + version: "1.0.0" +--- + +# Atmos AWS Security Finding Analysis + +You are analyzing AWS security findings that have been mapped to Atmos infrastructure components. +Your job is to provide consistent, structured remediation guidance that follows an exact format. + +## Output Format + +You MUST return your analysis using these exact section headers. Every section is required. +The output is parsed programmatically — do not deviate from the format. + +### Root Cause + +Explain WHY this finding exists in the infrastructure. Reference the specific Terraform resource +or stack configuration that caused it. Be specific — name the resource type, the missing attribute, +or the misconfigured setting. + +### Steps + +Return an ordered list of remediation steps. Each step should be a concrete action. +Use numbered list format: + +1. First step +2. Second step +3. Third step + +### Code Changes + +Show the specific Terraform/HCL changes needed. Use the component source code provided in the +context. Format as a diff or before/after: + +```hcl +# Before +resource "aws_s3_bucket" "this" { + bucket = var.bucket_name +} + +# After +resource "aws_s3_bucket" "this" { + bucket = var.bucket_name +} + +resource "aws_s3_bucket_versioning" "this" { + bucket = aws_s3_bucket.this.id + versioning_configuration { + status = "Enabled" + } +} +``` + +### Stack Changes + +Show the specific stack YAML changes needed. Reference the exact `vars` key to add or modify: + +```yaml +# stacks/deploy/prod/us-east-1.yaml +components: + terraform: + s3-bucket: + vars: + versioning_enabled: true +``` + +### Deploy + +Provide the exact `atmos terraform apply` command to deploy the fix: + +```bash +atmos terraform apply -s +``` + +### Risk + +Rate the risk of applying this remediation: `low`, `medium`, or `high`. +- `low` — Read-only change, no service disruption +- `medium` — Config change that may cause brief disruption +- `high` — Destructive change (resource replacement, data loss risk) + +### References + +List relevant AWS documentation URLs, CIS benchmark controls, or compliance framework references. + +## Context You Receive + +For each finding, you will receive: + +1. **Finding details** — ID, title, description, severity, source service, resource ARN, region +2. **Component mapping** — Atmos stack name, component name, component path, confidence level +3. **Component source** — The `main.tf` content from the Terraform component (if available) +4. **Stack config** — The resolved stack configuration for the component (if available) + +## Analysis Guidelines + +- Always reference the **specific Terraform resource** that needs to change. +- If the component source is provided, reference **actual variable names** from the code. +- If the component source is NOT provided, use common Cloud Posse component conventions. +- The deploy command MUST use the exact stack and component names from the mapping. +- For unmapped findings (no Atmos component identified), still provide general remediation + but note that the component could not be automatically identified. +- Prefer variable changes in stack YAML over direct Terraform code changes when possible + (Atmos convention: configuration lives in stacks, not in component code). diff --git a/cmd/aws/aws.go b/cmd/aws/aws.go index ca6cbc05ec..fed3edde10 100644 --- a/cmd/aws/aws.go +++ b/cmd/aws/aws.go @@ -3,8 +3,10 @@ package aws import ( "github.com/spf13/cobra" + awscompliance "github.com/cloudposse/atmos/cmd/aws/compliance" "github.com/cloudposse/atmos/cmd/aws/ecr" "github.com/cloudposse/atmos/cmd/aws/eks" + awssecurity "github.com/cloudposse/atmos/cmd/aws/security" "github.com/cloudposse/atmos/cmd/internal" "github.com/cloudposse/atmos/pkg/flags" "github.com/cloudposse/atmos/pkg/flags/compat" @@ -31,6 +33,12 @@ func init() { // Add EKS subcommand from the eks subpackage. awsCmd.AddCommand(eks.EksCmd) + // Add Security subcommand from the security subpackage. + awsCmd.AddCommand(awssecurity.SecurityCmd) + + // Add Compliance subcommand from the compliance subpackage. + awsCmd.AddCommand(awscompliance.ComplianceCmd) + // Register this command with the registry. internal.Register(&AWSCommandProvider{}) } diff --git a/cmd/aws/compliance/compliance.go b/cmd/aws/compliance/compliance.go new file mode 100644 index 0000000000..ee548386b3 --- /dev/null +++ b/cmd/aws/compliance/compliance.go @@ -0,0 +1,325 @@ +package compliance + +import ( + "context" + _ "embed" + "fmt" + "os" + "path/filepath" + "strings" + "time" + + "github.com/spf13/cobra" + "github.com/spf13/viper" + + errUtils "github.com/cloudposse/atmos/errors" + "github.com/cloudposse/atmos/pkg/auth" + "github.com/cloudposse/atmos/pkg/aws/identity" + "github.com/cloudposse/atmos/pkg/aws/security" + cfg "github.com/cloudposse/atmos/pkg/config" + "github.com/cloudposse/atmos/pkg/flags" + log "github.com/cloudposse/atmos/pkg/logger" + "github.com/cloudposse/atmos/pkg/schema" + "github.com/cloudposse/atmos/pkg/ui" +) + +//go:embed markdown/atmos_aws_compliance.md +var complianceLongMarkdown string + +// complianceParser handles flag parsing with Viper precedence for the compliance command. +var complianceParser *flags.StandardParser + +// ComplianceCmd is the parent command for compliance subcommands. +var ComplianceCmd = &cobra.Command{ + Use: "compliance", + Short: "AWS compliance commands", + Long: "Commands for generating compliance posture reports against industry frameworks.", + Args: cobra.NoArgs, +} + +// complianceReportCmd represents the aws compliance report command. +var complianceReportCmd = &cobra.Command{ + Use: "report", + Short: "Generate compliance posture reports", + Long: complianceLongMarkdown, + Args: cobra.NoArgs, + RunE: func(cmd *cobra.Command, args []string) error { + // Bind parsed flags to Viper for precedence handling. + v := viper.GetViper() + if err := complianceParser.BindFlagsToViper(cmd, v); err != nil { + return err + } + + // Get flags from Viper (supports CLI > ENV > config > defaults). + stack := v.GetString("stack") + framework := v.GetString("framework") + formatStr := v.GetString("format") + fileOutput := v.GetString("file") + controlsStr := v.GetString("controls") + identityFlag := v.GetString("identity") + + // Parse comma-separated control IDs into a set for filtering. + controlFilter := parseControlFilter(controlsStr) + + // Initialize configuration with global flags (--base-path, --config, etc.). + globalFlags := flags.ParseGlobalFlags(cmd, v) + configAndStacksInfo := schema.ConfigAndStacksInfo{ + BasePath: globalFlags.BasePath, + AtmosConfigFilesFromArg: globalFlags.Config, + AtmosConfigDirsFromArg: globalFlags.ConfigPath, + ProfilesFromArg: globalFlags.Profile, + } + atmosConfig, err := cfg.InitCliConfig(configAndStacksInfo, true) + if err != nil { + return err + } + + // Check if AWS security features are enabled. + if !atmosConfig.AWS.Security.Enabled { + return errUtils.Build(errUtils.ErrAWSSecurityNotEnabled). + WithHint("Add `aws.security.enabled: true` to your `atmos.yaml`"). + WithHint("See https://atmos.tools/cli/configuration/aws for configuration reference"). + WithExitCode(2). + Err() + } + + // Validate output format. + outputFormat, err := security.ParseOutputFormat(formatStr) + if err != nil { + return err + } + + // Validate framework if specified. + if framework != "" { + if err := validateFramework(framework); err != nil { + return err + } + } + + // Resolve Atmos Auth identity (from --identity flag or config). + identityName := identityFlag + if identityName == "" { + identityName = atmosConfig.AWS.Security.Identity + } + authCtx, err := authenticateAndResolveAWS(&atmosConfig, identityName) + if err != nil { + return err + } + + // Validate AWS credentials early before attempting any API calls. + credCtx, credCancel := context.WithTimeout(context.Background(), 15*time.Second) + defer credCancel() + if err := identity.ValidateAWSCredentials(credCtx, "", authCtx); err != nil { + return err + } + + log.Debug("Running compliance report", + "stack", stack, + "framework", framework, + "format", formatStr, + "controls", controlsStr, + ) + + // Create context with timeout. + timeoutSeconds := 120 + if atmosConfig.AI.TimeoutSeconds > 0 { + timeoutSeconds = atmosConfig.AI.TimeoutSeconds + } + ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeoutSeconds)*time.Second) + defer cancel() + + // Determine which frameworks to report on. + frameworks := atmosConfig.AWS.Security.Frameworks + if framework != "" { + frameworks = []string{framework} + } + if len(frameworks) == 0 { + frameworks = []string{"cis-aws"} + } + + // Fetch compliance status for each framework. + if outputFormat == security.FormatMarkdown { + ui.Info("Generating compliance report...") + } + + // Determine output destination. + output := os.Stdout + if fileOutput != "" { + dir := filepath.Dir(fileOutput) + if err := os.MkdirAll(dir, 0o755); err != nil { + return fmt.Errorf("failed to create output directory %q: %w", dir, err) + } + f, err := os.Create(fileOutput) + if err != nil { + return fmt.Errorf("failed to create output file %q: %w", fileOutput, err) + } + defer f.Close() + output = f + } + + fetcher := security.NewFindingFetcher(&atmosConfig, authCtx) + renderer := security.NewReportRenderer(outputFormat) + + for _, fw := range frameworks { + report, err := fetcher.FetchComplianceStatus(ctx, fw, stack) + if err != nil { + return fmt.Errorf("%w: %w", errUtils.ErrAWSSecurityFetchFailed, err) + } + + if report == nil { + if outputFormat == security.FormatMarkdown { + ui.Warningf("No compliance data available for framework: %s", fw) + } + continue + } + + // Filter report to specific control IDs if --controls was provided. + if len(controlFilter) > 0 { + report = filterComplianceReport(report, controlFilter) + } + + // For Markdown to stdout, render with colors via ui.Markdown(). + if outputFormat == security.FormatMarkdown && fileOutput == "" { + var buf strings.Builder + if err := renderer.RenderComplianceReport(&buf, report); err != nil { + return err + } + ui.Markdown(buf.String()) + } else { + if err := renderer.RenderComplianceReport(output, report); err != nil { + return err + } + } + } + + if fileOutput != "" { + ui.Successf("Report saved to %s", fileOutput) + } + + return nil + }, +} + +func init() { + // Create parser with compliance-specific flags using functional options. + complianceParser = flags.NewStandardParser( + flags.WithStringFlag("stack", "s", "", "Target stack"), + flags.WithStringFlag("framework", "", "", "Compliance framework: cis-aws, pci-dss, soc2, hipaa, nist"), + flags.WithStringFlag("format", "f", "markdown", "Output format: markdown, json, yaml, csv"), + flags.WithStringFlag("file", "", "", "Write output to file instead of stdout"), + flags.WithStringFlag("controls", "", "", "Specific control IDs to check"), + flags.WithStringFlag("identity", "i", "", "Atmos Auth identity for AWS credentials"), + flags.WithEnvVars("stack", "ATMOS_STACK"), + flags.WithEnvVars("identity", "ATMOS_AWS_SECURITY_IDENTITY"), + flags.WithEnvVars("framework", "ATMOS_AWS_COMPLIANCE_FRAMEWORK"), + flags.WithEnvVars("format", "ATMOS_AWS_COMPLIANCE_FORMAT"), + ) + + // Register flags on the report subcommand. + complianceParser.RegisterFlags(complianceReportCmd) + + // Bind flags to Viper for environment variable support. + if err := complianceParser.BindToViper(viper.GetViper()); err != nil { + panic(err) + } + + ComplianceCmd.AddCommand(complianceReportCmd) +} + +// parseControlFilter parses a comma-separated list of control IDs into a set. +// Returns nil if the input is empty, meaning no filtering should be applied. +func parseControlFilter(controlsStr string) map[string]bool { + controlsStr = strings.TrimSpace(controlsStr) + if controlsStr == "" { + return nil + } + filter := make(map[string]bool) + for _, id := range strings.Split(controlsStr, ",") { + id = strings.TrimSpace(id) + if id != "" { + filter[id] = true + } + } + return filter +} + +// filterComplianceReport returns a copy of the report containing only the controls +// whose IDs match the given filter set. Counts are recalculated accordingly. +func filterComplianceReport(report *security.ComplianceReport, controlFilter map[string]bool) *security.ComplianceReport { + filtered := make([]security.ComplianceControl, 0, len(report.FailingDetails)) + for _, ctrl := range report.FailingDetails { + if controlFilter[ctrl.ControlID] { + filtered = append(filtered, ctrl) + } + } + + // Build a new report with recalculated counts. + filteredReport := *report + filteredReport.FailingDetails = filtered + filteredReport.FailingControls = len(filtered) + filteredReport.TotalControls = len(filtered) + report.PassingControls + if filteredReport.TotalControls > 0 { + const percentMultiplier = 100 + filteredReport.ScorePercent = float64(report.PassingControls) / float64(filteredReport.TotalControls) * percentMultiplier + } else { + filteredReport.ScorePercent = 0 + } + return &filteredReport +} + +// logKeyIdentity is the log key for identity name. +const logKeyIdentity = "identity" + +// authenticateAndResolveAWS authenticates an Atmos Auth identity and returns the AWSAuthContext. +// Uses the standard auth flow (same as Terraform, S3 backend): authenticate → read AuthContext.AWS. +// Returns nil if identityName is empty (use default AWS credential chain). +func authenticateAndResolveAWS(atmosConfig *schema.AtmosConfiguration, identityName string) (*schema.AWSAuthContext, error) { + if identityName == "" { + return nil, nil + } + + log.Debug("Authenticating Atmos Auth identity", logKeyIdentity, identityName) + + authManager, err := auth.CreateAndAuthenticateManagerWithAtmosConfig( + identityName, + &atmosConfig.Auth, + cfg.IdentityFlagSelectValue, + atmosConfig, + ) + if err != nil { + return nil, fmt.Errorf("failed to authenticate identity %q: %w", identityName, err) + } + + if authManager == nil { + return nil, nil + } + + stackInfo := authManager.GetStackInfo() + if stackInfo == nil || stackInfo.AuthContext == nil || stackInfo.AuthContext.AWS == nil { + return nil, fmt.Errorf("%w: identity %q authenticated but no AWS credentials were produced", + errUtils.ErrAWSCredentialsNotValid, identityName) + } + + authCtx := stackInfo.AuthContext.AWS + log.Debug("Resolved AWS auth context", + logKeyIdentity, identityName, + "profile", authCtx.Profile, + "region", authCtx.Region, + ) + return authCtx, nil +} + +// validateFramework checks that the framework name is valid. +func validateFramework(framework string) error { + validFrameworks := map[string]bool{ + "cis-aws": true, + "pci-dss": true, + "soc2": true, + "hipaa": true, + "nist": true, + } + if !validFrameworks[framework] { + return errUtils.ErrAWSSecurityInvalidFramework + } + return nil +} diff --git a/cmd/aws/compliance/compliance_test.go b/cmd/aws/compliance/compliance_test.go new file mode 100644 index 0000000000..086b1f0c85 --- /dev/null +++ b/cmd/aws/compliance/compliance_test.go @@ -0,0 +1,377 @@ +package compliance + +import ( + "errors" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + errUtils "github.com/cloudposse/atmos/errors" + "github.com/cloudposse/atmos/pkg/aws/security" +) + +func TestValidateFramework(t *testing.T) { + tests := []struct { + name string + framework string + wantErr bool + }{ + {"cis-aws valid", "cis-aws", false}, + {"pci-dss valid", "pci-dss", false}, + {"soc2 valid", "soc2", false}, + {"hipaa valid", "hipaa", false}, + {"nist valid", "nist", false}, + {"invalid framework", "iso-27001", true}, + {"empty string", "", true}, + {"random string", "foo", true}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := validateFramework(tt.framework) + if tt.wantErr { + require.Error(t, err) + } else { + require.NoError(t, err) + } + }) + } +} + +func TestValidateFramework_ErrorType(t *testing.T) { + // Verify that invalid framework errors are the correct sentinel. + tests := []struct { + name string + framework string + }{ + {"iso-27001", "iso-27001"}, + {"empty", ""}, + {"random", "foo"}, + {"fedramp", "fedramp"}, + {"gdpr", "gdpr"}, + {"case sensitive cis", "CIS-AWS"}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := validateFramework(tt.framework) + require.Error(t, err) + assert.True(t, errors.Is(err, errUtils.ErrAWSSecurityInvalidFramework), + "expected ErrAWSSecurityInvalidFramework, got: %v", err) + }) + } +} + +func TestValidateFramework_AllValidFrameworks(t *testing.T) { + // Exhaustively test all valid frameworks. + validFrameworks := []string{"cis-aws", "pci-dss", "soc2", "hipaa", "nist"} + for _, fw := range validFrameworks { + t.Run(fw, func(t *testing.T) { + err := validateFramework(fw) + require.NoError(t, err, "framework %q should be valid", fw) + }) + } +} + +func TestValidateFramework_CaseSensitive(t *testing.T) { + // Framework validation should be case-sensitive (all lowercase). + tests := []struct { + name string + framework string + }{ + {"uppercase CIS-AWS", "CIS-AWS"}, + {"mixed case Hipaa", "Hipaa"}, + {"uppercase NIST", "NIST"}, + {"uppercase PCI-DSS", "PCI-DSS"}, + {"uppercase SOC2", "SOC2"}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := validateFramework(tt.framework) + require.Error(t, err, "framework %q (wrong case) should be invalid", tt.framework) + }) + } +} + +func TestComplianceReportFileFlag(t *testing.T) { + // Verify the --file flag is registered on the report subcommand. + flag := complianceReportCmd.Flags().Lookup("file") + require.NotNil(t, flag, "complianceReportCmd should have --file flag") + assert.Equal(t, "", flag.DefValue, "--file default should be empty") + assert.Equal(t, "string", flag.Value.Type(), "--file should be a string flag") +} + +func TestComplianceSubcommandRegistered(t *testing.T) { + cmd := ComplianceCmd + // Verify the report subcommand exists under compliance. + var foundReport bool + for _, sub := range cmd.Commands() { + if sub.Use == "report" { + foundReport = true + break + } + } + assert.True(t, foundReport, "compliance command should have report subcommand") +} + +func TestComplianceReportAllFlagsRegistered(t *testing.T) { + // Verify all expected flags are registered on complianceReportCmd. + tests := []struct { + name string + flagName string + defValue string + flagType string + }{ + {"stack flag", "stack", "", "string"}, + {"framework flag", "framework", "", "string"}, + {"format flag", "format", "markdown", "string"}, + {"file flag", "file", "", "string"}, + {"controls flag", "controls", "", "string"}, + {"identity flag", "identity", "", "string"}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + f := complianceReportCmd.Flags().Lookup(tt.flagName) + require.NotNil(t, f, "flag %q should be registered", tt.flagName) + assert.Equal(t, tt.defValue, f.DefValue, "flag %q default", tt.flagName) + assert.Equal(t, tt.flagType, f.Value.Type(), "flag %q type", tt.flagName) + }) + } +} + +func TestComplianceReportFlagShorthand(t *testing.T) { + // Verify shorthand aliases for key flags. + tests := []struct { + name string + flagName string + shorthand string + }{ + {"stack shorthand", "stack", "s"}, + {"format shorthand", "format", "f"}, + {"identity shorthand", "identity", "i"}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + f := complianceReportCmd.Flags().Lookup(tt.flagName) + require.NotNil(t, f, "flag %q should be registered", tt.flagName) + assert.Equal(t, tt.shorthand, f.Shorthand, "flag %q shorthand", tt.flagName) + }) + } +} + +func TestComplianceCmdUsesNoArgs(t *testing.T) { + // Both compliance and compliance report commands should accept no positional args. + assert.NotNil(t, ComplianceCmd.Args, "ComplianceCmd should have Args set") + assert.NotNil(t, complianceReportCmd.Args, "complianceReportCmd should have Args set") +} + +func TestComplianceCmdAttributes(t *testing.T) { + // Verify compliance command metadata. + assert.Equal(t, "compliance", ComplianceCmd.Use) + assert.Contains(t, ComplianceCmd.Short, "compliance") + assert.Contains(t, ComplianceCmd.Long, "compliance") +} + +func TestComplianceReportCmdAttributes(t *testing.T) { + // Verify the report subcommand metadata. + assert.Equal(t, "report", complianceReportCmd.Use) + assert.Contains(t, complianceReportCmd.Short, "compliance") + assert.NotNil(t, complianceReportCmd.RunE, "complianceReportCmd should have RunE set") +} + +func TestValidateFramework_MultipleInSequence(t *testing.T) { + // Simulate validating multiple frameworks in sequence, like the compliance + // command does when processing framework lists. + frameworks := []string{"cis-aws", "pci-dss", "soc2", "hipaa", "nist"} + for _, fw := range frameworks { + err := validateFramework(fw) + require.NoError(t, err, "framework %q should validate successfully in sequence", fw) + } +} + +func TestValidateFramework_InvalidInSequence(t *testing.T) { + // When validating a list of frameworks, an invalid one should be caught. + frameworks := []string{"cis-aws", "pci-dss", "invalid-framework", "hipaa"} + for _, fw := range frameworks { + err := validateFramework(fw) + if fw == "invalid-framework" { + require.Error(t, err, "framework %q should fail validation", fw) + assert.True(t, errors.Is(err, errUtils.ErrAWSSecurityInvalidFramework)) + } else { + require.NoError(t, err, "framework %q should pass validation", fw) + } + } +} + +func TestParseControlFilter(t *testing.T) { + tests := []struct { + name string + input string + expected map[string]bool + }{ + { + "empty string returns nil", + "", + nil, + }, + { + "whitespace only returns nil", + " ", + nil, + }, + { + "single control", + "CIS.1.1", + map[string]bool{"CIS.1.1": true}, + }, + { + "multiple controls", + "CIS.1.1,CIS.2.3,CIS.3.1", + map[string]bool{"CIS.1.1": true, "CIS.2.3": true, "CIS.3.1": true}, + }, + { + "controls with whitespace", + " CIS.1.1 , CIS.2.3 ", + map[string]bool{"CIS.1.1": true, "CIS.2.3": true}, + }, + { + "trailing comma produces no empty entry", + "CIS.1.1,CIS.2.3,", + map[string]bool{"CIS.1.1": true, "CIS.2.3": true}, + }, + { + "leading comma produces no empty entry", + ",CIS.1.1", + map[string]bool{"CIS.1.1": true}, + }, + { + "duplicate controls collapsed", + "CIS.1.1,CIS.1.1", + map[string]bool{"CIS.1.1": true}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := parseControlFilter(tt.input) + if tt.expected == nil { + assert.Nil(t, result) + } else { + assert.Equal(t, tt.expected, result) + } + }) + } +} + +func TestFilterComplianceReport(t *testing.T) { + baseReport := &security.ComplianceReport{ + GeneratedAt: time.Now().UTC(), + Stack: "prod", + Framework: "cis-aws", + FrameworkTitle: "CIS AWS Foundations Benchmark", + TotalControls: 10, + PassingControls: 7, + FailingControls: 3, + ScorePercent: 70.0, + FailingDetails: []security.ComplianceControl{ + {ControlID: "CIS.1.1", Title: "Root account MFA", Severity: security.SeverityCritical}, + {ControlID: "CIS.2.3", Title: "CloudTrail encryption", Severity: security.SeverityHigh}, + {ControlID: "CIS.3.1", Title: "S3 bucket logging", Severity: security.SeverityMedium}, + }, + } + + t.Run("filter matches subset of controls", func(t *testing.T) { + filter := map[string]bool{"CIS.1.1": true, "CIS.3.1": true} + result := filterComplianceReport(baseReport, filter) + + require.Len(t, result.FailingDetails, 2) + assert.Equal(t, "CIS.1.1", result.FailingDetails[0].ControlID) + assert.Equal(t, "CIS.3.1", result.FailingDetails[1].ControlID) + assert.Equal(t, 2, result.FailingControls) + // TotalControls = filtered failing + original passing. + assert.Equal(t, 9, result.TotalControls) + }) + + t.Run("filter matches no controls", func(t *testing.T) { + filter := map[string]bool{"CIS.99.99": true} + result := filterComplianceReport(baseReport, filter) + + assert.Empty(t, result.FailingDetails) + assert.Equal(t, 0, result.FailingControls) + assert.Equal(t, 7, result.TotalControls) // only passing remain. + assert.Equal(t, 100.0, result.ScorePercent) + }) + + t.Run("filter matches all failing controls", func(t *testing.T) { + filter := map[string]bool{"CIS.1.1": true, "CIS.2.3": true, "CIS.3.1": true} + result := filterComplianceReport(baseReport, filter) + + require.Len(t, result.FailingDetails, 3) + assert.Equal(t, 3, result.FailingControls) + assert.Equal(t, 10, result.TotalControls) + assert.InDelta(t, 70.0, result.ScorePercent, 0.1) + }) + + t.Run("filter single control", func(t *testing.T) { + filter := map[string]bool{"CIS.2.3": true} + result := filterComplianceReport(baseReport, filter) + + require.Len(t, result.FailingDetails, 1) + assert.Equal(t, "CIS.2.3", result.FailingDetails[0].ControlID) + assert.Equal(t, 1, result.FailingControls) + assert.Equal(t, 8, result.TotalControls) // 7 passing + 1 failing. + assert.InDelta(t, 87.5, result.ScorePercent, 0.1) + }) + + t.Run("original report is not mutated", func(t *testing.T) { + filter := map[string]bool{"CIS.1.1": true} + _ = filterComplianceReport(baseReport, filter) + + // Original report should be unchanged. + assert.Equal(t, 3, baseReport.FailingControls) + assert.Equal(t, 10, baseReport.TotalControls) + assert.Equal(t, 70.0, baseReport.ScorePercent) + require.Len(t, baseReport.FailingDetails, 3) + }) + + t.Run("preserves metadata fields", func(t *testing.T) { + filter := map[string]bool{"CIS.1.1": true} + result := filterComplianceReport(baseReport, filter) + + assert.Equal(t, "prod", result.Stack) + assert.Equal(t, "cis-aws", result.Framework) + assert.Equal(t, "CIS AWS Foundations Benchmark", result.FrameworkTitle) + assert.Equal(t, baseReport.GeneratedAt, result.GeneratedAt) + }) + + t.Run("zero passing controls with empty filter", func(t *testing.T) { + noPassingReport := &security.ComplianceReport{ + TotalControls: 2, + PassingControls: 0, + FailingControls: 2, + ScorePercent: 0.0, + FailingDetails: []security.ComplianceControl{ + {ControlID: "CIS.1.1", Title: "Root account MFA", Severity: security.SeverityCritical}, + {ControlID: "CIS.2.3", Title: "CloudTrail encryption", Severity: security.SeverityHigh}, + }, + } + filter := map[string]bool{"NONEXISTENT": true} + result := filterComplianceReport(noPassingReport, filter) + + assert.Equal(t, 0, result.FailingControls) + assert.Equal(t, 0, result.TotalControls) + assert.Equal(t, 0.0, result.ScorePercent) + }) +} + +func TestAuthenticateAndResolveAWS_EmptyIdentity(t *testing.T) { + // Empty identity should return nil without error. + authCtx, err := authenticateAndResolveAWS(nil, "") + require.NoError(t, err) + assert.Nil(t, authCtx) +} diff --git a/cmd/aws/compliance/markdown/atmos_aws_compliance.md b/cmd/aws/compliance/markdown/atmos_aws_compliance.md new file mode 100644 index 0000000000..10111e1cb2 --- /dev/null +++ b/cmd/aws/compliance/markdown/atmos_aws_compliance.md @@ -0,0 +1,26 @@ +Generate compliance posture reports against specific frameworks. + +Retrieves compliance status from AWS Security Hub enabled standards, maps failing controls to +Atmos components, and generates reports with remediation guidance. + +## Examples + +```shell +# CIS AWS Foundations Benchmark report +$ atmos aws compliance report --framework cis-aws --stack prod-us-east-1 + +# PCI DSS compliance status +$ atmos aws compliance report --framework pci-dss + +# All frameworks for a stack +$ atmos aws compliance report --stack prod-us-east-1 + +# Output as JSON +$ atmos aws compliance report --framework cis-aws --format json + +# Save report to a file +$ atmos aws compliance report --framework cis-aws --stack prod-us-east-1 --file compliance-report.md + +# Save JSON report to a file +$ atmos aws compliance report --framework pci-dss --format json --file pci-report.json +``` diff --git a/cmd/aws/security/markdown/atmos_aws_security.md b/cmd/aws/security/markdown/atmos_aws_security.md new file mode 100644 index 0000000000..0b4633b729 --- /dev/null +++ b/cmd/aws/security/markdown/atmos_aws_security.md @@ -0,0 +1,33 @@ +Analyze AWS security findings and map them to Atmos components and stacks. + +Connects to AWS Security Hub, Config, Inspector, GuardDuty, and other security services via Atmos Auth, +maps findings to the Terraform/Atmos components that manage the affected resources, and generates +remediation reports with concrete code changes. + +## Examples + +```shell +# Analyze findings for a specific stack +$ atmos aws security analyze --stack prod-us-east-1 + +# Filter by severity +$ atmos aws security analyze --stack prod-us-east-1 --severity critical,high + +# Filter by source service +$ atmos aws security analyze --stack prod-us-east-1 --source security-hub + +# Output as JSON for CI/CD integration +$ atmos aws security analyze --stack prod-us-east-1 --format json + +# Enable AI-powered analysis +$ atmos aws security analyze --stack prod-us-east-1 --ai + +# Output as CSV for compliance reporting +$ atmos aws security analyze --format csv > findings.csv + +# Save report to a file +$ atmos aws security analyze --stack prod-us-east-1 --file security-report.md + +# Save JSON report to a file +$ atmos aws security analyze --stack prod-us-east-1 --format json --file findings.json +``` diff --git a/cmd/aws/security/security.go b/cmd/aws/security/security.go new file mode 100644 index 0000000000..7c9ba29cac --- /dev/null +++ b/cmd/aws/security/security.go @@ -0,0 +1,506 @@ +package security + +import ( + "context" + _ "embed" + "fmt" + "os" + "path/filepath" + "strings" + "time" + + "github.com/spf13/cobra" + "github.com/spf13/viper" + + errUtils "github.com/cloudposse/atmos/errors" + "github.com/cloudposse/atmos/pkg/ai/tools" + atmosTools "github.com/cloudposse/atmos/pkg/ai/tools/atmos" + "github.com/cloudposse/atmos/pkg/ai/tools/permission" + "github.com/cloudposse/atmos/pkg/auth" + "github.com/cloudposse/atmos/pkg/aws/identity" + pkgsecurity "github.com/cloudposse/atmos/pkg/aws/security" + cfg "github.com/cloudposse/atmos/pkg/config" + "github.com/cloudposse/atmos/pkg/flags" + log "github.com/cloudposse/atmos/pkg/logger" + "github.com/cloudposse/atmos/pkg/schema" + "github.com/cloudposse/atmos/pkg/ui" +) + +// defaultMaxFindings is the default maximum number of security findings to fetch. +// Set high enough to capture findings across all accounts in a multi-account org. +// AI cost is controlled separately (only mapped findings are sent to AI). +const defaultMaxFindings = 500 + +//go:embed markdown/atmos_aws_security.md +var securityLongMarkdown string + +// securityParser handles flag parsing with Viper precedence for the security command. +var securityParser *flags.StandardParser + +// SecurityCmd is the parent command for security subcommands. +var SecurityCmd = &cobra.Command{ + Use: "security", + Short: "AWS security commands", + Long: "Commands for analyzing AWS security findings and mapping them to Atmos components.", + Args: cobra.NoArgs, +} + +// securityAnalyzeCmd represents the aws security analyze command. +var securityAnalyzeCmd = &cobra.Command{ + Use: "analyze", + Short: "Analyze AWS security findings for Atmos stacks", + Long: securityLongMarkdown, + Args: cobra.NoArgs, + RunE: func(cmd *cobra.Command, args []string) error { + // Bind parsed flags to Viper for precedence handling. + v := viper.GetViper() + if err := securityParser.BindFlagsToViper(cmd, v); err != nil { + return err + } + + // Get flags from Viper (supports CLI > ENV > config > defaults). + stack := v.GetString("stack") + component := v.GetString("component") + severityStr := v.GetString("severity") + sourceStr := v.GetString("source") + formatStr := v.GetString("format") + fileOutput := v.GetString("file") + maxFindings := v.GetInt("max-findings") + useAI := v.GetBool("ai") + region := v.GetString("region") + identityFlag := v.GetString("identity") + noGroup := v.GetBool("no-group") + frameworkStr := v.GetString("framework") + + // Initialize configuration with global flags (--base-path, --config, etc.). + globalFlags := flags.ParseGlobalFlags(cmd, v) + configAndStacksInfo := schema.ConfigAndStacksInfo{ + BasePath: globalFlags.BasePath, + AtmosConfigFilesFromArg: globalFlags.Config, + AtmosConfigDirsFromArg: globalFlags.ConfigPath, + ProfilesFromArg: globalFlags.Profile, + } + atmosConfig, err := cfg.InitCliConfig(configAndStacksInfo, true) + if err != nil { + return err + } + + // Check if AWS security features are enabled. + if !atmosConfig.AWS.Security.Enabled { + return errUtils.Build(errUtils.ErrAWSSecurityNotEnabled). + WithHint("Add `aws.security.enabled: true` to your `atmos.yaml`"). + WithHint("See https://atmos.tools/cli/configuration/aws for configuration reference"). + WithExitCode(2). + Err() + } + + // If --ai flag is passed, check that AI is enabled in configuration. + if useAI && !atmosConfig.AI.Enabled { + return errUtils.Build(errUtils.ErrAINotEnabled). + WithExplanation("The `--ai` flag enables AI-powered analysis but requires an AI provider to be configured."). + WithHint("Add `ai.enabled: true` to your `atmos.yaml`"). + WithHint("Configure a provider under `ai.providers` (e.g. `anthropic`, `bedrock`, `openai`)"). + WithHint("See https://atmos.tools/cli/configuration/ai for provider setup"). + WithExitCode(2). + Err() + } + + // Validate and parse flags. + outputFormat, err := pkgsecurity.ParseOutputFormat(formatStr) + if err != nil { + return err + } + + source, err := parseSource(sourceStr) + if err != nil { + return err + } + + severities, err := parseSeverities(severityStr, atmosConfig.AWS.Security.DefaultSeverity) + if err != nil { + return err + } + + if maxFindings <= 0 { + maxFindings = atmosConfig.AWS.Security.MaxFindings + if maxFindings <= 0 { + maxFindings = defaultMaxFindings + } + } + + // Resolve region (from --region flag or config). + if region == "" { + region = atmosConfig.AWS.Security.Region + } + + // Resolve Atmos Auth identity (from --identity flag or config). + identityName := identityFlag + if identityName == "" { + identityName = atmosConfig.AWS.Security.Identity + } + authCtx, err := authenticateAndResolveAWS(&atmosConfig, identityName) + if err != nil { + return err + } + + // Validate AWS credentials early before attempting any API calls. + credCtx, credCancel := context.WithTimeout(context.Background(), 15*time.Second) + defer credCancel() + if err := identity.ValidateAWSCredentials(credCtx, region, authCtx); err != nil { + return err + } + + // Note: stack and component are NOT passed to QueryOptions because + // Security Hub has no concept of Atmos stacks. Filtering by stack/component + // happens AFTER mapping (see filterByStackAndComponent below). + opts := pkgsecurity.QueryOptions{ + Severity: severities, + Source: source, + Framework: frameworkStr, + MaxFindings: maxFindings, + Region: region, + NoAI: !useAI, + } + + log.Debug("Running security analysis", + "stack", stack, + "component", component, + "severity", severityStr, + "source", sourceStr, + "format", formatStr, + "max_findings", maxFindings, + "ai", useAI, + ) + + // Create context with timeout. + // AI analysis with multi-turn tools and retries needs more time than simple API calls. + defaultTimeout := 120 + if useAI { + defaultTimeout = 300 + } + timeoutSeconds := defaultTimeout + if atmosConfig.AI.TimeoutSeconds > 0 { + timeoutSeconds = atmosConfig.AI.TimeoutSeconds + } + ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeoutSeconds)*time.Second) + defer cancel() + + // Fetch findings. + if outputFormat == pkgsecurity.FormatMarkdown { + ui.Info("Fetching security findings...") + } + fetcher := pkgsecurity.NewFindingFetcher(&atmosConfig, authCtx) + findings, err := fetcher.FetchFindings(ctx, &opts) + if err != nil { + return fmt.Errorf("%w: %w", errUtils.ErrAWSSecurityFetchFailed, err) + } + + if len(findings) == 0 { + ui.Success("No security findings match the specified filters. No report written.") + return nil + } + + // Map findings to Atmos components. + if outputFormat == pkgsecurity.FormatMarkdown { + ui.Infof("Mapping %d findings to Atmos components...", len(findings)) + } + mapper := pkgsecurity.NewComponentMapper(&atmosConfig, authCtx) + findings, err = mapper.MapFindings(ctx, findings) + if err != nil { + return fmt.Errorf("%w: %w", errUtils.ErrAWSSecurityMappingFailed, err) + } + + // Filter by stack and component AFTER mapping. + // Security Hub doesn't know about Atmos stacks — we can only filter after + // findings are mapped to components/stacks via tags or heuristics. + if stack != "" || component != "" { + findings = filterByStackAndComponent(findings, stack, component) + ui.Infof("Filtered to %d findings matching stack=%q component=%q", len(findings), stack, component) + if len(findings) == 0 { + ui.Success("No findings match the specified stack/component after mapping. No report written.") + return nil + } + } + + // AI analysis (only when --ai flag is set). + if useAI { + if outputFormat == pkgsecurity.FormatMarkdown { + ui.Info("Analyzing findings with AI...") + } + + // Initialize read-only tools for multi-turn analysis (API providers). + // CLI providers fall back to single-prompt mode automatically. + var toolReg *tools.Registry + var toolExec *tools.Executor + if atmosConfig.AI.Tools.Enabled { + toolReg, toolExec = initReadOnlyTools(&atmosConfig) + } + + analyzer, analyzerErr := pkgsecurity.NewFindingAnalyzer(ctx, &atmosConfig, toolReg, toolExec) + if analyzerErr != nil { + ui.Warningf("AI analysis unavailable: %s (continuing without AI)", analyzerErr) + } else { + findings, err = analyzer.AnalyzeFindings(ctx, findings) + if err != nil { + return fmt.Errorf("%w: %w", errUtils.ErrAWSSecurityAnalysisFailed, err) + } + } + } + + // Build report. + tagMapping := &atmosConfig.AWS.Security.TagMapping + report := buildSecurityReport(findings, stack, component, tagMapping) + report.GroupFindings = !noGroup + + // Determine output destination. + output := os.Stdout + if fileOutput != "" { + dir := filepath.Dir(fileOutput) + if err := os.MkdirAll(dir, 0o755); err != nil { + return fmt.Errorf("failed to create output directory %q: %w", dir, err) + } + f, err := os.Create(fileOutput) + if err != nil { + return fmt.Errorf("failed to create output file %q: %w", fileOutput, err) + } + defer f.Close() + output = f + } + + // Render output. + renderer := pkgsecurity.NewReportRenderer(outputFormat) + + // For Markdown to stdout, render with colors via ui.Markdown(). + if outputFormat == pkgsecurity.FormatMarkdown && fileOutput == "" { + var buf strings.Builder + if err := renderer.RenderSecurityReport(&buf, report); err != nil { + return err + } + ui.Markdown(buf.String()) + } else { + if err := renderer.RenderSecurityReport(output, report); err != nil { + return err + } + if fileOutput != "" { + ui.Successf("Report saved to %s", fileOutput) + } + } + + return nil + }, +} + +func init() { + // Create parser with security-specific flags using functional options. + securityParser = flags.NewStandardParser( + flags.WithStringFlag("stack", "s", "", "Target stack to analyze"), + flags.WithStringFlag("component", "c", "", "Target component within the stack"), + flags.WithStringFlag("severity", "", "critical,high", "Comma-separated severity filter"), + flags.WithStringFlag("source", "", "all", "Finding source: security-hub, config, inspector, guardduty, macie, access-analyzer, all"), + flags.WithStringFlag("framework", "", "", "Compliance framework filter"), + flags.WithStringFlag("format", "f", "markdown", "Output format: markdown, json, yaml, csv"), + flags.WithStringFlag("file", "", "", "Write output to file instead of stdout"), + flags.WithIntFlag("max-findings", "", defaultMaxFindings, "Maximum findings to analyze"), + flags.WithStringFlag("region", "", "", "AWS region override"), + flags.WithStringFlag("identity", "i", "", "Atmos Auth identity for AWS credentials"), + flags.WithBoolFlag("no-group", "", false, "Disable grouping of duplicate findings"), + flags.WithEnvVars("stack", "ATMOS_STACK"), + flags.WithEnvVars("identity", "ATMOS_AWS_SECURITY_IDENTITY"), + flags.WithEnvVars("format", "ATMOS_AWS_SECURITY_FORMAT"), + flags.WithEnvVars("max-findings", "ATMOS_AWS_SECURITY_MAX_FINDINGS"), + flags.WithEnvVars("region", "ATMOS_AWS_SECURITY_REGION"), + ) + + // Register flags on the analyze subcommand. + securityParser.RegisterFlags(securityAnalyzeCmd) + + // Bind flags to Viper for environment variable support. + if err := securityParser.BindToViper(viper.GetViper()); err != nil { + panic(err) + } + + SecurityCmd.AddCommand(securityAnalyzeCmd) +} + +// Finding is a type alias for the security package Finding type (used in buildSecurityReport). +type Finding = pkgsecurity.Finding + +// buildSecurityReport constructs a Report from mapped findings. +func buildSecurityReport(findings []Finding, stack, component string, tagMapping *schema.AWSSecurityTagMapping) *pkgsecurity.Report { + report := &pkgsecurity.Report{ + GeneratedAt: time.Now().UTC(), + Stack: stack, + Component: component, + TotalFindings: len(findings), + SeverityCounts: make(map[pkgsecurity.Severity]int), + Findings: findings, + TagMapping: tagMapping, + } + + for i := range findings { + report.SeverityCounts[findings[i].Severity]++ + if findings[i].Mapping != nil && findings[i].Mapping.Mapped { + report.MappedCount++ + } else { + report.UnmappedCount++ + } + } + + return report +} + +// parseSource validates and returns the finding source. +func parseSource(source string) (pkgsecurity.Source, error) { + switch strings.ToLower(source) { + case "all", "": + return pkgsecurity.SourceAll, nil + case "security-hub", "securityhub": + return pkgsecurity.SourceSecurityHub, nil + case "config": + return pkgsecurity.SourceConfig, nil + case "inspector": + return pkgsecurity.SourceInspector, nil + case "guardduty": + return pkgsecurity.SourceGuardDuty, nil + case "macie": + return pkgsecurity.SourceMacie, nil + case "access-analyzer", "accessanalyzer": + return pkgsecurity.SourceAccessAnalyzer, nil + default: + return "", errUtils.ErrAWSSecurityInvalidSource + } +} + +// severityMap maps severity name strings to their typed constants. +var severityMap = map[string]pkgsecurity.Severity{ + "CRITICAL": pkgsecurity.SeverityCritical, + "HIGH": pkgsecurity.SeverityHigh, + "MEDIUM": pkgsecurity.SeverityMedium, + "LOW": pkgsecurity.SeverityLow, + "INFORMATIONAL": pkgsecurity.SeverityInformational, +} + +// parseSeverities parses and validates the severity filter string. +func parseSeverities(severityStr string, defaults []string) ([]pkgsecurity.Severity, error) { + if severityStr == "" && len(defaults) == 0 { + return []pkgsecurity.Severity{pkgsecurity.SeverityCritical, pkgsecurity.SeverityHigh}, nil + } + + parts := strings.Split(severityStr, ",") + if severityStr == "" { + parts = defaults + } + + var severities []pkgsecurity.Severity + for _, p := range parts { + sev, ok := severityMap[strings.ToUpper(strings.TrimSpace(p))] + if !ok { + return nil, errUtils.ErrAWSSecurityInvalidSeverity + } + severities = append(severities, sev) + } + + return severities, nil +} + +// filterByStackAndComponent filters findings to those matching the specified stack and/or component. +// Matching is done on the mapped stack/component names (after finding-to-code mapping). +// If stack is empty, all stacks match. If component is empty, all components match. +// Unmapped findings are excluded when filtering by stack or component. +func filterByStackAndComponent(findings []Finding, stack, component string) []Finding { + var filtered []Finding + for i := range findings { + f := &findings[i] + + // Unmapped findings can't match stack/component filters. + if f.Mapping == nil || !f.Mapping.Mapped { + continue + } + + // Stack filter: exact match or prefix match (e.g., "plat-use2-prod" matches "plat-use2-prod-vpc"). + if stack != "" && f.Mapping.Stack != stack && !strings.HasPrefix(f.Mapping.Stack, stack+nameSep) { + continue + } + + // Component filter: exact match. + if component != "" && f.Mapping.Component != component { + continue + } + + filtered = append(filtered, *f) + } + return filtered +} + +// nameSep is the separator for stack name prefix matching. +const nameSep = "-" + +// initReadOnlyTools creates a read-only tool registry and executor for AI security analysis. +// Returns nil, nil if tool setup fails (analysis falls back to single-prompt mode). +func initReadOnlyTools(atmosConfig *schema.AtmosConfiguration) (*tools.Registry, *tools.Executor) { + registry := tools.NewRegistry() + if err := atmosTools.RegisterTools(registry, atmosConfig, nil); err != nil { + log.Debug("Failed to register tools for security analysis", "error", err) + return nil, nil + } + + // Read-only tools don't require permissions. + permConfig := &permission.Config{Mode: permission.ModeAllow} + permChecker := permission.NewChecker(permConfig, nil) + executor := tools.NewExecutor(registry, permChecker, tools.DefaultTimeout) + + log.Debug("Initialized tools for security analysis", "count", registry.Count()) + return registry, executor +} + +// authenticateAndResolveAWS authenticates an Atmos Auth identity and returns the AWSAuthContext. +// Uses the standard auth flow (same as Terraform, S3 backend): authenticate → read AuthContext.AWS. +// Returns nil if identityName is empty (use default AWS credential chain). +func authenticateAndResolveAWS(atmosConfig *schema.AtmosConfiguration, identityName string) (*schema.AWSAuthContext, error) { + if identityName == "" { + return nil, nil + } + + log.Debug("Authenticating Atmos Auth identity", logKeyIdentity, identityName) + + authManager, err := auth.CreateAndAuthenticateManagerWithAtmosConfig( + identityName, + &atmosConfig.Auth, + cfg.IdentityFlagSelectValue, + atmosConfig, + ) + if err != nil { + return nil, fmt.Errorf("failed to authenticate identity %q: %w", identityName, err) + } + + if authManager == nil { + return nil, nil + } + + return extractAWSAuthContext(authManager, identityName) +} + +// logKeyIdentity is the log key for identity name. +const logKeyIdentity = "identity" + +// stackInfoProvider is a narrow interface for reading auth context from an auth manager. +type stackInfoProvider interface { + GetStackInfo() *schema.ConfigAndStacksInfo +} + +// extractAWSAuthContext reads the AWSAuthContext populated by PostAuthenticate → SetAuthContext. +func extractAWSAuthContext(authManager stackInfoProvider, identityName string) (*schema.AWSAuthContext, error) { + stackInfo := authManager.GetStackInfo() + if stackInfo == nil || stackInfo.AuthContext == nil || stackInfo.AuthContext.AWS == nil { + return nil, fmt.Errorf("%w: identity %q authenticated but no AWS credentials were produced", + errUtils.ErrAWSCredentialsNotValid, identityName) + } + + authCtx := stackInfo.AuthContext.AWS + log.Debug("Resolved AWS auth context", + logKeyIdentity, identityName, + "profile", authCtx.Profile, + "region", authCtx.Region, + ) + return authCtx, nil +} diff --git a/cmd/aws/security/security_test.go b/cmd/aws/security/security_test.go new file mode 100644 index 0000000000..e0f9806167 --- /dev/null +++ b/cmd/aws/security/security_test.go @@ -0,0 +1,597 @@ +package security + +import ( + "errors" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + errUtils "github.com/cloudposse/atmos/errors" + pkgsecurity "github.com/cloudposse/atmos/pkg/aws/security" + "github.com/cloudposse/atmos/pkg/schema" +) + +func TestParseSource(t *testing.T) { + tests := []struct { + name string + input string + expected pkgsecurity.Source + wantErr bool + }{ + {"all", "all", pkgsecurity.SourceAll, false}, + {"empty defaults to all", "", pkgsecurity.SourceAll, false}, + {"security-hub", "security-hub", pkgsecurity.SourceSecurityHub, false}, + {"securityhub alias", "securityhub", pkgsecurity.SourceSecurityHub, false}, + {"config", "config", pkgsecurity.SourceConfig, false}, + {"inspector", "inspector", pkgsecurity.SourceInspector, false}, + {"guardduty", "guardduty", pkgsecurity.SourceGuardDuty, false}, + {"macie", "macie", pkgsecurity.SourceMacie, false}, + {"access-analyzer", "access-analyzer", pkgsecurity.SourceAccessAnalyzer, false}, + {"accessanalyzer alias", "accessanalyzer", pkgsecurity.SourceAccessAnalyzer, false}, + {"case insensitive", "SecurityHub", pkgsecurity.SourceSecurityHub, false}, + {"invalid", "unknown", "", true}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result, err := parseSource(tt.input) + if tt.wantErr { + require.Error(t, err) + } else { + require.NoError(t, err) + assert.Equal(t, tt.expected, result) + } + }) + } +} + +func TestParseSource_ErrorType(t *testing.T) { + // Verify that invalid source errors wrap the correct sentinel. + tests := []struct { + name string + input string + }{ + {"unknown service", "unknown"}, + {"cloudwatch", "cloudwatch"}, + {"iam", "iam"}, + {"whitespace only", " "}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + _, err := parseSource(tt.input) + require.Error(t, err) + assert.True(t, errors.Is(err, errUtils.ErrAWSSecurityInvalidSource), + "expected ErrAWSSecurityInvalidSource, got: %v", err) + }) + } +} + +func TestParseSeverities(t *testing.T) { + tests := []struct { + name string + input string + defaults []string + expected []pkgsecurity.Severity + wantErr bool + }{ + { + "empty with no defaults returns critical+high", + "", nil, + []pkgsecurity.Severity{pkgsecurity.SeverityCritical, pkgsecurity.SeverityHigh}, + false, + }, + { + "single severity", + "critical", nil, + []pkgsecurity.Severity{pkgsecurity.SeverityCritical}, + false, + }, + { + "multiple severities", + "critical,high,medium", nil, + []pkgsecurity.Severity{pkgsecurity.SeverityCritical, pkgsecurity.SeverityHigh, pkgsecurity.SeverityMedium}, + false, + }, + { + "case insensitive", + "Critical,HIGH,low", nil, + []pkgsecurity.Severity{pkgsecurity.SeverityCritical, pkgsecurity.SeverityHigh, pkgsecurity.SeverityLow}, + false, + }, + { + "with whitespace", + " critical , high ", nil, + []pkgsecurity.Severity{pkgsecurity.SeverityCritical, pkgsecurity.SeverityHigh}, + false, + }, + { + "informational", + "informational", nil, + []pkgsecurity.Severity{pkgsecurity.SeverityInformational}, + false, + }, + { + "empty with defaults", + "", + []string{"MEDIUM", "LOW"}, + []pkgsecurity.Severity{pkgsecurity.SeverityMedium, pkgsecurity.SeverityLow}, + false, + }, + { + "invalid severity", + "critical,unknown", nil, + nil, true, + }, + { + "invalid default", + "", + []string{"invalid"}, + nil, true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result, err := parseSeverities(tt.input, tt.defaults) + if tt.wantErr { + require.Error(t, err) + } else { + require.NoError(t, err) + assert.Equal(t, tt.expected, result) + } + }) + } +} + +func TestParseSeverities_AllSeverities(t *testing.T) { + // Parse all five severity levels at once. + result, err := parseSeverities("critical,high,medium,low,informational", nil) + require.NoError(t, err) + require.Len(t, result, 5) + assert.Equal(t, pkgsecurity.SeverityCritical, result[0]) + assert.Equal(t, pkgsecurity.SeverityHigh, result[1]) + assert.Equal(t, pkgsecurity.SeverityMedium, result[2]) + assert.Equal(t, pkgsecurity.SeverityLow, result[3]) + assert.Equal(t, pkgsecurity.SeverityInformational, result[4]) +} + +func TestParseSeverities_ErrorType(t *testing.T) { + // Verify that invalid severity errors wrap the correct sentinel. + tests := []struct { + name string + input string + defaults []string + }{ + {"unknown severity in input", "critical,bogus", nil}, + {"empty string severity in list", "critical,,high", nil}, + {"invalid default severity", "", []string{"CRITICAL", "BOGUS"}}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + _, err := parseSeverities(tt.input, tt.defaults) + require.Error(t, err) + assert.True(t, errors.Is(err, errUtils.ErrAWSSecurityInvalidSeverity), + "expected ErrAWSSecurityInvalidSeverity, got: %v", err) + }) + } +} + +func TestParseSeverities_DefaultsOverrideBuiltin(t *testing.T) { + // When input is empty but defaults are provided, defaults take precedence over the builtin critical+high. + result, err := parseSeverities("", []string{"LOW"}) + require.NoError(t, err) + require.Len(t, result, 1) + assert.Equal(t, pkgsecurity.SeverityLow, result[0]) +} + +func TestParseSeverities_InputOverridesDefaults(t *testing.T) { + // When input is provided, defaults are ignored. + result, err := parseSeverities("medium", []string{"CRITICAL", "HIGH"}) + require.NoError(t, err) + require.Len(t, result, 1) + assert.Equal(t, pkgsecurity.SeverityMedium, result[0]) +} + +func TestBuildSecurityReport(t *testing.T) { + t.Run("empty findings", func(t *testing.T) { + report := buildSecurityReport(nil, "prod", "vpc", nil) + + assert.Equal(t, "prod", report.Stack) + assert.Equal(t, "vpc", report.Component) + assert.Equal(t, 0, report.TotalFindings) + assert.Equal(t, 0, report.MappedCount) + assert.Equal(t, 0, report.UnmappedCount) + assert.NotNil(t, report.SeverityCounts) + }) + + t.Run("mixed mapped and unmapped", func(t *testing.T) { + findings := []pkgsecurity.Finding{ + { + ID: "f1", + Severity: pkgsecurity.SeverityCritical, + Mapping: &pkgsecurity.ComponentMapping{Mapped: true}, + }, + { + ID: "f2", + Severity: pkgsecurity.SeverityHigh, + Mapping: &pkgsecurity.ComponentMapping{Mapped: false}, + }, + { + ID: "f3", + Severity: pkgsecurity.SeverityCritical, + Mapping: nil, + }, + } + + report := buildSecurityReport(findings, "staging", "", nil) + + assert.Equal(t, "staging", report.Stack) + assert.Equal(t, 3, report.TotalFindings) + assert.Equal(t, 1, report.MappedCount) + assert.Equal(t, 2, report.UnmappedCount) + assert.Equal(t, 2, report.SeverityCounts[pkgsecurity.SeverityCritical]) + assert.Equal(t, 1, report.SeverityCounts[pkgsecurity.SeverityHigh]) + }) + + t.Run("all mapped", func(t *testing.T) { + findings := []pkgsecurity.Finding{ + { + ID: "f1", + Severity: pkgsecurity.SeverityLow, + Mapping: &pkgsecurity.ComponentMapping{Mapped: true}, + }, + { + ID: "f2", + Severity: pkgsecurity.SeverityLow, + Mapping: &pkgsecurity.ComponentMapping{Mapped: true}, + }, + } + + report := buildSecurityReport(findings, "", "", nil) + + assert.Equal(t, 2, report.TotalFindings) + assert.Equal(t, 2, report.MappedCount) + assert.Equal(t, 0, report.UnmappedCount) + }) + + t.Run("generated at is set", func(t *testing.T) { + report := buildSecurityReport(nil, "", "", nil) + assert.False(t, report.GeneratedAt.IsZero()) + }) + + t.Run("all severities represented", func(t *testing.T) { + findings := []pkgsecurity.Finding{ + {ID: "f1", Severity: pkgsecurity.SeverityCritical, Mapping: &pkgsecurity.ComponentMapping{Mapped: true}}, + {ID: "f2", Severity: pkgsecurity.SeverityHigh, Mapping: &pkgsecurity.ComponentMapping{Mapped: true}}, + {ID: "f3", Severity: pkgsecurity.SeverityMedium, Mapping: &pkgsecurity.ComponentMapping{Mapped: true}}, + {ID: "f4", Severity: pkgsecurity.SeverityLow, Mapping: &pkgsecurity.ComponentMapping{Mapped: false}}, + {ID: "f5", Severity: pkgsecurity.SeverityInformational, Mapping: nil}, + } + + report := buildSecurityReport(findings, "dev", "rds", nil) + + assert.Equal(t, "dev", report.Stack) + assert.Equal(t, "rds", report.Component) + assert.Equal(t, 5, report.TotalFindings) + assert.Equal(t, 3, report.MappedCount) + assert.Equal(t, 2, report.UnmappedCount) + assert.Equal(t, 1, report.SeverityCounts[pkgsecurity.SeverityCritical]) + assert.Equal(t, 1, report.SeverityCounts[pkgsecurity.SeverityHigh]) + assert.Equal(t, 1, report.SeverityCounts[pkgsecurity.SeverityMedium]) + assert.Equal(t, 1, report.SeverityCounts[pkgsecurity.SeverityLow]) + assert.Equal(t, 1, report.SeverityCounts[pkgsecurity.SeverityInformational]) + }) + + t.Run("all unmapped with nil mappings", func(t *testing.T) { + findings := []pkgsecurity.Finding{ + {ID: "f1", Severity: pkgsecurity.SeverityHigh, Mapping: nil}, + {ID: "f2", Severity: pkgsecurity.SeverityHigh, Mapping: nil}, + {ID: "f3", Severity: pkgsecurity.SeverityMedium, Mapping: nil}, + } + + report := buildSecurityReport(findings, "prod", "", nil) + + assert.Equal(t, 3, report.TotalFindings) + assert.Equal(t, 0, report.MappedCount) + assert.Equal(t, 3, report.UnmappedCount) + assert.Equal(t, 2, report.SeverityCounts[pkgsecurity.SeverityHigh]) + assert.Equal(t, 1, report.SeverityCounts[pkgsecurity.SeverityMedium]) + }) + + t.Run("single finding mapped", func(t *testing.T) { + findings := []pkgsecurity.Finding{ + { + ID: "f1", + Severity: pkgsecurity.SeverityCritical, + Title: "Critical vulnerability", + Source: pkgsecurity.SourceSecurityHub, + Mapping: &pkgsecurity.ComponentMapping{Mapped: true, Stack: "prod", Component: "vpc"}, + }, + } + + report := buildSecurityReport(findings, "prod", "vpc", nil) + + assert.Equal(t, 1, report.TotalFindings) + assert.Equal(t, 1, report.MappedCount) + assert.Equal(t, 0, report.UnmappedCount) + assert.Equal(t, 1, report.SeverityCounts[pkgsecurity.SeverityCritical]) + // Verify findings are preserved in the report. + require.Len(t, report.Findings, 1) + assert.Equal(t, "f1", report.Findings[0].ID) + assert.Equal(t, "Critical vulnerability", report.Findings[0].Title) + assert.Equal(t, pkgsecurity.SourceSecurityHub, report.Findings[0].Source) + }) + + t.Run("empty findings slice vs nil", func(t *testing.T) { + // Empty slice should behave the same as nil. + report := buildSecurityReport([]pkgsecurity.Finding{}, "prod", "vpc", nil) + + assert.Equal(t, 0, report.TotalFindings) + assert.Equal(t, 0, report.MappedCount) + assert.Equal(t, 0, report.UnmappedCount) + assert.NotNil(t, report.SeverityCounts) + }) + + t.Run("unmapped finding with Mapped false", func(t *testing.T) { + // A finding with a non-nil mapping but Mapped=false should count as unmapped. + findings := []pkgsecurity.Finding{ + { + ID: "f1", + Severity: pkgsecurity.SeverityLow, + Mapping: &pkgsecurity.ComponentMapping{Mapped: false, Confidence: "none"}, + }, + } + + report := buildSecurityReport(findings, "", "", nil) + + assert.Equal(t, 1, report.TotalFindings) + assert.Equal(t, 0, report.MappedCount) + assert.Equal(t, 1, report.UnmappedCount) + }) + + t.Run("severity counts do not include missing severities", func(t *testing.T) { + // Only the severities present in findings should appear in the counts map. + findings := []pkgsecurity.Finding{ + {ID: "f1", Severity: pkgsecurity.SeverityCritical, Mapping: nil}, + } + + report := buildSecurityReport(findings, "", "", nil) + + assert.Equal(t, 1, report.SeverityCounts[pkgsecurity.SeverityCritical]) + assert.Equal(t, 0, report.SeverityCounts[pkgsecurity.SeverityHigh]) + assert.Equal(t, 0, report.SeverityCounts[pkgsecurity.SeverityMedium]) + }) +} + +func TestSecurityAnalyzeFileFlag(t *testing.T) { + // Verify the --file flag is registered on the analyze subcommand. + flag := securityAnalyzeCmd.Flags().Lookup("file") + require.NotNil(t, flag, "securityAnalyzeCmd should have --file flag") + assert.Equal(t, "", flag.DefValue, "--file default should be empty") + assert.Equal(t, "string", flag.Value.Type(), "--file should be a string flag") +} + +func TestSecuritySubcommandRegistered(t *testing.T) { + cmd := SecurityCmd + // Verify the analyze subcommand exists under security. + var foundAnalyze bool + for _, sub := range cmd.Commands() { + if sub.Use == "analyze" { + foundAnalyze = true + break + } + } + assert.True(t, foundAnalyze, "security command should have analyze subcommand") +} + +func TestSecurityAnalyzeAllFlagsRegistered(t *testing.T) { + // Verify all expected flags are registered on securityAnalyzeCmd. + tests := []struct { + name string + flagName string + defValue string + flagType string + }{ + {"stack flag", "stack", "", "string"}, + {"component flag", "component", "", "string"}, + {"severity flag", "severity", "critical,high", "string"}, + {"source flag", "source", "all", "string"}, + {"framework flag", "framework", "", "string"}, + {"format flag", "format", "markdown", "string"}, + {"file flag", "file", "", "string"}, + {"max-findings flag", "max-findings", "500", "int"}, + {"region flag", "region", "", "string"}, + {"identity flag", "identity", "", "string"}, + {"no-group flag", "no-group", "false", "bool"}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + f := securityAnalyzeCmd.Flags().Lookup(tt.flagName) + require.NotNil(t, f, "flag %q should be registered", tt.flagName) + assert.Equal(t, tt.defValue, f.DefValue, "flag %q default", tt.flagName) + assert.Equal(t, tt.flagType, f.Value.Type(), "flag %q type", tt.flagName) + }) + } +} + +func TestSecurityAnalyzeFlagShorthand(t *testing.T) { + // Verify shorthand aliases for key flags. + tests := []struct { + name string + flagName string + shorthand string + }{ + {"stack shorthand", "stack", "s"}, + {"component shorthand", "component", "c"}, + {"format shorthand", "format", "f"}, + {"identity shorthand", "identity", "i"}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + f := securityAnalyzeCmd.Flags().Lookup(tt.flagName) + require.NotNil(t, f, "flag %q should be registered", tt.flagName) + assert.Equal(t, tt.shorthand, f.Shorthand, "flag %q shorthand", tt.flagName) + }) + } +} + +func TestSecurityCmdUsesNoArgs(t *testing.T) { + // Verify commands reject positional arguments. + err := SecurityCmd.Args(SecurityCmd, []string{"unexpected-arg"}) + assert.Error(t, err, "SecurityCmd should reject positional args") + err = securityAnalyzeCmd.Args(securityAnalyzeCmd, []string{"unexpected-arg"}) + assert.Error(t, err, "securityAnalyzeCmd should reject positional args") +} + +func TestSeverityMapCompleteness(t *testing.T) { + // Verify that the severityMap covers all expected severity levels. + expectedSeverities := []string{"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"} + for _, sev := range expectedSeverities { + _, ok := severityMap[sev] + assert.True(t, ok, "severityMap should contain %q", sev) + } + assert.Len(t, severityMap, len(expectedSeverities), "severityMap should have exactly %d entries", len(expectedSeverities)) +} + +func TestDefaultMaxFindings(t *testing.T) { + // Verify the default constant matches expectations. + assert.Equal(t, 500, defaultMaxFindings, "defaultMaxFindings should be 500") +} + +func TestBuildSecurityReport_TagMappingPreserved(t *testing.T) { + // Verify that the tag mapping is included in the report when provided. + tagMapping := &pkgsecurity.AWSSecurityTagMapping{ + StackTag: "custom:stack", + ComponentTag: "custom:component", + } + report := buildSecurityReport(nil, "prod", "vpc", tagMapping) + require.NotNil(t, report.TagMapping) + assert.Equal(t, "custom:stack", report.TagMapping.StackTag) + assert.Equal(t, "custom:component", report.TagMapping.ComponentTag) +} + +func TestBuildSecurityReport_TagMappingNilWhenNotProvided(t *testing.T) { + // Verify that tag mapping is nil when not provided. + report := buildSecurityReport(nil, "prod", "vpc", nil) + assert.Nil(t, report.TagMapping) +} + +func TestFilterByStackAndComponent(t *testing.T) { + findings := []pkgsecurity.Finding{ + {ID: "f1", Mapping: &pkgsecurity.ComponentMapping{Stack: "plat-use2-prod", Component: "vpc", Mapped: true}}, + {ID: "f2", Mapping: &pkgsecurity.ComponentMapping{Stack: "plat-use2-prod", Component: "s3-bucket", Mapped: true}}, + {ID: "f3", Mapping: &pkgsecurity.ComponentMapping{Stack: "plat-use2-dev", Component: "vpc", Mapped: true}}, + {ID: "f4", Mapping: &pkgsecurity.ComponentMapping{Stack: "core-use2-security", Component: "account", Mapped: true}}, + {ID: "f5", Mapping: nil}, // unmapped. + {ID: "f6", Mapping: &pkgsecurity.ComponentMapping{Stack: "", Component: "", Mapped: false}}, // unmapped. + } + + t.Run("filter by stack only", func(t *testing.T) { + result := filterByStackAndComponent(findings, "plat-use2-prod", "") + require.Len(t, result, 2) + assert.Equal(t, "f1", result[0].ID) + assert.Equal(t, "f2", result[1].ID) + }) + + t.Run("filter by component only", func(t *testing.T) { + result := filterByStackAndComponent(findings, "", "vpc") + require.Len(t, result, 2) + assert.Equal(t, "f1", result[0].ID) + assert.Equal(t, "f3", result[1].ID) + }) + + t.Run("filter by both stack and component", func(t *testing.T) { + result := filterByStackAndComponent(findings, "plat-use2-prod", "vpc") + require.Len(t, result, 1) + assert.Equal(t, "f1", result[0].ID) + }) + + t.Run("no match returns empty", func(t *testing.T) { + result := filterByStackAndComponent(findings, "nonexistent", "") + assert.Empty(t, result) + }) + + t.Run("unmapped findings excluded", func(t *testing.T) { + result := filterByStackAndComponent(findings, "plat-use2-prod", "") + for _, f := range result { + assert.True(t, f.Mapping.Mapped) + } + }) + + t.Run("empty filters returns all mapped", func(t *testing.T) { + // When both filters empty, all mapped findings pass through. + result := filterByStackAndComponent(findings, "", "") + assert.Len(t, result, 4) // 4 mapped, 2 unmapped excluded. + }) +} + +func TestAuthenticateAndResolveAWS_EmptyIdentity(t *testing.T) { + // Empty identity should return nil without error. + authCtx, err := authenticateAndResolveAWS(nil, "") + require.NoError(t, err) + assert.Nil(t, authCtx) +} + +func TestExtractAWSAuthContext_NilStackInfo(t *testing.T) { + // Mock auth manager with nil stack info. + mockMgr := &mockStackInfoProvider{stackInfo: nil} + _, err := extractAWSAuthContext(mockMgr, "test-identity") + require.Error(t, err) + assert.Contains(t, err.Error(), "no AWS credentials were produced") +} + +func TestExtractAWSAuthContext_NilAuthContext(t *testing.T) { + // Stack info exists but AuthContext is nil. + mockMgr := &mockStackInfoProvider{ + stackInfo: &schema.ConfigAndStacksInfo{AuthContext: nil}, + } + _, err := extractAWSAuthContext(mockMgr, "test-identity") + require.Error(t, err) + assert.Contains(t, err.Error(), "no AWS credentials were produced") +} + +func TestExtractAWSAuthContext_NilAWS(t *testing.T) { + // AuthContext exists but AWS is nil. + mockMgr := &mockStackInfoProvider{ + stackInfo: &schema.ConfigAndStacksInfo{ + AuthContext: &schema.AuthContext{AWS: nil}, + }, + } + _, err := extractAWSAuthContext(mockMgr, "test-identity") + require.Error(t, err) + assert.Contains(t, err.Error(), "no AWS credentials were produced") +} + +func TestExtractAWSAuthContext_Success(t *testing.T) { + // Full auth context present. + mockMgr := &mockStackInfoProvider{ + stackInfo: &schema.ConfigAndStacksInfo{ + AuthContext: &schema.AuthContext{ + AWS: &schema.AWSAuthContext{ + Profile: "test-profile", + CredentialsFile: "/tmp/creds", + ConfigFile: "/tmp/config", + Region: "us-west-2", + }, + }, + }, + } + authCtx, err := extractAWSAuthContext(mockMgr, "test-identity") + require.NoError(t, err) + assert.Equal(t, "test-profile", authCtx.Profile) + assert.Equal(t, "us-west-2", authCtx.Region) +} + +// mockStackInfoProvider implements stackInfoProvider for testing extractAWSAuthContext. +type mockStackInfoProvider struct { + stackInfo *schema.ConfigAndStacksInfo +} + +func (m *mockStackInfoProvider) GetStackInfo() *schema.ConfigAndStacksInfo { + return m.stackInfo +} diff --git a/demo/screengrabs/demo-stacks.txt b/demo/screengrabs/demo-stacks.txt index 5a7e30e3e8..8090c27a2e 100644 --- a/demo/screengrabs/demo-stacks.txt +++ b/demo/screengrabs/demo-stacks.txt @@ -46,8 +46,12 @@ atmos auth user configure --help atmos auth validate --help atmos auth whoami --help atmos aws --help +atmos aws compliance --help +atmos aws compliance report --help atmos aws eks --help atmos aws eks update-kubeconfig --help +atmos aws security --help +atmos aws security analyze --help atmos completion --help atmos completion bash atmos completion fish diff --git a/docs/prd/atmos-aws-security-compliance.md b/docs/prd/atmos-aws-security-compliance.md new file mode 100644 index 0000000000..ae5b08d9bb --- /dev/null +++ b/docs/prd/atmos-aws-security-compliance.md @@ -0,0 +1,486 @@ +# Atmos AWS Security & Compliance — Product Requirements Document + +**Status:** Shipped (experimental) +**Version:** 1.0 +**Last Updated:** 2026-04-05 + +--- + +## Problem + +Reviewing AWS security findings requires navigating multiple AWS console pages, cross-referencing +resources with Terraform code, and manually figuring out which configuration caused the issue. This is +slow, error-prone, and requires deep AWS + Terraform expertise. + +## Solution + +Two CLI commands that fetch findings from AWS Security Hub, map them to Atmos components and stacks, +and generate structured remediation reports — all from a single command. + +```shell +# Security findings mapped to components +atmos aws security analyze --stack prod-us-east-1 + +# AI-powered remediation (reads source code, generates specific fixes) +atmos aws security analyze --stack prod-us-east-1 --ai + +# Compliance posture scoring +atmos aws compliance report --framework cis-aws +``` + +**Key differentiator:** Atmos owns the component-to-stack relationship, so it traces a finding on an +AWS resource back to the exact Terraform code and stack configuration that created it. + +**AI is optional.** Commands work purely with AWS APIs. The `--ai` flag adds root cause analysis, +remediation guidance, and deploy commands using any Atmos AI provider (Anthropic, OpenAI, Gemini, +Azure OpenAI, Bedrock, Ollama, Grok). + +**Cloud-specific namespace.** Commands live under `atmos aws` to enable future `atmos azure security` +and `atmos gcp security`. + +--- + +## Architecture + +```text +┌─────────────────────────────────────────────────────────────────────┐ +│ atmos aws security analyze │ +├─────────────────────────────────────────────────────────────────────┤ +│ Atmos Auth → AWS Security Hub → Component Mapper → AI → Report │ +│ │ +│ Finding → Resource ARN → Resource Tags → Atmos Stack → │ +│ Atmos Component → Terraform Source → Root Cause → Remediation │ +└─────────────────────────────────────────────────────────────────────┘ +``` + +### Data Flow + +1. **Authenticate** — Atmos Auth obtains AWS credentials (SSO, assume-role) via `identity` config +2. **Fetch Findings** — Query Security Hub for active findings (severity, source, framework filters) +3. **Map to Components** — Trace each finding's resource back to an Atmos component/stack via tags or heuristics +4. **AI Analysis** (opt-in) — Send finding + component source + stack config to AI for root cause analysis +5. **Generate Report** — Render as Markdown (terminal), JSON (CI/CD), YAML, or CSV + +### Data Schema + +```text +Finding → ComponentMapping → Remediation (AI-populated) → Report → ReportRenderer +``` + +- **Finding:** ID, title, severity, source, resource ARN, resource type, tags, account, region +- **ComponentMapping:** stack, component, component_path, confidence (exact/high/low/none), method +- **Remediation:** root_cause, steps[], code_changes[], stack_changes, deploy_command, risk_level, references[] +- **Report:** generated_at, total_findings, severity_counts, mapped/unmapped counts, findings[] + +Without `--ai`, Remediation is nil. With `--ai`, the embedded skill prompt ensures all providers +fill the same fields in the same format. + +--- + +## Finding-to-Code Mapping + +The system uses 7 mapping strategies in priority order, stopping at the first confident match: + +| Priority | Method | Confidence | How It Works | +|----------|---------------------|------------|----------------------------------------------------------------------------------------------------------------------------------------------------| +| 1 | `finding-tag` | exact | Stack + component tags (configurable, default `atmos:stack` + `atmos:component`) embedded in the Security Hub finding | +| 2 | `tag-api` | exact | Same tags from the Resource Groups Tagging API (same-account only) | +| 3 | `context-tags` | high | Cloud Posse context tags (`Namespace`, `Tenant`, `Environment`, `Stage`, `Name`) reconstruct naming prefix → extract component name | +| 4 | `account-map` | low | Account-level findings → account name from config `account_map` (if configured, no API call) or AWS Organizations `DescribeAccount` API (fallback) | +| 5 | `ecr-repo` | low | ECR findings → component from repository name, stack from account name | +| 6 | `naming-convention` | low | Last hyphen segment of resource name (unreliable for multi-word components) | +| 7 | `resource-type` | low | AWS resource type → component name heuristic | + +**Tag configuration** — the tag keys are configurable in `atmos.yaml`: + +```yaml +aws: + security: + tag_mapping: + stack_tag: "atmos:stack" + component_tag: "atmos:component" +``` + +**Post-mapping filtering** — `--stack` and `--component` filter AFTER mapping (Security Hub has +no concept of Atmos stacks). Stack matching supports prefix (`plat-use2-prod` matches +`plat-use2-prod-vpc`). Unmapped findings are excluded when filters are active. + +--- + +## AI Analysis + +When `--ai` is passed, each mapped finding is sent to the configured AI provider for analysis. + +**API providers (multi-turn):** Uses `SendMessageWithSystemPromptAndTools` with the Atmos tool +registry. The AI can call `atmos_describe_component`, `read_component_file`, `read_stack_file` +to gather context before generating remediation. Up to 10 tool iterations. + +**CLI providers (single-prompt):** Falls back to enriched single-prompt mode with pre-fetched +component source (`main.tf`) and stack config. + +**Deduplication:** Findings with the same title + component + stack are analyzed once; remediation +is shared across duplicates. + +**Retry:** Transient errors (529/429/500/502/503) retry with exponential backoff (3 attempts, +2s initial delay, 15s max, 30% jitter) via `pkg/retry`. + +**Timeout:** 300s default when `--ai` is used (configurable via `ai.timeout_seconds`). + +**Skill prompt:** Embedded `go:embed skill_prompt.md` instructs AI to return structured output +matching the `Remediation` schema fields (root cause, steps, code changes, stack changes, +deploy command, risk level, references). + +--- + +## CLI Commands + +### `atmos aws security analyze` + +```shell +atmos aws security analyze # All findings +atmos aws security analyze --stack prod-us-east-1 # Filter by stack +atmos aws security analyze --stack prod-us-east-1 --component vpc # Filter by component +atmos aws security analyze --severity critical,high # Filter by severity +atmos aws security analyze --source guardduty # Filter by source +atmos aws security analyze --ai # AI-powered remediation +atmos aws security analyze --format json --file findings.json # Save as JSON +atmos aws security analyze --identity security-admin --region us-west-2 # Override auth +``` + +| Flag | Type | Default | Description | +|------------------|--------|-----------------|---------------------------------------------------------| +| `--stack` | string | (all) | Target stack | +| `--component` | string | (all) | Target component | +| `--severity` | string | `critical,high` | Severity filter | +| `--source` | string | `all` | Source: security-hub, config, inspector, guardduty, all | +| `--format` | string | `markdown` | Output: markdown, json, yaml, csv | +| `--file` | string | (stdout) | Write to file | +| `--max-findings` | int | `500` | Maximum findings | +| `--ai` | bool | `false` | Enable AI analysis | +| `--no-group` | bool | `false` | Disable duplicate grouping | +| `--region` | string | (config) | AWS region override | +| `--identity` | string | (config) | Atmos Auth identity override | + +### `atmos aws compliance report` + +```shell +atmos aws compliance report # Default framework (cis-aws) +atmos aws compliance report --framework cis-aws # CIS benchmark +atmos aws compliance report --framework pci-dss --format json # PCI DSS as JSON +atmos aws compliance report --controls CIS.1.14,CIS.2.1 # Specific controls +``` + +| Flag | Type | Default | Description | +|---------------|--------|------------|------------------------------------------------| +| `--stack` | string | (all) | Target stack | +| `--framework` | string | (all) | Framework: cis-aws, pci-dss, soc2, hipaa, nist | +| `--format` | string | `markdown` | Output: markdown, json, yaml, csv | +| `--file` | string | (stdout) | Write to file | +| `--controls` | string | (all) | Specific control IDs to check | +| `--identity` | string | (config) | Atmos Auth identity override | + +--- + +## Configuration + +```yaml +# atmos.yaml +aws: + security: + enabled: true + identity: "security-readonly" # Atmos Auth identity → Security Hub account + region: "us-east-2" # Security Hub aggregation region + default_severity: [CRITICAL, HIGH] + max_findings: 500 + tag_mapping: + stack_tag: "atmos:stack" # default; customize to match your tagging standard + component_tag: "atmos:component" + # Account names resolved automatically via AWS Organizations DescribeAccount API. + # Optional override if Organizations access is unavailable: + # account_map: + # "123456789012": "core-security" + frameworks: [cis-aws, pci-dss] + +# AI (optional, for --ai flag) +ai: + enabled: true + default_provider: "anthropic" + providers: + anthropic: + model: "claude-sonnet-4-6" + api_key: !env "ANTHROPIC_API_KEY" + tools: + enabled: true +``` + +### Authentication + +Each command directly calls `auth.CreateAndAuthenticateManagerWithAtmosConfig()` — the standard +Atmos Auth entry point — then reads `authManager.GetStackInfo().AuthContext.AWS` to get the +`AWSAuthContext` populated by `PostAuthenticate` → `SetAuthContext`. Credential validation uses +`identity.ValidateAWSCredentials()` (STS GetCallerIdentity) before the pipeline starts. + +The `identity` config field targets the delegated admin account where Security Hub aggregates +findings from all member accounts. The `region` field targets the aggregation region. + +Account names for account-level findings are resolved dynamically via the AWS Organizations +`DescribeAccount` API. The optional `account_map` config provides a static override — when +configured, matched account IDs are resolved from the map without an API call. + +#### Atmos Auth Patterns Across Commands + +Each command type has different credential delivery needs: + +| Command | Auth Pattern | How Credentials Reach AWS SDK | +|-------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------| +| **Terraform/Helmfile/Packer** | `createAndAuthenticateAuthManager()` merges component-specific auth → `PostAuthenticate` populates `AuthContext.AWS` → `PrepareShellEnvironment()` | Subprocess inherits `AWS_*` env vars | +| **S3 backend** | Already has `AuthContext.AWS` from the Terraform flow | `LoadConfigWithAuth(authContext.AWS)` | +| **EKS token** | Custom `authenticateForToken()` → `Authenticate()` → `ICredentials` → `exportAWSCredsToEnv()` | `os.Setenv(AWS_ACCESS_KEY_ID, ...)` | +| **ECR login** | `ExecuteIntegration()` or `ExecuteIdentityIntegrations()` | Integrations handle Docker login directly | +| **Security/Compliance** | `CreateAndAuthenticateManagerWithAtmosConfig()` → `GetStackInfo().AuthContext.AWS` | `LoadConfigWithAuth(authCtx)` | + +The security commands follow the S3 backend pattern (in-process AWS SDK via `LoadConfigWithAuth` +with `AWSAuthContext`), using the standard `CreateAndAuthenticateManagerWithAtmosConfig()` entry +point. + +### Required AWS Permissions + +```json +{ + "Statement": [ + { + "Sid": "SecurityFindings", + "Effect": "Allow", + "Action": [ + "securityhub:GetFindings", + "securityhub:GetEnabledStandards", + "securityhub:ListSecurityControlDefinitions", + "sts:GetCallerIdentity" + ], + "Resource": "*" + }, + { + "Sid": "ResourceTagLookup", + "Effect": "Allow", + "Action": ["tag:GetResources"], + "Resource": "*" + }, + { + "Sid": "AccountNameLookup", + "Effect": "Allow", + "Action": ["organizations:DescribeAccount"], + "Resource": "*" + } + ] +} +``` + +--- + +## Implementation + +### File Structure + +| File | Purpose | +|---------------------------------------------------|-----------------------------------------------------------------------------| +| `cmd/aws/security/security.go` | Security analyze command, flags, filtering, auth, AI integration | +| `cmd/aws/compliance/compliance.go` | Compliance report command, control filtering, auth | +| `pkg/aws/identity/identity.go` | AWS SDK config loading, `GetCallerIdentity`, `ValidateAWSCredentials` | +| `pkg/aws/security/types.go` | Finding, ComponentMapping, Remediation, Report, `ParseOutputFormat` | +| `pkg/aws/security/finding_fetcher.go` | Security Hub API queries, pagination, compliance scoring | +| `pkg/aws/security/component_mapper.go` | 7-strategy mapping pipeline (tag → context → Organizations API → heuristic) | +| `pkg/aws/security/analyzer.go` | AI analysis: dedup, retry, multi-turn tools, skill prompt | +| `pkg/aws/security/report_renderer.go` | Markdown, JSON, YAML, CSV rendering | +| `pkg/aws/security/aws_clients.go` | AWS SDK interfaces (SecurityHubAPI, TaggingAPI, OrganizationsAPI) | +| `pkg/aws/security/cache.go` | Findings and compliance cache | +| `pkg/aws/security/skill_prompt.md` | Embedded AI system prompt for structured remediation | +| `pkg/schema/aws_security.go` | Schema: AWSSecuritySettings, TagMapping, AccountMap | +| `agent-skills/skills/atmos-aws-security/SKILL.md` | Agent skill for MCP/AI tools | + +### AI Tools + +Registered in `pkg/ai/tools/atmos/` for both CLI commands and MCP clients: + +| Tool | Purpose | +|---------------------------|-------------------------------------| +| `atmos_list_findings` | List security findings with filters | +| `atmos_describe_finding` | Full finding details with mapping | +| `atmos_analyze_finding` | AI analysis for a specific finding | +| `atmos_compliance_report` | Compliance posture report | + +### Error Handling + +Static sentinel errors in `errors/errors.go`: + +| Error | When | +|---------------------------------|---------------------------------| +| `ErrAISecurityNotEnabled` | `aws.security.enabled` is false | +| `ErrAISecurityFetchFailed` | AWS API errors | +| `ErrAISecurityMappingFailed` | Component mapping fails | +| `ErrAISecurityAnalysisFailed` | AI provider errors | +| `ErrAWSCredentialsNotValid` | STS GetCallerIdentity fails | +| `ErrAISecurityInvalidSeverity` | Unknown severity value | +| `ErrAISecurityInvalidSource` | Unknown source value | +| `ErrAISecurityInvalidFramework` | Unknown framework value | +| `ErrAISecurityInvalidFormat` | Unknown output format | + +--- + +## Testing + +### Coverage + +| Test File | Tests | Coverage | +|---------------------------------------------|-------|----------| +| `pkg/aws/security/finding_fetcher_test.go` | 30+ | ~92% | +| `pkg/aws/security/component_mapper_test.go` | 27+ | ~90% | +| `pkg/aws/security/report_renderer_test.go` | 30+ | ~95% | +| `pkg/aws/security/analyzer_test.go` | 25+ | ~90% | +| `pkg/aws/security/cache_test.go` | 15+ | ~90% | +| `pkg/aws/security/types_test.go` | 12 | 100% | +| `cmd/aws/security/security_test.go` | 50+ | 100%* | +| `cmd/aws/compliance/compliance_test.go` | 25+ | 100%* | + +\* All testable functions. RunE handlers require real AWS. + +**Overall:** `pkg/aws/security/` at 91.8%. + +### Approach + +- Unit tests with mocks for all AWS API interactions (no real AWS calls in CI) +- Table-driven tests for input validation +- Manual mock implementations for AI client (`mockAIClient`, `countingMockClient`) +- Interface-driven design: `SecurityHubAPI`, `TaggingAPI`, `FindingFetcher`, `ComponentMapper`, `FindingAnalyzer`, `ReportRenderer` + +--- + +## Production Testing Results + +Tested against a multi-account AWS organization (11 accounts, Security Hub delegated admin). + +### Mapping Accuracy (500 findings) + +| Method | Count | Confidence | +|------------------|-----------------|------------| +| `ecr-repo` | 395 | low | +| `context-tags` | 41 | high | +| `finding-tag` | 28 | exact | +| `account-map` | 21 | low | +| `resource-type` | 1 | low | +| **Total mapped** | **486 (97.2%)** | | +| Unmapped | 14 (2.8%) | | + +### Stack/Component Filtering + +- `--stack plat-use2-prod` → 13 findings (all HIGH, 100% mapped, 10 components) +- `--stack plat-use2-dev` → 17 findings (all mapped, 11 components) +- `--stack plat-use2-dev --component rds/example` → 4 findings (exact match) +- No filter → 500 findings across 18 stacks + +### Compliance Report + +- `atmos aws compliance report --framework cis-aws` → 35/42 controls passing (83%) +- 7 failing controls: Config.1 (CRITICAL), EC2.14, EC2.13 (HIGH), S3.1, EC2.6 (MEDIUM), IAM.17, CloudTrail.7 (LOW) +- Controls deduplicated by `SecurityControlID` (e.g., `EC2.18`) +- Total controls counted via `ListSecurityControlDefinitions` API + +### AI Analysis (`--ai`) + +- `--stack plat-use2-dev --component rds/example --ai` → 4 findings on same security group +- AI read `catalog/rds/defaults.yaml` via tools, identified `allowed_cidr_blocks` root cause +- Generated: 6 remediation steps, stack YAML changes, Terraform validation guards, deploy command +- Detected anomaly: port 22 on RDS SG flagged as likely console drift +- Risk assessment: Medium (port 5432), Low (port 22/SSH) +- Global `--ai` summary synthesized all 4 findings into prioritized action plan + +--- + +## Known Limitations + +1. **Cross-account tag lookup** — The Tagging API only works in the same account. Finding-embedded + tags (`Resources[].Tags`) are the primary source. + +2. **Naming convention is the weakest mapper** — Only used as last resort (confidence: low). + +3. **AI timeout on large context** — Multi-turn tool analysis with retries can take >120s + per finding. Default increased to 300s. Configurable via `ai.timeout_seconds`. + +4. **Compliance framework filter** — Uses PREFIX matching with type prefix (`ruleset/` or + `standards/`). Some frameworks may have variant prefixes not yet mapped. + +--- + +## Remaining Work + +- **Component name validation** — Cross-reference heuristic names against `atmos list components` +- **Terraform state search** — Scan state files for resource ARN mapping (reuse `!terraform.state`) +- **AI-assisted inference** — Send unmapped findings to AI for component inference +- **Integration tests** — End-to-end tests with real AWS API calls (test account needed) + +--- + +## Design Decisions + +### Why Direct AWS SDK (not MCP Server) + +The `awslabs.well-architected-security-mcp-server` fetches the same raw findings via the same APIs. +We chose direct SDK calls because: + +- Full control over filtering (severity, source, framework, max findings) +- No external dependencies (no `uvx`, no MCP subprocess) +- Finding-to-code mapping requires Atmos-internal data (stacks, components) that no MCP server has +- MCP servers complement this for ad-hoc conversational queries (`atmos ai ask "show me critical findings"`) + +### Why Post-Mapping Filtering + +Security Hub has no concept of Atmos stacks. Stack/component filtering happens AFTER findings are +mapped to components via tags/heuristics. This is the only reliable approach because the mapping +method (tags vs naming convention) determines which stack a finding belongs to. + +--- + +## Security Considerations + +- **AI is opt-in** — No data sent to AI providers without `--ai` flag +- **Read-only** — Commands never modify infrastructure +- **Data residency** — Choose provider matching requirements (Bedrock keeps data in-account, Ollama runs locally) +- **Atmos Auth** — All AWS access via Atmos Auth; no hardcoded keys +- **Credential validation** — Early STS GetCallerIdentity check before pipeline starts + +--- + +## AWS Security Services Reference + +Security Hub aggregates findings from: AWS Config, GuardDuty, Inspector, Macie, IAM Access Analyzer. +All follow a multi-account delegated admin pattern with the security account as admin. + +| Service | Component | Finding Types | +|-----------------|-----------------------|-----------------------------------------------| +| Security Hub | `aws-security-hub` | Aggregated ASFF findings, compliance controls | +| AWS Config | `aws-config` | Resource compliance evaluations | +| GuardDuty | `aws-guardduty` | Threat detection (ML-based) | +| Inspector v2 | `aws-inspector2` | CVE vulnerabilities, network reachability | +| Access Analyzer | `aws-access-analyzer` | External/unused access | +| Macie | `aws-macie` | S3 sensitive data, policy findings | + +### Prerequisite Components + +| Component | Required | +|------------------------------------|-------------| +| `cloudtrail` + `cloudtrail-bucket` | Yes | +| `aws-config` + `aws-config-bucket` | Yes | +| `aws-security-hub` | Yes | +| `aws-guardduty` | Yes | +| `aws-inspector2` | Recommended | +| `aws-access-analyzer` | Recommended | +| `aws-macie` | Optional | + +--- + +## Documentation + +- CLI: `website/docs/cli/commands/aws/security/analyze.mdx`, `website/docs/cli/commands/aws/compliance/report.mdx` +- Config: `website/docs/cli/configuration/aws/security.mdx` +- Example: `examples/aws-security-compliance/` +- Blog: `website/blog/2026-04-03-aws-security-compliance.mdx` +- PRD: `docs/prd/atmos-aws-security-compliance.md` (this file) diff --git a/errors/errors.go b/errors/errors.go index 6c30f5edf4..78603a3656 100644 --- a/errors/errors.go +++ b/errors/errors.go @@ -1004,6 +1004,18 @@ var ( ErrAIComponentPathNotFound = errors.New("component path not found") ErrAIComponentPathNotDirectory = errors.New("component path is not a directory") + // AWS security and compliance errors. + ErrAWSSecurityNotEnabled = errors.New("security features are not enabled: add 'aws.security.enabled: true' to atmos.yaml") + ErrAWSSecurityNoFindings = errors.New("no security findings found matching the specified filters") + ErrAWSSecurityFetchFailed = errors.New("failed to fetch security findings from AWS") + ErrAWSSecurityMappingFailed = errors.New("failed to map security finding to Atmos component") + ErrAWSSecurityInvalidSeverity = errors.New("invalid severity filter: valid values are CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL") + ErrAWSSecurityInvalidSource = errors.New("invalid finding source: valid values are security-hub, config, inspector, guardduty, macie, access-analyzer, all") + ErrAWSSecurityInvalidFramework = errors.New("invalid compliance framework: valid values are cis-aws, pci-dss, soc2, hipaa, nist") + ErrAWSSecurityInvalidFormat = errors.New("invalid output format: valid values are markdown, json, yaml, csv") + ErrAWSSecurityAnalysisFailed = errors.New("AI analysis of security findings failed") + ErrAWSCredentialsNotValid = errors.New("AWS credentials are not configured or have expired") + // CLI provider errors. ErrCLIProviderBinaryNotFound = errors.New("CLI provider binary not found on PATH") ErrCLIProviderExecFailed = errors.New("CLI provider execution failed") diff --git a/examples/aws-security-compliance/README.md b/examples/aws-security-compliance/README.md new file mode 100644 index 0000000000..f55e68e5c7 --- /dev/null +++ b/examples/aws-security-compliance/README.md @@ -0,0 +1,136 @@ +# Example: AWS Security & Compliance + +Analyze AWS security findings, map them to Atmos components and stacks, and get +AI-powered remediation guidance. + +Learn more in the [AWS Security documentation](https://atmos.tools/cli/commands/aws/security). + +> This example requires AWS credentials with Security Hub access. +> Update the `auth` section in `atmos.yaml` with your SSO settings. + +## Prerequisites + +1. **Atmos Auth** — update `auth` in `atmos.yaml` with your SSO start URL, permission set, + and security account ID, then authenticate: + ```bash + atmos auth login + ``` + +2. **AI provider** (optional, for `--ai`): + ```bash + export ANTHROPIC_API_KEY="your-api-key" + ``` + +## Try It + +```shell +cd examples/aws-security-compliance + +# All findings +atmos aws security analyze + +# Filter by stack and component +atmos aws security analyze --stack prod-us-east-1 --component vpc + +# AI-powered remediation +atmos aws security analyze --stack prod-us-east-1 --ai + +# Save as JSON +atmos aws security analyze --format json --file findings.json + +# Compliance reports +atmos aws compliance report --framework cis-aws +atmos aws compliance report --ai +``` + +## See It in Action + +### Security findings mapped to components + +```text +$ atmos aws security analyze --stack plat-use2-dev --component rds/example + +# Security Report: plat-use2-dev / rds/example — 4 findings (1 CRITICAL, 3 HIGH) + +| Field | Value | +|----------------|-------------------------------------------------------------| +| **Component** | rds/example | +| **Stack** | plat-use2-dev | +| **Confidence** | exact | +| **Mapped By** | finding-tag | + +Resource Tags: atmos_stack=plat-use2-dev, atmos_component=rds/example, + Namespace=acme, Tenant=plat, Environment=use2, Stage=dev + +| Severity | Count | Mapped | +|-----------|-------|--------| +| CRITICAL | 1 | 1 | +| HIGH | 3 | 3 | +``` + +### With `--ai` — AI-powered remediation + +```text +$ atmos aws security analyze --stack plat-use2-dev --component rds/example --ai + +✓ AI analysis complete — rds/example in plat-use2-dev + +## EC2.18: Port 5432 open to 0.0.0.0/0 (HIGH) +Fix: allowed_cidr_blocks: [], publicly_accessible: false + +## EC2.13: Port 22/SSH open on RDS SG (HIGH) +⚠️ Anomalous — likely out-of-band console drift. Remove manually. + +## Priority Actions +1. Remove port-22 rule manually (drift) +2. Update catalog/rds/example.yaml: + allowed_cidr_blocks: [] + publicly_accessible: false + use_private_subnets: true +3. Add Terraform validation guard for allowed_cidr_blocks +4. atmos terraform apply rds/example -s plat-use2-dev + +| Finding | Risk | +|--------------------|--------| +| EC2.18 (port 5432) | Medium | +| EC2.13 (port 22) | Low | +``` + +### Compliance report + +```text +$ atmos aws compliance report + +## Score: 35/42 Controls Passing (83%) + +| Control | Title | Severity | +|--------------|----------------------------------------------------|----------| +| Config.1 | AWS Config should be enabled | CRITICAL | +| EC2.14 | SG allows ingress from 0.0.0.0/0 to port 3389 | HIGH | +| EC2.13 | SG allows ingress from 0.0.0.0/0 to port 22 | HIGH | +| S3.1 | S3 block public access not enabled | MEDIUM | +| EC2.6 | VPC flow logging not enabled | MEDIUM | +| IAM.17 | Password policy doesn't expire in 90 days | LOW | +| CloudTrail.7 | S3 access logging not enabled on CloudTrail bucket | LOW | +``` + +### Compliance with `--ai` + +```text +$ atmos aws compliance report --ai + +✓ 83% Compliant (35/42) — 7 failing controls + +🔴 Config.1: Enable AWS Config with service-linked role +🟠 EC2.14/EC2.13: Lock down SG ports 22/3389 — use VPN or SSM +🟡 S3.1: Enable Block Public Access | EC2.6: Enable VPC Flow Logs +🟢 IAM.17: Set password expiry ≤90d | CloudTrail.7: Enable S3 access logging + +Next: atmos terraform apply on security-groups, vpc, config components +``` + +## Key Files + +| File | Purpose | +|--------------|-------------------------------------------------| +| `atmos.yaml` | Security config, auth, AI provider, tag mapping | diff --git a/examples/aws-security-compliance/atmos.yaml b/examples/aws-security-compliance/atmos.yaml new file mode 100644 index 0000000000..96c1f68229 --- /dev/null +++ b/examples/aws-security-compliance/atmos.yaml @@ -0,0 +1,80 @@ +# Atmos AWS Security & Compliance Example +# +# Analyze security findings, map to components, get AI remediation. +# +# Prerequisites: +# - Update auth section below with your SSO settings +# - atmos auth login +# - For --ai: export ANTHROPIC_API_KEY="..." +# +# Quick start: +# atmos aws security analyze +# atmos aws compliance report --framework cis-aws + +base_path: "." + +# AWS Security & Compliance +# Docs: https://atmos.tools/cli/commands/aws/security +aws: + security: + enabled: true + + # Atmos Auth identity targeting the Security Hub delegated admin account. + identity: "security-readonly" + + # Security Hub aggregation region. + region: "us-east-2" + + # Default severity filter. + default_severity: + - CRITICAL + - HIGH + + max_findings: 50 + + # Tag keys for finding-to-code mapping. + # Update to match your organization's tagging standard. + tag_mapping: + stack_tag: "atmos:stack" + component_tag: "atmos:component" + + # Account names are resolved automatically via AWS Organizations DescribeAccount API. + # If account_map is configured, it takes priority (no API call for matched IDs). + # Use account_map only if Organizations access is unavailable. + # account_map: + # "123456789012": "security" + # "234567890123": "prod" + + frameworks: + - cis-aws + +# Atmos Auth — update with your AWS organization settings. +# Docs: https://atmos.tools/cli/configuration/auth +auth: + providers: + aws-sso: + kind: aws/iam-identity-center + start_url: "https://your-org.awsapps.com/start" # ← Change this + region: "us-east-1" + identities: + security-readonly: + kind: aws/permission-set + provider: aws-sso + default: true + principal: + permission_set: "ReadOnlyAccess" # ← Change this + account: + id: "123456789012" # ← Change this (security account) + +# AI Configuration (optional, for --ai flag) +# Docs: https://atmos.tools/cli/configuration/ai +ai: + enabled: true + default_provider: "anthropic" + providers: + anthropic: + model: "claude-sonnet-4-6" + api_key: !env "ANTHROPIC_API_KEY" + max_tokens: 4096 + tools: + enabled: true diff --git a/examples/quick-start-advanced/Dockerfile b/examples/quick-start-advanced/Dockerfile index 1dfd4f6c35..1e5de1fedc 100644 --- a/examples/quick-start-advanced/Dockerfile +++ b/examples/quick-start-advanced/Dockerfile @@ -6,7 +6,7 @@ ARG GEODESIC_OS=debian # https://atmos.tools/ # https://github.com/cloudposse/atmos # https://github.com/cloudposse/atmos/releases -ARG ATMOS_VERSION=1.214.0 +ARG ATMOS_VERSION=1.215.0 # Terraform: https://github.com/hashicorp/terraform/releases ARG TF_VERSION=1.5.7 diff --git a/go.mod b/go.mod index 0a5f19d07d..df76317c65 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.26 require ( al.essio.dev/pkg/shellescape v1.6.0 - cloud.google.com/go/secretmanager v1.16.0 + cloud.google.com/go/secretmanager v1.17.0 cloud.google.com/go/storage v1.61.3 dario.cat/mergo v1.0.2 github.com/99designs/keyring v1.2.2 @@ -22,22 +22,24 @@ require ( github.com/agiledragon/gomonkey/v2 v2.14.0 github.com/alecthomas/chroma/v2 v2.23.1 github.com/alicebob/miniredis/v2 v2.37.0 - github.com/anthropics/anthropic-sdk-go v1.27.1 + github.com/anthropics/anthropic-sdk-go v1.29.0 github.com/arsham/figurine v1.3.0 github.com/atotto/clipboard v0.1.4 github.com/aws/aws-sdk-go-v2 v1.41.5 - github.com/aws/aws-sdk-go-v2/config v1.32.13 - github.com/aws/aws-sdk-go-v2/credentials v1.19.13 + github.com/aws/aws-sdk-go-v2/config v1.32.14 + github.com/aws/aws-sdk-go-v2/credentials v1.19.14 github.com/aws/aws-sdk-go-v2/service/bedrockruntime v1.50.4 github.com/aws/aws-sdk-go-v2/service/ecr v1.56.2 github.com/aws/aws-sdk-go-v2/service/eks v1.81.2 github.com/aws/aws-sdk-go-v2/service/organizations v1.51.0 + github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.31.10 github.com/aws/aws-sdk-go-v2/service/s3 v1.98.0 + github.com/aws/aws-sdk-go-v2/service/securityhub v1.68.3 github.com/aws/aws-sdk-go-v2/service/ssm v1.68.4 - github.com/aws/aws-sdk-go-v2/service/sso v1.30.14 - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18 + github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 - github.com/aws/smithy-go v1.24.2 + github.com/aws/smithy-go v1.24.3 github.com/bmatcuk/doublestar/v4 v4.10.0 github.com/charmbracelet/bubbles v1.0.0 github.com/charmbracelet/bubbletea v1.3.10 @@ -66,10 +68,10 @@ require ( github.com/google/go-github/v59 v59.0.0 github.com/google/renameio/v2 v2.0.2 github.com/google/uuid v1.6.0 - github.com/googleapis/gax-go/v2 v2.20.0 + github.com/googleapis/gax-go/v2 v2.21.0 github.com/hairyhenderson/gomplate/v3 v3.11.8 github.com/hairyhenderson/gomplate/v4 v4.3.3 - github.com/hashicorp/go-getter v1.8.5 + github.com/hashicorp/go-getter v1.8.6 github.com/hashicorp/go-version v1.9.0 github.com/hashicorp/hcl v1.0.1-vault-7 github.com/hashicorp/hcl/v2 v2.24.0 @@ -118,7 +120,7 @@ require ( golang.org/x/oauth2 v0.36.0 golang.org/x/term v0.41.0 golang.org/x/text v0.35.0 - google.golang.org/api v0.273.1 + google.golang.org/api v0.274.0 google.golang.org/genai v1.52.1 google.golang.org/grpc v1.80.0 gopkg.in/ini.v1 v1.67.1 @@ -136,12 +138,12 @@ require ( cloud.google.com/go/auth v0.19.0 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect cloud.google.com/go/compute/metadata v0.9.0 // indirect - cloud.google.com/go/iam v1.6.0 // indirect - cloud.google.com/go/monitoring v1.24.3 // indirect + cloud.google.com/go/iam v1.7.0 // indirect + cloud.google.com/go/monitoring v1.25.0 // indirect cuelang.org/go v0.16.0 // indirect github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect github.com/AlecAivazis/survey/v2 v2.3.7 // indirect - github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest/to v0.4.1 // indirect @@ -169,7 +171,7 @@ require ( github.com/aws/aws-sdk-go v1.55.8 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 // indirect - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.11 // indirect + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.12 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect @@ -206,7 +208,7 @@ require ( github.com/containerd/containerd/v2 v2.2.2 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/log v0.1.0 // indirect - github.com/containerd/platforms v1.0.0-rc.3 // indirect + github.com/containerd/platforms v1.0.0-rc.4 // indirect github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect github.com/containerd/typeurl/v2 v2.2.3 // indirect github.com/cyphar/filepath-securejoin v0.6.1 // indirect @@ -240,8 +242,8 @@ require ( github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.8.0 // indirect github.com/go-ini/ini v1.67.0 // indirect - github.com/go-jose/go-jose/v3 v3.0.4 // indirect - github.com/go-jose/go-jose/v4 v4.1.3 // indirect + github.com/go-jose/go-jose/v3 v3.0.5 // indirect + github.com/go-jose/go-jose/v4 v4.1.4 // indirect github.com/go-logfmt/logfmt v0.6.1 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect @@ -294,13 +296,13 @@ require ( github.com/hashicorp/vault/api/auth/aws v0.12.0 // indirect github.com/hashicorp/vault/api/auth/userpass v0.12.0 // indirect github.com/huandu/go-clone v1.7.3 // indirect - github.com/huandu/go-sqlbuilder v1.40.0 // indirect + github.com/huandu/go-sqlbuilder v1.40.1 // indirect github.com/huandu/xstrings v1.5.0 // indirect github.com/iancoleman/orderedmap v0.3.0 // indirect github.com/iancoleman/strcase v0.3.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/itchyny/gojq v0.12.18 // indirect - github.com/itchyny/timefmt-go v0.1.7 // indirect + github.com/itchyny/gojq v0.12.19 // indirect + github.com/itchyny/timefmt-go v0.1.8 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/jfrog/archiver/v3 v3.6.3 // indirect github.com/jfrog/build-info-go v1.13.0 // indirect @@ -317,7 +319,7 @@ require ( github.com/kr/text v0.2.0 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/lestrrat-go/blackmagic v1.0.4 // indirect - github.com/lestrrat-go/dsig v1.0.0 // indirect + github.com/lestrrat-go/dsig v1.1.0 // indirect github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect github.com/lestrrat-go/httpcc v1.0.1 // indirect github.com/lestrrat-go/httprc/v3 v3.0.5 // indirect @@ -404,7 +406,7 @@ require ( github.com/yashtewari/glob-intersection v0.2.0 // indirect github.com/yosida95/uritemplate/v3 v3.0.2 // indirect github.com/yuin/goldmark-emoji v1.0.6 // indirect - github.com/yuin/gopher-lua v1.1.1 // indirect + github.com/yuin/gopher-lua v1.1.2 // indirect github.com/zealic/xignore v0.3.3 // indirect go.etcd.io/bbolt v1.4.3 // indirect go.opencensus.io v0.24.0 // indirect @@ -434,9 +436,9 @@ require ( golang.org/x/time v0.15.0 // indirect golang.org/x/tools v0.43.0 // indirect golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect - google.golang.org/genproto v0.0.0-20260330182312-d5a96adf58d8 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20260330182312-d5a96adf58d8 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260330182312-d5a96adf58d8 // indirect + google.golang.org/genproto v0.0.0-20260401024825-9d38bb4040a9 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect google.golang.org/protobuf v1.36.11 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect diff --git a/go.sum b/go.sum index ab8e0bc123..f55322ffc8 100644 --- a/go.sum +++ b/go.sum @@ -12,20 +12,20 @@ cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIi cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs= cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10= -cloud.google.com/go/iam v1.6.0 h1:JiSIcEi38dWBKhB3BtfKCW+dMvCZJEhBA2BsaGJgoxs= -cloud.google.com/go/iam v1.6.0/go.mod h1:ZS6zEy7QHmcNO18mjO2viYv/n+wOUkhJqGNkPPGueGU= +cloud.google.com/go/iam v1.7.0 h1:JD3zh0C6LHl16aCn5Akff0+GELdp1+4hmh6ndoFLl8U= +cloud.google.com/go/iam v1.7.0/go.mod h1:tetWZW1PD/m6vcuY2Zj/aU0eCHNPuxedbnbRTyKXvdY= cloud.google.com/go/logging v1.13.2 h1:qqlHCBvieJT9Cdq4QqYx1KPadCQ2noD4FK02eNqHAjA= cloud.google.com/go/logging v1.13.2/go.mod h1:zaybliM3yun1J8mU2dVQ1/qDzjbOqEijZCn6hSBtKak= cloud.google.com/go/longrunning v0.8.0 h1:LiKK77J3bx5gDLi4SMViHixjD2ohlkwBi+mKA7EhfW8= cloud.google.com/go/longrunning v0.8.0/go.mod h1:UmErU2Onzi+fKDg2gR7dusz11Pe26aknR4kHmJJqIfk= -cloud.google.com/go/monitoring v1.24.3 h1:dde+gMNc0UhPZD1Azu6at2e79bfdztVDS5lvhOdsgaE= -cloud.google.com/go/monitoring v1.24.3/go.mod h1:nYP6W0tm3N9H/bOw8am7t62YTzZY+zUeQ+Bi6+2eonI= -cloud.google.com/go/pubsub v1.50.1 h1:fzbXpPyJnSGvWXF1jabhQeXyxdbCIkXTpjXHy7xviBM= -cloud.google.com/go/pubsub v1.50.1/go.mod h1:6YVJv3MzWJUVdvQXG081sFvS0dWQOdnV+oTo++q/xFk= -cloud.google.com/go/pubsub/v2 v2.0.0 h1:0qS6mRJ41gD1lNmM/vdm6bR7DQu6coQcVwD+VPf0Bz0= -cloud.google.com/go/pubsub/v2 v2.0.0/go.mod h1:0aztFxNzVQIRSZ8vUr79uH2bS3jwLebwK6q1sgEub+E= -cloud.google.com/go/secretmanager v1.16.0 h1:19QT7ZsLJ8FSP1k+4esQvuCD7npMJml6hYzilxVyT+k= -cloud.google.com/go/secretmanager v1.16.0/go.mod h1://C/e4I8D26SDTz1f3TQcddhcmiC3rMEl0S1Cakvs3Q= +cloud.google.com/go/monitoring v1.25.0 h1:HnsTIOxTN6BCSkt1P/Im23r1m7MHTTpmSYCzPkW7NK4= +cloud.google.com/go/monitoring v1.25.0/go.mod h1:wlj6rX+JGyusw/8+2duW4cJ6kmDHGmde3zMTJuG3Jpc= +cloud.google.com/go/pubsub v1.50.2 h1:54Up97HnThdP4H8jjWJSSQ/mnYG2EKon7ZSNETRq0tM= +cloud.google.com/go/pubsub v1.50.2/go.mod h1:jyCWeZdGFqd4mitSsBERnJcpqaHBsxQoPkNvjj4sp0w= +cloud.google.com/go/pubsub/v2 v2.5.1 h1:+TwXJr78P9RrMV3S8lKHIhJo2E99jI7ta65e+ujJjts= +cloud.google.com/go/pubsub/v2 v2.5.1/go.mod h1:Pd+qeabMX+576vQJhTN7TelE4k6kJh15dLU/ptOQ/UA= +cloud.google.com/go/secretmanager v1.17.0 h1:rji2m9dikfOxUvYxgJ5XpSvDtwqjouqKFAPp4Hgfyto= +cloud.google.com/go/secretmanager v1.17.0/go.mod h1:ojzpR7KA2il9qcmBYaysgHsclj8nMcCL/Hc+WYxUsGA= cloud.google.com/go/storage v1.61.3 h1:VS//ZfBuPGDvakfD9xyPW1RGF1Vy3BWUoVZXgW1KMOg= cloud.google.com/go/storage v1.61.3/go.mod h1:JtqK8BBB7TWv0HVGHubtUdzYYrakOQIsMLffZ2Z/HWk= cloud.google.com/go/trace v1.11.7 h1:kDNDX8JkaAG3R2nq1lIdkb7FCSi1rCmsEtKVsty7p+U= @@ -50,8 +50,8 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpz github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 h1:fhqpLE3UEXi9lPaBRpQ6XuRW0nU7hgg4zlmZZa+a9q4= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0/go.mod h1:7dCRMLwisfRH3dBupKeNCioWYUZ4SS09Z14H+7i8ZoY= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0/go.mod h1:LRr2FzBTQlONPPa5HREE5+RjSCTXl7BwOvYOaWTqCaI= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1 h1:7CBQ+Ei8SP2c6ydQTGCCrS35bDxgTMfoP2miAwK++OU= @@ -145,8 +145,8 @@ github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kk github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= -github.com/anthropics/anthropic-sdk-go v1.27.1 h1:7DgMZ2Ng3C2mPzJGHA30NXQTZolcF07mHd0tGaLwfzk= -github.com/anthropics/anthropic-sdk-go v1.27.1/go.mod h1:qUKmaW+uuPB64iy1l+4kOSvaLqPXnHTTBKH6RVZ7q5Q= +github.com/anthropics/anthropic-sdk-go v1.29.0 h1:7h1ZyRflhtxyuFkdwkVuJ1LdFAYdmizvgg0gd1uvOfI= +github.com/anthropics/anthropic-sdk-go v1.29.0/go.mod h1:dSIO7kSrOI7MA4fE6RRVaw8tyWP7HNQU5/H/KS4cax8= github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU= github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc= github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= @@ -173,14 +173,14 @@ github.com/aws/aws-sdk-go-v2 v1.41.5 h1:dj5kopbwUsVUVFgO4Fi5BIT3t4WyqIDjGKCangnV github.com/aws/aws-sdk-go-v2 v1.41.5/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 h1:eBMB84YGghSocM7PsjmmPffTa+1FBUeNvGvFou6V/4o= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI= -github.com/aws/aws-sdk-go-v2/config v1.32.13 h1:5KgbxMaS2coSWRrx9TX/QtWbqzgQkOdEa3sZPhBhCSg= -github.com/aws/aws-sdk-go-v2/config v1.32.13/go.mod h1:8zz7wedqtCbw5e9Mi2doEwDyEgHcEE9YOJp6a8jdSMY= -github.com/aws/aws-sdk-go-v2/credentials v1.19.13 h1:mA59E3fokBvyEGHKFdnpNNrvaR351cqiHgRg+JzOSRI= -github.com/aws/aws-sdk-go-v2/credentials v1.19.13/go.mod h1:yoTXOQKea18nrM69wGF9jBdG4WocSZA1h38A+t/MAsk= +github.com/aws/aws-sdk-go-v2/config v1.32.14 h1:opVIRo/ZbbI8OIqSOKmpFaY7IwfFUOCCXBsUpJOwDdI= +github.com/aws/aws-sdk-go-v2/config v1.32.14/go.mod h1:U4/V0uKxh0Tl5sxmCBZ3AecYny4UNlVmObYjKuuaiOo= +github.com/aws/aws-sdk-go-v2/credentials v1.19.14 h1:n+UcGWAIZHkXzYt87uMFBv/l8THYELoX6gVcUvgl6fI= +github.com/aws/aws-sdk-go-v2/credentials v1.19.14/go.mod h1:cJKuyWB59Mqi0jM3nFYQRmnHVQIcgoxjEMAbLkpr62w= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 h1:NUS3K4BTDArQqNu2ih7yeDLaS3bmHD0YndtA6UP884g= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21/go.mod h1:YWNWJQNjKigKY1RHVJCuupeWDrrHjRqHm0N9rdrWzYI= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.11 h1:389etN1xVFox972wTlppZOhdE9hviegagWS00FK6D+4= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.11/go.mod h1:w47JHXVTLCfgMR5ogaztz9jgOgOuBhorYB4RScKfMXw= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.12 h1:vhbHvVM9Til68SOR3Dds7zi51PaUlzexmh4Lf/uv+Ok= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.12/go.mod h1:jq4soyz7xX5bfkxVKQu1BwkopF2QbQUTs5n7iIg3D8Q= github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 h1:Rgg6wvjjtX8bNHcvi9OnXWwcE0a2vGpbwmtICOsvcf4= github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21/go.mod h1:A/kJFst/nm//cyqonihbdpQZwiUhhzpqTsdbhDdRF9c= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 h1:PEgGVtPoB6NTpPrBgqSE5hE/o47Ij9qk/SEZFbUOe9A= @@ -205,22 +205,26 @@ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 h1:ZlvrNcHSFFWUR github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21/go.mod h1:cv3TNhVrssKR0O/xxLJVRfd2oazSnZnkUeTf6ctUwfQ= github.com/aws/aws-sdk-go-v2/service/organizations v1.51.0 h1:WWZx5pDUGGG/WjlAM6agF0s5jUSz2HLFGZkDFZJa9oE= github.com/aws/aws-sdk-go-v2/service/organizations v1.51.0/go.mod h1:urLFj1twuR/h5T0wN/2/kmY1gxBFa1tTKr+c60lZ2fA= +github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.31.10 h1:/06ZTEMv78pKQyHCE8mCyTr0jqyB/SgEqNISV0cLpho= +github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.31.10/go.mod h1:1U2gliqlvTuDukaKtoF9IvEC+rP2pb0b6c4f7s/INeQ= github.com/aws/aws-sdk-go-v2/service/s3 v1.98.0 h1:foqo/ocQ7WqKwy3FojGtZQJo0FR4vto9qnz9VaumbCo= github.com/aws/aws-sdk-go-v2/service/s3 v1.98.0/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5 h1:z2ayoK3pOvf8ODj/vPR0FgAS5ONruBq0F94SRoW/BIU= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5/go.mod h1:mpZB5HAl4ZIISod9qCi12xZ170TbHX9CCJV5y7nb7QU= +github.com/aws/aws-sdk-go-v2/service/securityhub v1.68.3 h1:Nz5/FeXnKq+7YtIeNtHIuDeX/ZeFWDETL0oaqf8V0VI= +github.com/aws/aws-sdk-go-v2/service/securityhub v1.68.3/go.mod h1:wFhqYLcoMThnIKlNsl048lq9FmCA20hJV1GY0TvS7MI= github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 h1:QKZH0S178gCmFEgst8hN0mCX1KxLgHBKKY/CLqwP8lg= github.com/aws/aws-sdk-go-v2/service/signin v1.0.9/go.mod h1:7yuQJoT+OoH8aqIxw9vwF+8KpvLZ8AWmvmUWHsGQZvI= github.com/aws/aws-sdk-go-v2/service/ssm v1.68.4 h1:5Wg8AAAnIWM2LE/0KFGqllZff96bm4dBs+uerYFfReE= github.com/aws/aws-sdk-go-v2/service/ssm v1.68.4/go.mod h1:nph0ypDLWm9D9iA9zOX39W/N+A4GqwzlxA13jzXVD4k= -github.com/aws/aws-sdk-go-v2/service/sso v1.30.14 h1:GcLE9ba5ehAQma6wlopUesYg/hbcOhFNWTjELkiWkh4= -github.com/aws/aws-sdk-go-v2/service/sso v1.30.14/go.mod h1:WSvS1NLr7JaPunCXqpJnWk1Bjo7IxzZXrZi1QQCkuqM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18 h1:mP49nTpfKtpXLt5SLn8Uv8z6W+03jYVoOSAl/c02nog= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18/go.mod h1:YO8TrYtFdl5w/4vmjL8zaBSsiNp3w0L1FfKVKenZT7w= +github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 h1:lFd1+ZSEYJZYvv9d6kXzhkZu07si3f+GQ1AaYwa2LUM= +github.com/aws/aws-sdk-go-v2/service/sso v1.30.15/go.mod h1:WSvS1NLr7JaPunCXqpJnWk1Bjo7IxzZXrZi1QQCkuqM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 h1:dzztQ1YmfPrxdrOiuZRMF6fuOwWlWpD2StNLTceKpys= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19/go.mod h1:YO8TrYtFdl5w/4vmjL8zaBSsiNp3w0L1FfKVKenZT7w= github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 h1:p8ogvvLugcR/zLBXTXrTkj0RYBUdErbMnAFFp12Lm/U= github.com/aws/aws-sdk-go-v2/service/sts v1.41.10/go.mod h1:60dv0eZJfeVXfbT1tFJinbHrDfSJ2GZl4Q//OSSNAVw= -github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng= -github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc= +github.com/aws/smithy-go v1.24.3 h1:XgOAaUgx+HhVBoP4v8n6HCQoTRDhoMghKqw4LNHsDNg= +github.com/aws/smithy-go v1.24.3/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc= github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k= github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8= github.com/aymanbagabas/go-udiff v0.3.1 h1:LV+qyBQ2pqe0u42ZsUEtPiCaUoqgA9gYRDs3vj1nolY= @@ -327,8 +331,8 @@ github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= -github.com/containerd/platforms v1.0.0-rc.3 h1:YdvwaHtrN6wHcGJ2mYRYP3Nso8OcysuqFe9Hxm1X/tI= -github.com/containerd/platforms v1.0.0-rc.3/go.mod h1:gw0R+alP3nFQPh1L4K9bv13fRWeeyokLGLu2fKuqI10= +github.com/containerd/platforms v1.0.0-rc.4 h1:M42JrUT4zfZTqtkUwkr0GzmUWbfyO5VO0Q5b3op97T4= +github.com/containerd/platforms v1.0.0-rc.4/go.mod h1:lKlMXyLybmBedS/JJm11uDofzI8L2v0J2ZbYvNsbq1A= github.com/containerd/stargz-snapshotter/estargz v0.18.2 h1:yXkZFYIzz3eoLwlTUZKz2iQ4MrckBxJjkmD16ynUTrw= github.com/containerd/stargz-snapshotter/estargz v0.18.2/go.mod h1:XyVU5tcJ3PRpkA9XS2T5us6Eg35yM0214Y+wvrZTBrY= github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40= @@ -465,10 +469,10 @@ github.com/go-git/go-git/v5 v5.17.2 h1:B+nkdlxdYrvyFK4GPXVU8w1U+YkbsgciIR7f2sZJ1 github.com/go-git/go-git/v5 v5.17.2/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= -github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY= -github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= -github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs= -github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= +github.com/go-jose/go-jose/v3 v3.0.5 h1:BLLJWbC4nMZOfuPVxoZIxeYsn6Nl2r1fITaJ78UQlVQ= +github.com/go-jose/go-jose/v3 v3.0.5/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= +github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA= +github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= @@ -588,8 +592,8 @@ github.com/google/wire v0.7.0 h1:JxUKI6+CVBgCO2WToKy/nQk0sS+amI9z9EjVmdaocj4= github.com/google/wire v0.7.0/go.mod h1:n6YbUQD9cPKTnHXEBN2DXlOp/mVADhVErcMFb0v3J18= github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8= github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg= -github.com/googleapis/gax-go/v2 v2.20.0 h1:NIKVuLhDlIV74muWlsMM4CcQZqN6JJ20Qcxd9YMuYcs= -github.com/googleapis/gax-go/v2 v2.20.0/go.mod h1:But/NJU6TnZsrLai/xBAQLLz+Hc7fHZJt/hsCz3Fih4= +github.com/googleapis/gax-go/v2 v2.21.0 h1:h45NjjzEO3faG9Lg/cFrBh2PgegVVgzqKzuZl/wMbiI= +github.com/googleapis/gax-go/v2 v2.21.0/go.mod h1:But/NJU6TnZsrLai/xBAQLLz+Hc7fHZJt/hsCz3Fih4= github.com/gookit/assert v0.1.1 h1:lh3GcawXe/p+cU7ESTZ5Ui3Sm/x8JWpIis4/1aF0mY0= github.com/gookit/assert v0.1.1/go.mod h1:jS5bmIVQZTIwk42uXl4lyj4iaaxx32tqH16CFj0VX2E= github.com/gookit/color v1.6.0 h1:JjJXBTk1ETNyqyilJhkTXJYYigHG24TM9Xa2M1xAhRA= @@ -649,8 +653,8 @@ github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-getter v1.8.5 h1:DMPV5CSw5JrNg/IK7kDZt3+l2REKXOi3oAw7uYLh2NM= -github.com/hashicorp/go-getter v1.8.5/go.mod h1:WIffejwAyDSJhoVptc3UEshEMkR9O63rw34V7k43O3Q= +github.com/hashicorp/go-getter v1.8.6 h1:9sQboWULaydVphxc4S64oAI4YqpuCk7nPmvbk131ebY= +github.com/hashicorp/go-getter v1.8.6/go.mod h1:nVH12eOV2P58dIiL3rsU6Fh3wLeJEKBOJzhMmzlSWoo= github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= @@ -721,8 +725,8 @@ github.com/huandu/go-assert v1.1.6 h1:oaAfYxq9KNDi9qswn/6aE0EydfxSa+tWZC1KabNitY github.com/huandu/go-assert v1.1.6/go.mod h1:JuIfbmYG9ykwvuxoJ3V8TB5QP+3+ajIA54Y44TmkMxs= github.com/huandu/go-clone v1.7.3 h1:rtQODA+ABThEn6J5LBTppJfKmZy/FwfpMUWa8d01TTQ= github.com/huandu/go-clone v1.7.3/go.mod h1:ReGivhG6op3GYr+UY3lS6mxjKp7MIGTknuU5TbTVaXE= -github.com/huandu/go-sqlbuilder v1.40.0 h1:AyVPNtsZhG8x298g5Bq0tapa4DA6o/vVZ2LCywIocZU= -github.com/huandu/go-sqlbuilder v1.40.0/go.mod h1:zdONH67liL+/TvoUMwnZP/sUYGSSvHh9psLe/HpXn8E= +github.com/huandu/go-sqlbuilder v1.40.1 h1:Q2pNM8BAbaezO56ZzkbJNMGW/CTu+8+Qw7IxF4P3+7w= +github.com/huandu/go-sqlbuilder v1.40.1/go.mod h1:zdONH67liL+/TvoUMwnZP/sUYGSSvHh9psLe/HpXn8E= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/iancoleman/orderedmap v0.3.0 h1:5cbR2grmZR/DiVt+VJopEhtVs9YGInGIxAoMJn+Ichc= @@ -732,10 +736,10 @@ github.com/iancoleman/strcase v0.3.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/itchyny/gojq v0.12.18 h1:gFGHyt/MLbG9n6dqnvlliiya2TaMMh6FFaR2b1H6Drc= -github.com/itchyny/gojq v0.12.18/go.mod h1:4hPoZ/3lN9fDL1D+aK7DY1f39XZpY9+1Xpjz8atrEkg= -github.com/itchyny/timefmt-go v0.1.7 h1:xyftit9Tbw+Dc/huSSPJaEmX1TVL8lw5vxjJLK4GMMA= -github.com/itchyny/timefmt-go v0.1.7/go.mod h1:5E46Q+zj7vbTgWY8o5YkMeYb4I6GeWLFnetPy5oBrAI= +github.com/itchyny/gojq v0.12.19 h1:ttXA0XCLEMoaLOz5lSeFOZ6u6Q3QxmG46vfgI4O0DEs= +github.com/itchyny/gojq v0.12.19/go.mod h1:5galtVPDywX8SPSOrqjGxkBeDhSxEW1gSxoy7tn1iZY= +github.com/itchyny/timefmt-go v0.1.8 h1:1YEo1JvfXeAHKdjelbYr/uCuhkybaHCeTkH8Bo791OI= +github.com/itchyny/timefmt-go v0.1.8/go.mod h1:5E46Q+zj7vbTgWY8o5YkMeYb4I6GeWLFnetPy5oBrAI= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jfrog/archiver/v3 v3.6.3 h1:hkAmPjBw393tPmQ07JknLNWFNZjXdy2xFEnOW9wwOxI= @@ -807,8 +811,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA= github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw= -github.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38= -github.com/lestrrat-go/dsig v1.0.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo= +github.com/lestrrat-go/dsig v1.1.0 h1:FF7ApqV/r5IQoRdd6LDev/ctP8uz7eIvoGw+ZZvry/8= +github.com/lestrrat-go/dsig v1.1.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo= github.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY= github.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU= github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= @@ -1167,8 +1171,8 @@ github.com/yuin/goldmark v1.8.2 h1:kEGpgqJXdgbkhcOgBxkC0X0PmoPG1ZyoZ117rDVp4zE= github.com/yuin/goldmark v1.8.2/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg= github.com/yuin/goldmark-emoji v1.0.6 h1:QWfF2FYaXwL74tfGOW5izeiZepUDroDJfWubQI9HTHs= github.com/yuin/goldmark-emoji v1.0.6/go.mod h1:ukxJDKFpdFb5x0a5HqbdlcKtebh086iJpI31LTKmWuA= -github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M= -github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw= +github.com/yuin/gopher-lua v1.1.2 h1:yF/FjE3hD65tBbt0VXLE13HWS9h34fdzJmrWRXwobGA= +github.com/yuin/gopher-lua v1.1.2/go.mod h1:7aRmXIWl37SqRf0koeyylBEzJ+aPt8A+mmkQ4f1ntR8= github.com/zalando/go-keyring v0.2.8 h1:6sD/Ucpl7jNq10rM2pgqTs0sZ9V3qMrqfIIy5YPccHs= github.com/zalando/go-keyring v0.2.8/go.mod h1:tsMo+VpRq5NGyKfxoBVjCuMrG47yj8cmakZDO5QGii0= github.com/zclconf/go-cty v1.18.0 h1:pJ8+HNI4gFoyRNqVE37wWbJWVw43BZczFo7KUoRczaA= @@ -1410,8 +1414,8 @@ golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhS golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4= gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E= -google.golang.org/api v0.273.1 h1:L7G/TmpAMz0nKx/ciAVssVmWQiOF6+pOuXeKrWVsquY= -google.golang.org/api v0.273.1/go.mod h1:JbAt7mF+XVmWu6xNP8/+CTiGH30ofmCmk9nM8d8fHew= +google.golang.org/api v0.274.0 h1:aYhycS5QQCwxHLwfEHRRLf9yNsfvp1JadKKWBE54RFA= +google.golang.org/api v0.274.0/go.mod h1:JbAt7mF+XVmWu6xNP8/+CTiGH30ofmCmk9nM8d8fHew= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genai v1.52.1 h1:dYoljKtLDXMiBdVaClSJ/ZPwZ7j1N0lGjMhwOKOQUlk= @@ -1419,12 +1423,12 @@ google.golang.org/genai v1.52.1/go.mod h1:A3kkl0nyBjyFlNjgxIwKq70julKbIxpSxqKO5g google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20260330182312-d5a96adf58d8 h1:sySa53TjfcJqYj9NDInPweJWT4oTPySurSM7e3nr6hQ= -google.golang.org/genproto v0.0.0-20260330182312-d5a96adf58d8/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I= -google.golang.org/genproto/googleapis/api v0.0.0-20260330182312-d5a96adf58d8 h1:udju5p8o61FW6K2fxHWPIZhChk4FHl2Hjk8+uuLNnpM= -google.golang.org/genproto/googleapis/api v0.0.0-20260330182312-d5a96adf58d8/go.mod h1:EIQZ5bFCfRQDV4MhRle7+OgjNtZ6P1PiZBgAKuxXu/Y= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260330182312-d5a96adf58d8 h1:OHkuo1i98/05rzpm9NBbfEtpJH/k3abEgZUKaAuCI7Y= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260330182312-d5a96adf58d8/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/genproto v0.0.0-20260401024825-9d38bb4040a9 h1:w8JYjr7zHemS95YA5FFwk+fUv5tdQU4I8twN9bFdxVU= +google.golang.org/genproto v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:YCEC8W7HTtK7iBv+pI7g7hGAi7qdGB6bQXw3BIYAusM= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= diff --git a/pkg/ai/analyze/analyze_test.go b/pkg/ai/analyze/analyze_test.go index 6f7ebce8c4..eccaf505c3 100644 --- a/pkg/ai/analyze/analyze_test.go +++ b/pkg/ai/analyze/analyze_test.go @@ -220,7 +220,7 @@ func TestBuildAnalysisPrompt_BothStreams(t *testing.T) { } func TestBuildAnalysisPrompt_ContainsSystemPrompt(t *testing.T) { - prompt := buildAnalysisPrompt(newInput("atmos version", "1.214.0", "", nil, "")) + prompt := buildAnalysisPrompt(newInput("atmos version", "1.215.0", "", nil, "")) assert.Contains(t, prompt, "Atmos AI") assert.Contains(t, prompt, "infrastructure-as-code") diff --git a/pkg/ai/tools/atmos/analyze_finding.go b/pkg/ai/tools/atmos/analyze_finding.go new file mode 100644 index 0000000000..c453b3d040 --- /dev/null +++ b/pkg/ai/tools/atmos/analyze_finding.go @@ -0,0 +1,193 @@ +package atmos + +import ( + "context" + "encoding/json" + "fmt" + + errUtils "github.com/cloudposse/atmos/errors" + "github.com/cloudposse/atmos/pkg/ai/tools" + "github.com/cloudposse/atmos/pkg/aws/security" + cfg "github.com/cloudposse/atmos/pkg/config" + "github.com/cloudposse/atmos/pkg/schema" +) + +// AnalyzeFindingTool performs AI-powered analysis of a specific security finding. +type AnalyzeFindingTool struct { + atmosConfig *schema.AtmosConfiguration +} + +// NewAnalyzeFindingTool creates a new analyze finding tool. +func NewAnalyzeFindingTool(atmosConfig *schema.AtmosConfiguration) *AnalyzeFindingTool { + return &AnalyzeFindingTool{atmosConfig: atmosConfig} +} + +// Name returns the tool name. +func (t *AnalyzeFindingTool) Name() string { + return "atmos_analyze_finding" +} + +// Description returns the tool description. +func (t *AnalyzeFindingTool) Description() string { + return "Analyze a security finding using AI to determine root cause, remediation steps, " + + "and deployment commands. Maps the finding to its Atmos component and reads the " + + "component source code for context-aware analysis. Use atmos_list_findings first to get finding IDs." +} + +// Parameters returns the tool parameters. +func (t *AnalyzeFindingTool) Parameters() []tools.Parameter { + return []tools.Parameter{ + { + Name: "finding_id", + Description: "The security finding ID to analyze", + Type: tools.ParamTypeString, + Required: true, + }, + { + Name: "component_source", + Description: "Optional component source code to include in the analysis context", + Type: tools.ParamTypeString, + Required: false, + }, + { + Name: "stack_config", + Description: "Optional stack configuration YAML to include in the analysis context", + Type: tools.ParamTypeString, + Required: false, + }, + } +} + +// Execute runs the tool. +func (t *AnalyzeFindingTool) Execute(ctx context.Context, params map[string]interface{}) (*tools.Result, error) { + findingID, ok := params["finding_id"].(string) + if !ok || findingID == "" { + return &tools.Result{Success: false, Output: "finding_id parameter is required"}, nil + } + + componentSource, _ := params["component_source"].(string) + stackConfig, _ := params["stack_config"].(string) + + // Re-initialize config. + atmosConfig, err := cfg.InitCliConfig(schema.ConfigAndStacksInfo{}, true) + if err != nil { + return &tools.Result{Success: false, Error: err}, err + } + + if !atmosConfig.AWS.Security.Enabled { + return &tools.Result{ + Success: false, + Error: errUtils.Build(errUtils.ErrAWSSecurityNotEnabled). + WithHint("Add `aws.security.enabled: true` to your `atmos.yaml`"). + WithExitCode(2). + Err(), + }, nil + } + + // Fetch the finding by ID. + finding, err := fetchFindingByID(ctx, &atmosConfig, findingID) + if err != nil { + return &tools.Result{Success: false, Error: err}, err + } + + if finding == nil { + return &tools.Result{ + Success: true, + Output: fmt.Sprintf("Finding with ID %q not found.", findingID), + }, nil + } + + // Map and analyze the finding. + return mapAndAnalyzeFinding(ctx, &atmosConfig, finding, componentSource, stackConfig) +} + +// mapAndAnalyzeFinding maps a finding to its component and runs AI analysis. +func mapAndAnalyzeFinding(ctx context.Context, atmosConfig *schema.AtmosConfiguration, finding *security.Finding, componentSource, stackConfig string) (*tools.Result, error) { + // Map the finding to a component. + mapper := security.NewComponentMapper(atmosConfig, nil) + mapping, _ := mapper.MapFinding(ctx, finding) + finding.Mapping = mapping + + // Run AI analysis. + analyzer, err := security.NewFindingAnalyzer(ctx, atmosConfig, nil, nil) + if err != nil { + return &tools.Result{ + Success: false, + Output: fmt.Sprintf("Failed to create AI analyzer: %s", err.Error()), + }, nil + } + + remediation, err := analyzer.AnalyzeFinding(ctx, finding, componentSource, stackConfig) + if err != nil { + return &tools.Result{ + Success: false, + Output: fmt.Sprintf("AI analysis failed: %s", err.Error()), + }, nil + } + + finding.Remediation = remediation + + // Format output. + output := formatAnalysisOutput(finding) + data, _ := json.Marshal(finding) + + return &tools.Result{ + Success: true, + Output: output, + Data: map[string]interface{}{ + "finding": string(data), + }, + }, nil +} + +// fetchFindingByID fetches a specific finding by its ID. +func fetchFindingByID(ctx context.Context, atmosConfig *schema.AtmosConfiguration, findingID string) (*security.Finding, error) { + fetcher := security.NewFindingFetcher(atmosConfig, nil) + opts := security.QueryOptions{ + Severity: []security.Severity{security.SeverityCritical, security.SeverityHigh, security.SeverityMedium, security.SeverityLow, security.SeverityInformational}, + MaxFindings: security.MaxFindingsForLookup, + } + findings, err := fetcher.FetchFindings(ctx, &opts) + if err != nil { + return nil, err + } + + for i := range findings { + if findings[i].ID == findingID { + return &findings[i], nil + } + } + + return nil, nil +} + +// formatAnalysisOutput creates a readable text summary of the AI analysis. +func formatAnalysisOutput(f *security.Finding) string { + output := formatFindingDetail(f) + + if f.Remediation != nil { + output += "\nAI Analysis:\n" + if f.Remediation.RootCause != "" { + output += fmt.Sprintf(" Root Cause: %s\n", f.Remediation.RootCause) + } + output += fmt.Sprintf(" Remediation: %s\n", f.Remediation.Description) + if f.Remediation.DeployCommand != "" { + output += fmt.Sprintf(" Deploy: %s\n", f.Remediation.DeployCommand) + } + if f.Remediation.RiskLevel != "" { + output += fmt.Sprintf(" Risk: %s\n", f.Remediation.RiskLevel) + } + } + + return output +} + +// RequiresPermission returns whether this tool needs permission. +func (t *AnalyzeFindingTool) RequiresPermission() bool { + return false +} + +// IsRestricted returns whether this tool is always restricted. +func (t *AnalyzeFindingTool) IsRestricted() bool { + return false +} diff --git a/pkg/ai/tools/atmos/compliance_report.go b/pkg/ai/tools/atmos/compliance_report.go new file mode 100644 index 0000000000..d617329971 --- /dev/null +++ b/pkg/ai/tools/atmos/compliance_report.go @@ -0,0 +1,146 @@ +package atmos + +import ( + "context" + "encoding/json" + "fmt" + "strings" + + errUtils "github.com/cloudposse/atmos/errors" + "github.com/cloudposse/atmos/pkg/ai/tools" + "github.com/cloudposse/atmos/pkg/aws/security" + cfg "github.com/cloudposse/atmos/pkg/config" + "github.com/cloudposse/atmos/pkg/schema" +) + +// ComplianceReportTool generates compliance posture reports for frameworks. +type ComplianceReportTool struct { + atmosConfig *schema.AtmosConfiguration +} + +// NewComplianceReportTool creates a new compliance report tool. +func NewComplianceReportTool(atmosConfig *schema.AtmosConfiguration) *ComplianceReportTool { + return &ComplianceReportTool{atmosConfig: atmosConfig} +} + +// Name returns the tool name. +func (t *ComplianceReportTool) Name() string { + return "atmos_compliance_report" +} + +// Description returns the tool description. +func (t *ComplianceReportTool) Description() string { + return "Generate a compliance posture report for a specific framework (CIS AWS, PCI DSS, SOC2, HIPAA, NIST). " + + "Returns the compliance score, passing/failing controls, and remediation guidance." +} + +// Parameters returns the tool parameters. +func (t *ComplianceReportTool) Parameters() []tools.Parameter { + return []tools.Parameter{ + { + Name: "framework", + Description: "Compliance framework: cis-aws, pci-dss, soc2, hipaa, nist", + Type: tools.ParamTypeString, + Required: true, + }, + { + Name: "stack", + Description: "Filter by Atmos stack name", + Type: tools.ParamTypeString, + Required: false, + }, + } +} + +// Execute runs the tool. +func (t *ComplianceReportTool) Execute(ctx context.Context, params map[string]interface{}) (*tools.Result, error) { + framework, ok := params["framework"].(string) + if !ok || framework == "" { + return &tools.Result{Success: false, Output: "framework parameter is required"}, nil + } + + stack := "" + if s, ok := params["stack"].(string); ok { + stack = s + } + + // Re-initialize config. + atmosConfig, err := cfg.InitCliConfig(schema.ConfigAndStacksInfo{}, true) + if err != nil { + return &tools.Result{Success: false, Error: err}, err + } + + if !atmosConfig.AWS.Security.Enabled { + return &tools.Result{ + Success: false, + Error: errUtils.Build(errUtils.ErrAWSSecurityNotEnabled). + WithHint("Add `aws.security.enabled: true` to your `atmos.yaml`"). + WithExitCode(2). + Err(), + }, nil + } + + // Fetch compliance status. + fetcher := security.NewFindingFetcher(&atmosConfig, nil) + report, err := fetcher.FetchComplianceStatus(ctx, framework, stack) + if err != nil { + return &tools.Result{Success: false, Error: err}, err + } + + if report == nil { + return &tools.Result{ + Success: true, + Output: fmt.Sprintf("No compliance data available for framework: %s", framework), + }, nil + } + + // Format output. + output := formatComplianceOutput(report) + + data, _ := json.Marshal(report) + + return &tools.Result{ + Success: true, + Output: output, + Data: map[string]interface{}{ + "framework": report.Framework, + "total_controls": report.TotalControls, + "passing_controls": report.PassingControls, + "failing_controls": report.FailingControls, + "score_percent": report.ScorePercent, + "report": string(data), + }, + }, nil +} + +// formatComplianceOutput creates a readable compliance report. +func formatComplianceOutput(report *security.ComplianceReport) string { + var sb strings.Builder + fmt.Fprintf(&sb, "Compliance Report: %s\n", report.FrameworkTitle) + fmt.Fprintf(&sb, "Score: %d/%d Controls Passing (%.0f%%)\n\n", + report.PassingControls, report.TotalControls, report.ScorePercent) + + if len(report.FailingDetails) > 0 { + sb.WriteString("Failing Controls:\n") + for _, ctrl := range report.FailingDetails { + fmt.Fprintf(&sb, " - [%s] %s: %s\n", ctrl.Severity, ctrl.ControlID, ctrl.Title) + if ctrl.Component != "" { + fmt.Fprintf(&sb, " Component: %s\n", ctrl.Component) + } + } + } else { + sb.WriteString("All controls are passing.\n") + } + + return sb.String() +} + +// RequiresPermission returns whether this tool needs permission. +func (t *ComplianceReportTool) RequiresPermission() bool { + return false +} + +// IsRestricted returns whether this tool is always restricted. +func (t *ComplianceReportTool) IsRestricted() bool { + return false +} diff --git a/pkg/ai/tools/atmos/describe_finding.go b/pkg/ai/tools/atmos/describe_finding.go new file mode 100644 index 0000000000..f14f44d14d --- /dev/null +++ b/pkg/ai/tools/atmos/describe_finding.go @@ -0,0 +1,152 @@ +package atmos + +import ( + "context" + "encoding/json" + "fmt" + "strings" + + errUtils "github.com/cloudposse/atmos/errors" + "github.com/cloudposse/atmos/pkg/ai/tools" + "github.com/cloudposse/atmos/pkg/aws/security" + cfg "github.com/cloudposse/atmos/pkg/config" + "github.com/cloudposse/atmos/pkg/schema" +) + +// DescribeFindingTool retrieves detailed information about a specific security finding. +type DescribeFindingTool struct { + atmosConfig *schema.AtmosConfiguration +} + +// NewDescribeFindingTool creates a new describe finding tool. +func NewDescribeFindingTool(atmosConfig *schema.AtmosConfiguration) *DescribeFindingTool { + return &DescribeFindingTool{atmosConfig: atmosConfig} +} + +// Name returns the tool name. +func (t *DescribeFindingTool) Name() string { + return "atmos_describe_finding" +} + +// Description returns the tool description. +func (t *DescribeFindingTool) Description() string { + return "Get detailed information about a specific security finding by ID. " + + "Returns the finding details including severity, resource, component mapping, " + + "and description. Use atmos_list_findings first to get finding IDs." +} + +// Parameters returns the tool parameters. +func (t *DescribeFindingTool) Parameters() []tools.Parameter { + return []tools.Parameter{ + { + Name: "finding_id", + Description: "The security finding ID to look up", + Type: tools.ParamTypeString, + Required: true, + }, + } +} + +// Execute runs the tool. +func (t *DescribeFindingTool) Execute(ctx context.Context, params map[string]interface{}) (*tools.Result, error) { + findingID, ok := params["finding_id"].(string) + if !ok || findingID == "" { + return &tools.Result{Success: false, Output: "finding_id parameter is required"}, nil + } + + // Re-initialize config. + atmosConfig, err := cfg.InitCliConfig(schema.ConfigAndStacksInfo{}, true) + if err != nil { + return &tools.Result{Success: false, Error: err}, err + } + + if !atmosConfig.AWS.Security.Enabled { + return &tools.Result{ + Success: false, + Error: errUtils.Build(errUtils.ErrAWSSecurityNotEnabled). + WithHint("Add `aws.security.enabled: true` to your `atmos.yaml`"). + WithExitCode(2). + Err(), + }, nil + } + + return fetchAndDescribeFinding(ctx, &atmosConfig, findingID) +} + +// fetchAndDescribeFinding fetches a finding by ID and returns a detailed description. +func fetchAndDescribeFinding(ctx context.Context, atmosConfig *schema.AtmosConfiguration, findingID string) (*tools.Result, error) { + finding, err := fetchFindingByID(ctx, atmosConfig, findingID) + if err != nil { + return &tools.Result{Success: false, Error: err}, err + } + + if finding == nil { + return &tools.Result{ + Success: true, + Output: fmt.Sprintf("Finding with ID %q not found.", findingID), + }, nil + } + + // Map the finding to component. + mapper := security.NewComponentMapper(atmosConfig, nil) + mapping, _ := mapper.MapFinding(ctx, finding) + finding.Mapping = mapping + + // Format detailed output. + output := formatFindingDetail(finding) + data, _ := json.Marshal(finding) + + return &tools.Result{ + Success: true, + Output: output, + Data: map[string]interface{}{ + "finding": string(data), + }, + }, nil +} + +// formatFindingDetail formats a single finding with full details. +func formatFindingDetail(f *security.Finding) string { + var sb strings.Builder + fmt.Fprintf(&sb, "Finding: %s\n", f.Title) + fmt.Fprintf(&sb, "ID: %s\n", f.ID) + fmt.Fprintf(&sb, "Severity: %s\n", f.Severity) + fmt.Fprintf(&sb, "Source: %s\n", f.Source) + fmt.Fprintf(&sb, "Resource: %s\n", f.ResourceARN) + fmt.Fprintf(&sb, "Resource Type: %s\n", f.ResourceType) + fmt.Fprintf(&sb, "Account: %s\n", f.AccountID) + fmt.Fprintf(&sb, "Region: %s\n", f.Region) + + if f.ComplianceStandard != "" { + fmt.Fprintf(&sb, "Compliance Standard: %s\n", f.ComplianceStandard) + } + + if f.Description != "" { + fmt.Fprintf(&sb, "\nDescription:\n%s\n", f.Description) + } + + if f.Mapping != nil && f.Mapping.Mapped { + sb.WriteString("\nAtmos Mapping:\n") + fmt.Fprintf(&sb, " Component: %s\n", f.Mapping.Component) + fmt.Fprintf(&sb, " Stack: %s\n", f.Mapping.Stack) + fmt.Fprintf(&sb, " Confidence: %s\n", f.Mapping.Confidence) + fmt.Fprintf(&sb, " Method: %s\n", f.Mapping.Method) + if f.Mapping.ComponentPath != "" { + fmt.Fprintf(&sb, " Path: %s\n", f.Mapping.ComponentPath) + } + } else { + sb.WriteString("\nAtmos Mapping: Not mapped to any component\n") + } + + return sb.String() +} + +// RequiresPermission returns whether this tool needs permission. +func (t *DescribeFindingTool) RequiresPermission() bool { + return false +} + +// IsRestricted returns whether this tool is always restricted. +func (t *DescribeFindingTool) IsRestricted() bool { + return false +} diff --git a/pkg/ai/tools/atmos/list_findings.go b/pkg/ai/tools/atmos/list_findings.go new file mode 100644 index 0000000000..bc97e15f0c --- /dev/null +++ b/pkg/ai/tools/atmos/list_findings.go @@ -0,0 +1,219 @@ +package atmos + +import ( + "context" + "encoding/json" + "fmt" + "strings" + + errUtils "github.com/cloudposse/atmos/errors" + "github.com/cloudposse/atmos/pkg/ai/tools" + "github.com/cloudposse/atmos/pkg/aws/security" + cfg "github.com/cloudposse/atmos/pkg/config" + "github.com/cloudposse/atmos/pkg/schema" +) + +// defaultToolMaxFindings is the default max findings for AI tool queries. +const defaultToolMaxFindings = 20 + +// ListFindingsTool lists security findings from AWS Security Hub. +type ListFindingsTool struct { + atmosConfig *schema.AtmosConfiguration +} + +// NewListFindingsTool creates a new list findings tool. +func NewListFindingsTool(atmosConfig *schema.AtmosConfiguration) *ListFindingsTool { + return &ListFindingsTool{atmosConfig: atmosConfig} +} + +// Name returns the tool name. +func (t *ListFindingsTool) Name() string { + return "atmos_list_findings" +} + +// Description returns the tool description. +func (t *ListFindingsTool) Description() string { + return "List security findings from AWS Security Hub for Atmos stacks. " + + "Returns findings filtered by severity, source service, stack, and component. " + + "Use this to understand the security posture of your infrastructure." +} + +// Parameters returns the tool parameters. +func (t *ListFindingsTool) Parameters() []tools.Parameter { + return []tools.Parameter{ + { + Name: "stack", + Description: "Filter findings by Atmos stack name", + Type: tools.ParamTypeString, + Required: false, + }, + { + Name: "severity", + Description: "Comma-separated severity filter (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL)", + Type: tools.ParamTypeString, + Required: false, + Default: "CRITICAL,HIGH", + }, + { + Name: "source", + Description: "Filter by source service (security-hub, config, inspector, guardduty, macie, access-analyzer, all)", + Type: tools.ParamTypeString, + Required: false, + Default: "all", + }, + { + Name: "max_findings", + Description: "Maximum number of findings to return", + Type: tools.ParamTypeInt, + Required: false, + Default: defaultToolMaxFindings, + }, + } +} + +// Execute runs the tool. +func (t *ListFindingsTool) Execute(ctx context.Context, params map[string]interface{}) (*tools.Result, error) { + atmosConfig, err := cfg.InitCliConfig(schema.ConfigAndStacksInfo{}, true) + if err != nil { + return &tools.Result{Success: false, Error: err}, err + } + + if !atmosConfig.AWS.Security.Enabled { + return &tools.Result{ + Success: false, + Error: errUtils.Build(errUtils.ErrAWSSecurityNotEnabled). + WithHint("Add `aws.security.enabled: true` to your `atmos.yaml`"). + WithExitCode(2). + Err(), + }, nil + } + + opts := parseFindingsQueryParams(params) + + // Fetch and map findings. + fetcher := security.NewFindingFetcher(&atmosConfig, nil) + findings, err := fetcher.FetchFindings(ctx, &opts) + if err != nil { + return &tools.Result{Success: false, Error: err}, err + } + + if len(findings) == 0 { + return &tools.Result{ + Success: true, + Output: "No security findings match the specified filters.", + }, nil + } + + mapper := security.NewComponentMapper(&atmosConfig, nil) + findings, err = mapper.MapFindings(ctx, findings) + if err != nil { + return &tools.Result{Success: false, Error: err}, err + } + + output := formatFindingsOutput(findings) + data, _ := json.Marshal(findings) + + return &tools.Result{ + Success: true, + Output: output, + Data: map[string]interface{}{ + "total": len(findings), + "findings": string(data), + }, + }, nil +} + +// parseFindingsQueryParams extracts security query options from tool parameters. +func parseFindingsQueryParams(params map[string]interface{}) security.QueryOptions { + opts := security.QueryOptions{ + Source: security.SourceAll, + MaxFindings: defaultToolMaxFindings, + } + + if stack, ok := params["stack"].(string); ok && stack != "" { + opts.Stack = stack + } + if maxFindings, ok := params["max_findings"].(float64); ok && maxFindings > 0 { + opts.MaxFindings = int(maxFindings) + } + + opts.Severity = parseSeverityParam(params) + opts.Source = parseSourceParam(params, opts.Source) + + return opts +} + +// severityLookup maps severity strings to typed constants. +var severityLookup = map[string]security.Severity{ + "CRITICAL": security.SeverityCritical, + "HIGH": security.SeverityHigh, + "MEDIUM": security.SeverityMedium, + "LOW": security.SeverityLow, + "INFORMATIONAL": security.SeverityInformational, +} + +// parseSeverityParam parses the severity parameter from tool params. +func parseSeverityParam(params map[string]interface{}) []security.Severity { + severityStr := "CRITICAL,HIGH" + if s, ok := params["severity"].(string); ok && s != "" { + severityStr = s + } + + var severities []security.Severity + for _, s := range strings.Split(severityStr, ",") { + if sev, ok := severityLookup[strings.ToUpper(strings.TrimSpace(s))]; ok { + severities = append(severities, sev) + } + } + return severities +} + +// sourceLookup maps source strings to typed constants. +var sourceLookup = map[string]security.Source{ + "security-hub": security.SourceSecurityHub, + "config": security.SourceConfig, + "inspector": security.SourceInspector, + "guardduty": security.SourceGuardDuty, + "macie": security.SourceMacie, + "access-analyzer": security.SourceAccessAnalyzer, +} + +// parseSourceParam parses the source parameter from tool params. +func parseSourceParam(params map[string]interface{}, defaultSource security.Source) security.Source { + if source, ok := params["source"].(string); ok && source != "" { + if src, ok := sourceLookup[strings.ToLower(source)]; ok { + return src + } + } + return defaultSource +} + +// formatFindingsOutput creates a readable text summary of findings. +func formatFindingsOutput(findings []security.Finding) string { + var sb strings.Builder + fmt.Fprintf(&sb, "Security Findings (%d total):\n\n", len(findings)) + + for i := range findings { + f := &findings[i] + fmt.Fprintf(&sb, "%d. [%s] %s\n", i+1, f.Severity, f.Title) + fmt.Fprintf(&sb, " Resource: %s\n", f.ResourceARN) + fmt.Fprintf(&sb, " Source: %s\n", f.Source) + if f.Mapping != nil && f.Mapping.Mapped { + fmt.Fprintf(&sb, " Component: %s (stack: %s, confidence: %s)\n", + f.Mapping.Component, f.Mapping.Stack, f.Mapping.Confidence) + } + sb.WriteString("\n") + } + + return sb.String() +} + +// RequiresPermission returns whether this tool needs permission. +func (t *ListFindingsTool) RequiresPermission() bool { + return false +} + +// IsRestricted returns whether this tool is always restricted. +func (t *ListFindingsTool) IsRestricted() bool { + return false +} diff --git a/pkg/ai/tools/atmos/setup.go b/pkg/ai/tools/atmos/setup.go index 69d00dcb62..37ccd78a1f 100644 --- a/pkg/ai/tools/atmos/setup.go +++ b/pkg/ai/tools/atmos/setup.go @@ -35,6 +35,10 @@ func registerCoreTools(registry *tools.Registry, atmosConfig *schema.AtmosConfig NewSearchFilesTool(atmosConfig), NewListComponentFilesTool(atmosConfig), NewGetTemplateContextTool(atmosConfig), + NewListFindingsTool(atmosConfig), + NewDescribeFindingTool(atmosConfig), + NewAnalyzeFindingTool(atmosConfig), + NewComplianceReportTool(atmosConfig), } return registerAll(registry, coreTools) } diff --git a/pkg/aws/identity/identity.go b/pkg/aws/identity/identity.go index b4053d8fdd..b72c184c8d 100644 --- a/pkg/aws/identity/identity.go +++ b/pkg/aws/identity/identity.go @@ -324,3 +324,37 @@ func LoadConfig(ctx context.Context, region string, roleArn string, assumeRoleDu return LoadConfigWithAuth(ctx, region, roleArn, assumeRoleDuration, nil) } + +// ValidateAWSCredentials performs an early check that AWS credentials are available and valid. +// Uses STS GetCallerIdentity which is lightweight and always works if credentials are valid. +// If authCtx is provided, credentials from the Atmos Auth identity are used. + +// getCallerIdentityFn is the function used by ValidateAWSCredentials. Overridable in tests. +var getCallerIdentityFn = GetCallerIdentity + +func ValidateAWSCredentials(ctx context.Context, region string, authCtx *schema.AWSAuthContext) error { + defer perf.Track(nil, "identity.ValidateAWSCredentials")() + + log.Debug("Validating AWS credentials via STS GetCallerIdentity") + + callerIdentity, err := getCallerIdentityFn(ctx, region, "", 0, authCtx) + if err != nil { + hint := "Ensure AWS credentials are configured (e.g., via environment variables, ~/.aws/credentials, or SSO)" + if authCtx != nil { + hint = "Run `atmos auth login` to refresh credentials for the configured identity" + } + return errUtils.Build(errUtils.ErrAWSCredentialsNotValid). + WithExplanation(fmt.Sprintf("Unable to verify AWS credentials: %s", err)). + WithHint(hint). + WithHint("Run `aws sts get-caller-identity` to verify your credentials"). + WithExitCode(1). + Err() + } + + log.Debug("AWS credentials validated successfully", + "account", callerIdentity.Account, + "arn", callerIdentity.Arn, + ) + + return nil +} diff --git a/pkg/aws/identity/validate_test.go b/pkg/aws/identity/validate_test.go new file mode 100644 index 0000000000..747d8f9fbd --- /dev/null +++ b/pkg/aws/identity/validate_test.go @@ -0,0 +1,52 @@ +package identity + +import ( + "context" + "errors" + "testing" + "time" + + "github.com/stretchr/testify/require" + + errUtils "github.com/cloudposse/atmos/errors" + "github.com/cloudposse/atmos/pkg/schema" +) + +func TestValidateAWSCredentials_Success(t *testing.T) { + // Override the identity function to return success. + original := getCallerIdentityFn + getCallerIdentityFn = func(_ context.Context, _ string, _ string, _ time.Duration, _ *schema.AWSAuthContext) (*CallerIdentity, error) { + return &CallerIdentity{Account: "123456789012", Arn: "arn:aws:iam::123456789012:user/test"}, nil + } + t.Cleanup(func() { getCallerIdentityFn = original }) + + err := ValidateAWSCredentials(context.Background(), "us-east-1", nil) + require.NoError(t, err) +} + +func TestValidateAWSCredentials_Error_NoAuthCtx(t *testing.T) { + // Override to return error — no auth context gives default hint. + original := getCallerIdentityFn + getCallerIdentityFn = func(_ context.Context, _ string, _ string, _ time.Duration, _ *schema.AWSAuthContext) (*CallerIdentity, error) { + return nil, errors.New("no credentials found") + } + t.Cleanup(func() { getCallerIdentityFn = original }) + + err := ValidateAWSCredentials(context.Background(), "", nil) + require.Error(t, err) + require.ErrorIs(t, err, errUtils.ErrAWSCredentialsNotValid) +} + +func TestValidateAWSCredentials_Error_WithAuthCtx(t *testing.T) { + // Override to return error — with auth context. + original := getCallerIdentityFn + getCallerIdentityFn = func(_ context.Context, _ string, _ string, _ time.Duration, _ *schema.AWSAuthContext) (*CallerIdentity, error) { + return nil, errors.New("expired token") + } + t.Cleanup(func() { getCallerIdentityFn = original }) + + authCtx := &schema.AWSAuthContext{Profile: "test"} + err := ValidateAWSCredentials(context.Background(), "us-west-2", authCtx) + require.Error(t, err) + require.ErrorIs(t, err, errUtils.ErrAWSCredentialsNotValid) +} diff --git a/pkg/aws/security/analyzer.go b/pkg/aws/security/analyzer.go new file mode 100644 index 0000000000..194eeae2a8 --- /dev/null +++ b/pkg/aws/security/analyzer.go @@ -0,0 +1,518 @@ +package security + +import ( + "context" + _ "embed" + "errors" + "fmt" + "os" + "path/filepath" + "strings" + "time" + + errUtils "github.com/cloudposse/atmos/errors" + ai "github.com/cloudposse/atmos/pkg/ai" + "github.com/cloudposse/atmos/pkg/ai/registry" + "github.com/cloudposse/atmos/pkg/ai/tools" + "github.com/cloudposse/atmos/pkg/ai/types" + log "github.com/cloudposse/atmos/pkg/logger" + "github.com/cloudposse/atmos/pkg/perf" + "github.com/cloudposse/atmos/pkg/retry" + "github.com/cloudposse/atmos/pkg/schema" +) + +//go:embed markdown/skill_prompt.md +var skillPrompt string + +// FindingAnalyzer provides AI-powered analysis of security findings. +type FindingAnalyzer interface { + // AnalyzeFinding analyzes a single finding with component context. + AnalyzeFinding(ctx context.Context, finding *Finding, componentSource string, stackConfig string) (*Remediation, error) + + // AnalyzeFindings analyzes multiple findings in batch, grouping by component. + AnalyzeFindings(ctx context.Context, findings []Finding) ([]Finding, error) +} + +// maxAnalysisIterations is the maximum tool call iterations for multi-turn analysis. +const maxAnalysisIterations = 10 + +// AI retry configuration for transient errors (529 overload, timeouts). +const ( + aiRetryMaxAttempts = 3 + aiRetryBaseDelay = 2 * time.Second + aiRetryMaxDelay = 15 * time.Second + aiRetryJitter = 0.3 +) + +// aiAnalyzer implements FindingAnalyzer using an AI client for root cause analysis and remediation. +type aiAnalyzer struct { + client registry.Client + atmosConfig *schema.AtmosConfiguration + toolRegistry *tools.Registry // Tool registry for multi-turn analysis (API providers). + toolExecutor *tools.Executor // Tool executor for running tool calls. +} + +// NewFindingAnalyzer creates a FindingAnalyzer backed by the configured AI provider. +// If toolRegistry and toolExecutor are provided, API providers use multi-turn tool analysis. +// CLI providers always fall back to single-prompt mode with pre-fetched context. +func NewFindingAnalyzer(ctx context.Context, atmosConfig *schema.AtmosConfiguration, toolRegistry *tools.Registry, toolExecutor *tools.Executor) (FindingAnalyzer, error) { + defer perf.Track(nil, "security.NewFindingAnalyzer")() + + client, err := ai.NewClientWithContext(ctx, atmosConfig) + if err != nil { + return nil, fmt.Errorf("failed to create AI client for security analysis: %w", err) + } + + return &aiAnalyzer{ + client: client, + atmosConfig: atmosConfig, + toolRegistry: toolRegistry, + toolExecutor: toolExecutor, + }, nil +} + +// newFindingAnalyzerWithClient creates a FindingAnalyzer with a pre-built client (for testing). +func newFindingAnalyzerWithClient(client registry.Client, atmosConfig *schema.AtmosConfiguration) FindingAnalyzer { + return &aiAnalyzer{ + client: client, + atmosConfig: atmosConfig, + } +} + +// AnalyzeFinding analyzes a single finding with component context and returns AI-generated remediation. +// Retries automatically on transient errors (API overload, timeouts). +func (a *aiAnalyzer) AnalyzeFinding(ctx context.Context, finding *Finding, componentSource string, stackConfig string) (*Remediation, error) { + defer perf.Track(nil, "security.aiAnalyzer.AnalyzeFinding")() + + prompt := buildAnalysisPrompt(finding, componentSource, stackConfig) + + var result *Remediation + retryCfg := aiRetryConfig() + + err := retry.WithPredicate(ctx, &retryCfg, func() error { + var analyzeErr error + // Try multi-turn tool analysis for API providers. + if a.toolRegistry != nil && a.toolExecutor != nil { + result, analyzeErr = a.analyzeWithTools(ctx, finding, prompt) + } else { + // Fall back to single-prompt analysis (CLI providers or no tools). + result, analyzeErr = a.analyzeSimple(ctx, finding, prompt) + } + return analyzeErr + }, isRetryableAIError) + + return result, err +} + +// aiRetryConfig returns the retry configuration for AI analysis calls. +func aiRetryConfig() schema.RetryConfig { + maxAttempts := aiRetryMaxAttempts + baseDelay := aiRetryBaseDelay + maxDelay := aiRetryMaxDelay + multiplier := 2.0 + jitter := aiRetryJitter + return schema.RetryConfig{ + MaxAttempts: &maxAttempts, + BackoffStrategy: schema.BackoffExponential, + InitialDelay: &baseDelay, + MaxDelay: &maxDelay, + Multiplier: &multiplier, + RandomJitter: &jitter, + } +} + +// isRetryableAIError returns true for transient AI errors that warrant a retry. +func isRetryableAIError(err error) bool { + if err == nil { + return false + } + msg := err.Error() + // Anthropic 529 (overloaded). + if strings.Contains(msg, "529") || strings.Contains(msg, "overloaded") { + log.Debug("AI call failed with transient error, retrying", "error", msg) + return true + } + // Rate limit. + if strings.Contains(msg, "429") || strings.Contains(msg, "rate limit") { + log.Debug("AI call rate limited, retrying", "error", msg) + return true + } + // Server errors. + if strings.Contains(msg, "500") || strings.Contains(msg, "502") || strings.Contains(msg, "503") { + log.Debug("AI call got server error, retrying", "error", msg) + return true + } + return false +} + +// analyzeWithTools uses multi-turn tool execution for API providers. +// The AI can call atmos_describe_component, read_component_file, etc. to gather more data. +func (a *aiAnalyzer) analyzeWithTools(ctx context.Context, finding *Finding, prompt string) (*Remediation, error) { + availableTools := a.toolExecutor.ListTools() + if len(availableTools) == 0 { + return a.analyzeSimple(ctx, finding, prompt) + } + + log.Debug("Using multi-turn tool analysis", "tools", len(availableTools), "finding", finding.ID) + + messages := []types.Message{ + {Role: types.RoleUser, Content: prompt}, + } + + var finalResponse string + for iteration := 0; iteration < maxAnalysisIterations; iteration++ { + response, err := a.client.SendMessageWithSystemPromptAndTools(ctx, skillPrompt, "", messages, availableTools) + if err != nil { + // If tools are not supported (CLI provider), fall back to simple. + if isToolsNotSupported(err) { + log.Debug("Provider does not support tools, falling back to simple analysis") + return a.analyzeSimple(ctx, finding, prompt) + } + return nil, fmt.Errorf("AI analysis failed for finding %s (iteration %d): %w", finding.ID, iteration, err) + } + + // If the AI wants to call tools, execute them and continue. + if response.StopReason == types.StopReasonToolUse && len(response.ToolCalls) > 0 { + messages = a.handleToolCalls(ctx, response, messages) + continue + } + + // Final response — AI is done. + finalResponse = response.Content + break + } + + if finalResponse == "" { + return nil, fmt.Errorf("%w: empty response for finding %s", errUtils.ErrAWSSecurityAnalysisFailed, finding.ID) + } + + return parseRemediationResponse(finalResponse, finding), nil +} + +// handleToolCalls executes tool calls and appends results to the conversation. +func (a *aiAnalyzer) handleToolCalls(ctx context.Context, response *types.Response, messages []types.Message) []types.Message { + // Add the assistant's response (with tool calls) to history. + messages = append(messages, types.Message{ + Role: types.RoleAssistant, + Content: response.Content, + }) + + // Execute each tool call and add results. + for _, tc := range response.ToolCalls { + log.Debug("Executing tool call", "tool", tc.Name, "finding_analysis", true) + + result, err := a.toolExecutor.Execute(ctx, tc.Name, tc.Input) + var resultContent string + if err != nil { + resultContent = fmt.Sprintf("Tool execution failed: %s", err) + } else if result != nil { + resultContent = result.Output + } + + // Add tool result as a user message with tool call context. + messages = append(messages, types.Message{ + Role: types.RoleUser, + Content: fmt.Sprintf("[Tool result for %s (call %s)]\n\n%s", tc.Name, tc.ID, resultContent), + }) + } + + return messages +} + +// isToolsNotSupported checks if the error indicates the provider doesn't support tools. +func isToolsNotSupported(err error) bool { + return err != nil && (errors.Is(err, errUtils.ErrCLIProviderToolsNotSupported) || + strings.Contains(err.Error(), "not supported")) +} + +// analyzeSimple uses a single prompt with pre-fetched context (CLI providers or no tools). +func (a *aiAnalyzer) analyzeSimple(ctx context.Context, finding *Finding, prompt string) (*Remediation, error) { + response, err := a.client.SendMessage(ctx, skillPrompt+"\n\n---\n\n"+prompt) + if err != nil { + return nil, fmt.Errorf("AI analysis failed for finding %s: %w", finding.ID, err) + } + + return parseRemediationResponse(response, finding), nil +} + +// AnalyzeFindings analyzes multiple findings in batch, skipping unmapped findings. +// Duplicate findings (same title + component) are analyzed once and share the remediation. +func (a *aiAnalyzer) AnalyzeFindings(ctx context.Context, findings []Finding) ([]Finding, error) { + defer perf.Track(nil, "security.aiAnalyzer.AnalyzeFindings")() + + // Cache remediation results by dedup key to avoid redundant AI calls. + remediationCache := make(map[string]*Remediation) + + for i := range findings { + // Skip findings that are not mapped to a component. + if findings[i].Mapping == nil || !findings[i].Mapping.Mapped { + continue + } + + // Check if we already analyzed an identical finding (same title + component + stack). + key := findingDedupKey(&findings[i]) + if cached, ok := remediationCache[key]; ok { + log.Debug("Reusing cached AI analysis for duplicate finding", + "finding_id", findings[i].ID, "dedup_key", key) + findings[i].Remediation = cached + continue + } + + componentSource := readComponentSource(findings[i].Mapping.ComponentPath) + stackConfig := formatStackInfo(findings[i].Mapping) + + remediation, err := a.AnalyzeFinding(ctx, &findings[i], componentSource, stackConfig) + if err != nil { + // Log error but continue with remaining findings. + remediation = &Remediation{ + Description: fmt.Sprintf("AI analysis failed: %s", err.Error()), + RiskLevel: "unknown", + } + } + findings[i].Remediation = remediation + remediationCache[key] = remediation + } + + return findings, nil +} + +// findingDedupKey returns a key for deduplicating findings before AI analysis. +// Findings with the same title, component, and stack share the same root cause and remediation. +func findingDedupKey(f *Finding) string { + component := "" + stack := "" + if f.Mapping != nil { + component = f.Mapping.Component + stack = f.Mapping.Stack + } + return f.Title + "|" + component + "|" + stack +} + +// buildAnalysisPrompt constructs the data portion of the AI prompt for analyzing a security finding. +func buildAnalysisPrompt(finding *Finding, componentSource string, stackConfig string) string { + var sb strings.Builder + + sb.WriteString("Analyze this AWS security finding and provide structured remediation.\n\n") + sb.WriteString("You have access to Atmos tools. Use them to gather more context:\n") + sb.WriteString("- `atmos_describe_component` — get full resolved config for a component in a stack\n") + sb.WriteString("- `read_component_file` — read any file from a Terraform component\n") + sb.WriteString("- `read_stack_file` — read a stack configuration file\n") + sb.WriteString("- `atmos_list_stacks` — list all stacks\n\n") + + // Finding details. + sb.WriteString("## Security Finding\n\n") + fmt.Fprintf(&sb, "**ID:** %s\n", finding.ID) + fmt.Fprintf(&sb, "**Title:** %s\n", finding.Title) + fmt.Fprintf(&sb, "**Severity:** %s\n", finding.Severity) + fmt.Fprintf(&sb, "**Source:** %s\n", finding.Source) + fmt.Fprintf(&sb, "**Resource ARN:** %s\n", finding.ResourceARN) + fmt.Fprintf(&sb, "**Resource Type:** %s\n", finding.ResourceType) + fmt.Fprintf(&sb, "**Description:** %s\n\n", finding.Description) + + if finding.ComplianceStandard != "" { + fmt.Fprintf(&sb, "**Compliance Standard:** %s\n\n", finding.ComplianceStandard) + } + + // Component mapping info. + if finding.Mapping != nil && finding.Mapping.Mapped { + sb.WriteString("## Atmos Component Mapping\n\n") + fmt.Fprintf(&sb, "**Component:** %s\n", finding.Mapping.Component) + fmt.Fprintf(&sb, "**Stack:** %s\n", finding.Mapping.Stack) + if finding.Mapping.ComponentPath != "" { + fmt.Fprintf(&sb, "**Component Path:** %s\n", finding.Mapping.ComponentPath) + } + sb.WriteString("\n") + } + + // Component source code (pre-fetched for single-prompt mode). + if componentSource != "" { + sb.WriteString("## Component Source Code (Terraform)\n\n") + sb.WriteString("```hcl\n") + sb.WriteString(componentSource) + sb.WriteString("\n```\n\n") + } + + // Stack configuration (pre-fetched for single-prompt mode). + if stackConfig != "" { + sb.WriteString("## Stack Configuration\n\n") + sb.WriteString("```yaml\n") + sb.WriteString(stackConfig) + sb.WriteString("\n```\n\n") + } + + return sb.String() +} + +// parseRemediationResponse parses an AI response into a structured Remediation. +func parseRemediationResponse(response string, finding *Finding) *Remediation { + remediation := &Remediation{ + Description: response, + RootCause: extractFirstMatch(response, "### Root Cause", "**Root Cause:**", "Root Cause:"), + StackChanges: extractFirstMatch(response, "### Stack Changes"), + RiskLevel: normalizeRiskLevel(extractFirstMatch(response, "### Risk", "**Risk:**", "Risk:")), + DeployCommand: extractAtmosCommand(extractFirstMatch(response, "### Deploy", "**Deploy:**", "Deploy:")), + } + + // Parse steps from structured or legacy format. + if steps := extractFirstMatch(response, "### Steps", "**Remediation:**"); steps != "" { + remediation.Steps = parseListItems(steps) + } + + // Parse references. + if refs := extractFirstMatch(response, "### References"); refs != "" { + remediation.References = parseListItems(refs) + } + + // Fall back to constructing the deploy command from the mapping. + if remediation.DeployCommand == "" && finding.Mapping != nil && finding.Mapping.Mapped { + remediation.DeployCommand = fmt.Sprintf("atmos terraform apply %s -s %s", + finding.Mapping.Component, finding.Mapping.Stack) + } + + return remediation +} + +// extractFirstMatch tries multiple section headers and returns the first non-empty match. +func extractFirstMatch(text string, headers ...string) string { + for _, header := range headers { + if section := extractSection(text, header); section != "" { + return section + } + } + return "" +} + +// maxNumberedPrefixLen is the max digits before ". " in a numbered list item. +const maxNumberedPrefixLen = 5 + +// newlineSep is the newline separator used for splitting text. +const newlineSep = "\n" + +// parseListItems extracts items from numbered lists or bullet lists. +func parseListItems(text string) []string { + var items []string + for _, line := range strings.Split(text, newlineSep) { + if item := extractListItem(strings.TrimSpace(line)); item != "" { + items = append(items, item) + } + } + return items +} + +// extractListItem strips list prefixes from a line. Returns empty for non-list lines. +func extractListItem(line string) string { + if line == "" { + return "" + } + if len(line) > 2 && line[0] >= '0' && line[0] <= '9' { + if idx := strings.Index(line, ". "); idx != -1 && idx < maxNumberedPrefixLen { + return strings.TrimSpace(line[idx+2:]) + } + } + if strings.HasPrefix(line, "- ") || strings.HasPrefix(line, "* ") { + return strings.TrimSpace(line[2:]) + } + return "" +} + +// extractSection extracts text following a header up to the next section header. +func extractSection(text string, header string) string { + idx := strings.Index(text, header) + if idx == -1 { + return "" + } + + content := text[idx+len(header):] + endMarkers := []string{ + "### Root Cause", "### Steps", "### Code Changes", "### Stack Changes", + "### Deploy", "### Risk", "### References", + "**Root Cause:**", "**Remediation:**", "**Deploy:**", "**Risk:**", + "Root Cause:", "Remediation:", "Deploy:", "Risk:", + } + endIdx := len(content) + for _, marker := range endMarkers { + if marker == header { + continue + } + if markerIdx := strings.Index(content, marker); markerIdx != -1 && markerIdx < endIdx { + endIdx = markerIdx + } + } + + return strings.TrimSpace(content[:endIdx]) +} + +// extractAtmosCommand finds an atmos command in the text. +func extractAtmosCommand(text string) string { + lines := strings.Split(text, newlineSep) + for _, line := range lines { + line = strings.TrimSpace(line) + line = strings.Trim(line, "`") + line = strings.TrimSpace(line) + if strings.HasPrefix(line, "atmos ") { + return line + } + } + return strings.TrimSpace(text) +} + +// normalizeRiskLevel normalizes a risk level string to low, medium, or high. +func normalizeRiskLevel(text string) string { + lower := strings.ToLower(strings.TrimSpace(text)) + switch { + case strings.Contains(lower, "high"): + return "high" + case strings.Contains(lower, "medium"): + return "medium" + case strings.Contains(lower, "low"): + return "low" + default: + return strings.TrimSpace(text) + } +} + +// readComponentSource reads main.tf from a component path. +func readComponentSource(componentPath string) string { + if componentPath == "" { + return "" + } + mainTF := filepath.Join(componentPath, "main.tf") + content, err := readFileContent(mainTF) + if err != nil { + return "" + } + const maxSourceLength = 10000 + if len(content) > maxSourceLength { + content = content[:maxSourceLength] + "\n... (truncated)" + } + return content +} + +// readFileContent reads a file and returns its content as a string. +func readFileContent(path string) (string, error) { + cleanPath := filepath.Clean(path) + data, err := readFile(cleanPath) + if err != nil { + return "", err + } + return string(data), nil +} + +// readFile is a variable to allow test overrides. +var readFile = os.ReadFile + +// formatStackInfo formats component mapping into a stack configuration summary. +func formatStackInfo(mapping *ComponentMapping) string { + if mapping == nil { + return "" + } + var sb strings.Builder + fmt.Fprintf(&sb, "component: %s\n", mapping.Component) + fmt.Fprintf(&sb, "stack: %s\n", mapping.Stack) + if mapping.Workspace != "" { + fmt.Fprintf(&sb, "workspace: %s\n", mapping.Workspace) + } + fmt.Fprintf(&sb, "confidence: %s\n", mapping.Confidence) + fmt.Fprintf(&sb, "method: %s\n", mapping.Method) + return sb.String() +} diff --git a/pkg/aws/security/analyzer_test.go b/pkg/aws/security/analyzer_test.go new file mode 100644 index 0000000000..9c57590a4e --- /dev/null +++ b/pkg/aws/security/analyzer_test.go @@ -0,0 +1,1224 @@ +package security + +import ( + "context" + "encoding/json" + "errors" + "fmt" + "os" + "path/filepath" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + errUtils "github.com/cloudposse/atmos/errors" + "github.com/cloudposse/atmos/pkg/ai/tools" + "github.com/cloudposse/atmos/pkg/ai/types" + "github.com/cloudposse/atmos/pkg/schema" +) + +// mockAIClient implements registry.Client for testing. +type mockAIClient struct { + response string + err error +} + +func (m *mockAIClient) SendMessage(_ context.Context, _ string) (string, error) { + return m.response, m.err +} + +func (m *mockAIClient) SendMessageWithTools(_ context.Context, _ string, _ []tools.Tool) (*types.Response, error) { + return &types.Response{Content: m.response}, m.err +} + +func (m *mockAIClient) SendMessageWithHistory(_ context.Context, _ []types.Message) (string, error) { + return m.response, m.err +} + +func (m *mockAIClient) SendMessageWithToolsAndHistory(_ context.Context, _ []types.Message, _ []tools.Tool) (*types.Response, error) { + return &types.Response{Content: m.response}, m.err +} + +func (m *mockAIClient) SendMessageWithSystemPromptAndTools(_ context.Context, _ string, _ string, _ []types.Message, _ []tools.Tool) (*types.Response, error) { + return &types.Response{Content: m.response}, m.err +} + +func (m *mockAIClient) GetModel() string { + return "test-model" +} + +func (m *mockAIClient) GetMaxTokens() int { + return 4096 +} + +func TestAnalyzeFinding_Success(t *testing.T) { + mockResponse := `**Root Cause:** The S3 bucket does not have server-side encryption enabled in the Terraform configuration. + +**Remediation:** Add an aws_s3_bucket_server_side_encryption_configuration resource to the component source code. + +**Deploy:** ` + "`atmos terraform apply s3-bucket -s ue2-dev`" + ` + +**Risk:** Low - enabling encryption is a non-destructive change.` + + client := &mockAIClient{response: mockResponse} + analyzer := newFindingAnalyzerWithClient(client, &schema.AtmosConfiguration{}) + + finding := &Finding{ + ID: "finding-001", + Title: "S3 bucket without encryption", + Description: "The S3 bucket does not have encryption enabled.", + Severity: SeverityHigh, + Source: SourceSecurityHub, + ResourceARN: "arn:aws:s3:::my-bucket", + Mapping: &ComponentMapping{ + Component: "s3-bucket", + Stack: "ue2-dev", + Mapped: true, + }, + } + + remediation, err := analyzer.AnalyzeFinding(context.Background(), finding, "resource \"aws_s3_bucket\" {}", "component: s3-bucket") + require.NoError(t, err) + assert.NotNil(t, remediation) + assert.Contains(t, remediation.Description, "Root Cause:") + assert.Contains(t, remediation.RootCause, "S3 bucket") + assert.Equal(t, "atmos terraform apply s3-bucket -s ue2-dev", remediation.DeployCommand) + assert.Equal(t, "low", remediation.RiskLevel) +} + +func TestAnalyzeFinding_AIError(t *testing.T) { + client := &mockAIClient{err: errors.New("AI provider unavailable")} + analyzer := newFindingAnalyzerWithClient(client, &schema.AtmosConfiguration{}) + + finding := &Finding{ + ID: "finding-002", + Title: "Test finding", + Severity: SeverityMedium, + } + + remediation, err := analyzer.AnalyzeFinding(context.Background(), finding, "", "") + assert.Error(t, err) + assert.Nil(t, remediation) + assert.Contains(t, err.Error(), "AI analysis failed") + assert.Contains(t, err.Error(), "AI provider unavailable") +} + +func TestBuildAnalysisPrompt(t *testing.T) { + finding := &Finding{ + ID: "finding-003", + Title: "Unencrypted EBS volume", + Description: "EBS volume is not encrypted.", + Severity: SeverityCritical, + Source: SourceInspector, + ResourceARN: "arn:aws:ec2:us-east-1:123456789012:volume/vol-abc123", + ResourceType: "AwsEc2Volume", + ComplianceStandard: "CIS AWS 1.4", + Mapping: &ComponentMapping{ + Component: "ebs-volume", + Stack: "ue1-prod", + ComponentPath: "/components/terraform/ebs-volume", + Mapped: true, + }, + } + + prompt := buildAnalysisPrompt(finding, "resource \"aws_ebs_volume\" {}", "component: ebs-volume\nstack: ue1-prod") + + // Verify prompt contains finding details. + assert.Contains(t, prompt, "finding-003") + assert.Contains(t, prompt, "Unencrypted EBS volume") + assert.Contains(t, prompt, "CRITICAL") + assert.Contains(t, prompt, "inspector") + assert.Contains(t, prompt, "AwsEc2Volume") + assert.Contains(t, prompt, "CIS AWS 1.4") + + // Verify prompt contains component source. + assert.Contains(t, prompt, "aws_ebs_volume") + + // Verify prompt contains stack config. + assert.Contains(t, prompt, "component: ebs-volume") + assert.Contains(t, prompt, "stack: ue1-prod") + + // Verify prompt contains structured analysis request. + assert.Contains(t, prompt, "Analyze this AWS security finding") + assert.Contains(t, prompt, "structured remediation") +} + +func TestBuildAnalysisPrompt_NoMapping(t *testing.T) { + finding := &Finding{ + ID: "finding-004", + Title: "Open security group", + Description: "Security group allows unrestricted ingress.", + Severity: SeverityHigh, + Source: SourceSecurityHub, + ResourceARN: "arn:aws:ec2:us-east-1:123456789012:security-group/sg-123", + } + + prompt := buildAnalysisPrompt(finding, "", "") + + // Should not contain component mapping section. + assert.NotContains(t, prompt, "## Atmos Component Mapping") + assert.NotContains(t, prompt, "## Component Source Code") + assert.NotContains(t, prompt, "## Stack Configuration") +} + +func TestParseRemediationResponse(t *testing.T) { + tests := []struct { + name string + response string + expectedRoot string + expectedDeploy string + expectedRisk string + }{ + { + name: "full structured response with bold headers", + response: `**Root Cause:** Missing encryption configuration in the S3 bucket resource. + +**Remediation:** Add server-side encryption block to the Terraform config. + +**Deploy:** ` + "`atmos terraform apply s3-bucket -s ue2-dev`" + ` + +**Risk:** Low - non-destructive change.`, + expectedRoot: "Missing encryption configuration in the S3 bucket resource.", + expectedDeploy: "atmos terraform apply s3-bucket -s ue2-dev", + expectedRisk: "low", + }, + { + name: "plain headers", + response: `Root Cause: IAM policy is too permissive. + +Remediation: Restrict the IAM policy to specific resources. + +Deploy: atmos terraform apply iam-role -s ue1-prod + +Risk: High - changing IAM policies can break access.`, + expectedRoot: "IAM policy is too permissive.", + expectedDeploy: "atmos terraform apply iam-role -s ue1-prod", + expectedRisk: "high", + }, + { + name: "unstructured response", + response: "This finding indicates a misconfigured security group. You should restrict ingress rules.", + expectedRoot: "", + expectedDeploy: "atmos terraform apply sg -s ue2-staging", + expectedRisk: "", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + finding := &Finding{ + ID: "test-finding", + Mapping: &ComponentMapping{ + Component: "sg", + Stack: "ue2-staging", + Mapped: true, + }, + } + + remediation := parseRemediationResponse(tt.response, finding) + + assert.Equal(t, tt.response, remediation.Description) + + if tt.expectedRoot != "" { + assert.Equal(t, tt.expectedRoot, remediation.RootCause) + } + + assert.Equal(t, tt.expectedDeploy, remediation.DeployCommand) + + if tt.expectedRisk != "" { + assert.Equal(t, tt.expectedRisk, remediation.RiskLevel) + } + }) + } +} + +func TestAnalyzeFindings_SkipsUnmapped(t *testing.T) { + callCount := 0 + client := &mockAIClient{ + response: "**Root Cause:** Test\n\n**Risk:** Low", + } + + // Override SendMessage to count calls. + originalSend := client.response + analyzer := &aiAnalyzer{ + client: client, + atmosConfig: &schema.AtmosConfiguration{}, + } + + // Override readFile to avoid filesystem access. + originalReadFile := readFile + readFile = func(_ string) ([]byte, error) { + return []byte("resource \"aws_s3_bucket\" {}"), nil + } + t.Cleanup(func() { readFile = originalReadFile }) + + // Create a counting wrapper. + countingClient := &countingMockClient{ + inner: client, + callCount: &callCount, + } + analyzer.client = countingClient + _ = originalSend + + findings := []Finding{ + { + ID: "mapped-finding", + Title: "Mapped finding", + Severity: SeverityHigh, + Mapping: &ComponentMapping{ + Component: "vpc", + Stack: "ue2-dev", + ComponentPath: "/components/terraform/vpc", + Mapped: true, + }, + }, + { + ID: "unmapped-finding", + Title: "Unmapped finding", + Severity: SeverityMedium, + Mapping: &ComponentMapping{ + Mapped: false, + }, + }, + { + ID: "nil-mapping-finding", + Title: "No mapping at all", + Severity: SeverityLow, + // Mapping is nil. + }, + } + + result, err := analyzer.AnalyzeFindings(context.Background(), findings) + require.NoError(t, err) + assert.Len(t, result, 3) + + // Only the mapped finding should have been sent to AI. + assert.Equal(t, 1, *countingClient.callCount) + + // Mapped finding should have remediation. + assert.NotNil(t, result[0].Remediation) + + // Unmapped findings should not have remediation. + assert.Nil(t, result[1].Remediation) + assert.Nil(t, result[2].Remediation) +} + +// countingMockClient wraps a mockAIClient and counts SendMessage calls. +type countingMockClient struct { + inner *mockAIClient + callCount *int +} + +func (c *countingMockClient) SendMessage(ctx context.Context, message string) (string, error) { + *c.callCount++ + return c.inner.SendMessage(ctx, message) +} + +func (c *countingMockClient) SendMessageWithTools(ctx context.Context, message string, availableTools []tools.Tool) (*types.Response, error) { + return c.inner.SendMessageWithTools(ctx, message, availableTools) +} + +func (c *countingMockClient) SendMessageWithHistory(ctx context.Context, messages []types.Message) (string, error) { + return c.inner.SendMessageWithHistory(ctx, messages) +} + +func (c *countingMockClient) SendMessageWithToolsAndHistory(ctx context.Context, messages []types.Message, availableTools []tools.Tool) (*types.Response, error) { + return c.inner.SendMessageWithToolsAndHistory(ctx, messages, availableTools) +} + +func (c *countingMockClient) SendMessageWithSystemPromptAndTools(ctx context.Context, systemPrompt string, atmosMemory string, messages []types.Message, availableTools []tools.Tool) (*types.Response, error) { + return c.inner.SendMessageWithSystemPromptAndTools(ctx, systemPrompt, atmosMemory, messages, availableTools) +} + +func (c *countingMockClient) GetModel() string { + return c.inner.GetModel() +} + +func (c *countingMockClient) GetMaxTokens() int { + return c.inner.GetMaxTokens() +} + +func TestReadComponentSource(t *testing.T) { + // Override readFile for testing. + originalReadFile := readFile + t.Cleanup(func() { readFile = originalReadFile }) + + t.Run("empty path returns empty string", func(t *testing.T) { + result := readComponentSource("") + assert.Empty(t, result) + }) + + t.Run("reads main.tf content", func(t *testing.T) { + compPath := filepath.Join("components", "terraform", "vpc") + expectedPath := filepath.Join(compPath, "main.tf") + readFile = func(path string) ([]byte, error) { + if filepath.Clean(path) == filepath.Clean(expectedPath) { + return []byte("resource \"aws_vpc\" \"main\" {}"), nil + } + return nil, os.ErrNotExist + } + + result := readComponentSource(compPath) + assert.Equal(t, "resource \"aws_vpc\" \"main\" {}", result) + }) + + t.Run("returns empty on file not found", func(t *testing.T) { + readFile = func(_ string) ([]byte, error) { + return nil, os.ErrNotExist + } + + result := readComponentSource(filepath.Join("nonexistent", "path")) + assert.Empty(t, result) + }) + + t.Run("truncates large files", func(t *testing.T) { + largeContent := make([]byte, 15000) + for i := range largeContent { + largeContent[i] = 'a' + } + readFile = func(_ string) ([]byte, error) { + return largeContent, nil + } + + result := readComponentSource(filepath.Join("components", "terraform", "large")) + assert.Contains(t, result, "... (truncated)") + assert.Less(t, len(result), 15000) + }) +} + +func TestFormatStackInfo(t *testing.T) { + t.Run("nil mapping returns empty", func(t *testing.T) { + result := formatStackInfo(nil) + assert.Empty(t, result) + }) + + t.Run("formats mapping with all fields", func(t *testing.T) { + mapping := &ComponentMapping{ + Component: "vpc", + Stack: "ue2-dev", + Workspace: "dev", + Confidence: ConfidenceExact, + Method: "tag", + } + + result := formatStackInfo(mapping) + assert.Contains(t, result, "component: vpc") + assert.Contains(t, result, "stack: ue2-dev") + assert.Contains(t, result, "workspace: dev") + assert.Contains(t, result, "confidence: exact") + assert.Contains(t, result, "method: tag") + }) + + t.Run("omits workspace when empty", func(t *testing.T) { + mapping := &ComponentMapping{ + Component: "s3", + Stack: "ue1-prod", + Confidence: ConfidenceHigh, + Method: "state", + } + + result := formatStackInfo(mapping) + assert.NotContains(t, result, "workspace:") + }) +} + +func TestExtractSection(t *testing.T) { + text := `**Root Cause:** The bucket is public. + +**Remediation:** Set the bucket ACL to private. + +**Deploy:** atmos terraform apply s3 -s ue2-dev + +**Risk:** Medium` + + rootCause := extractSection(text, "**Root Cause:**") + assert.Equal(t, "The bucket is public.", rootCause) + + deploy := extractSection(text, "**Deploy:**") + assert.Equal(t, "atmos terraform apply s3 -s ue2-dev", deploy) + + risk := extractSection(text, "**Risk:**") + assert.Equal(t, "Medium", risk) + + missing := extractSection(text, "**Missing:**") + assert.Empty(t, missing) +} + +func TestNormalizeRiskLevel(t *testing.T) { + assert.Equal(t, "low", normalizeRiskLevel("Low - non-destructive")) + assert.Equal(t, "medium", normalizeRiskLevel("Medium risk")) + assert.Equal(t, "high", normalizeRiskLevel("HIGH - critical change")) + assert.Equal(t, "minimal", normalizeRiskLevel("minimal")) +} + +func TestExtractAtmosCommand(t *testing.T) { + assert.Equal(t, "atmos terraform apply vpc -s ue2-dev", extractAtmosCommand("`atmos terraform apply vpc -s ue2-dev`")) + assert.Equal(t, "atmos terraform apply s3 -s ue1-prod", extractAtmosCommand("Run:\natmos terraform apply s3 -s ue1-prod\nto deploy")) + assert.Equal(t, "just some text", extractAtmosCommand("just some text")) +} + +func TestSkillPromptEmbedded(t *testing.T) { + // Verify the skill prompt is embedded and contains key instructions. + assert.NotEmpty(t, skillPrompt) + assert.Contains(t, skillPrompt, "### Root Cause") + assert.Contains(t, skillPrompt, "### Steps") + assert.Contains(t, skillPrompt, "### Code Changes") + assert.Contains(t, skillPrompt, "### Stack Changes") + assert.Contains(t, skillPrompt, "### Deploy") + assert.Contains(t, skillPrompt, "### Risk") + assert.Contains(t, skillPrompt, "### References") +} + +func TestParseNumberedList(t *testing.T) { + tests := []struct { + name string + input string + expected []string + }{ + { + name: "numbered list", + input: "1. First step\n2. Second step\n3. Third step", + expected: []string{"First step", "Second step", "Third step"}, + }, + { + name: "bullet list", + input: "- First item\n- Second item", + expected: []string{"First item", "Second item"}, + }, + { + name: "asterisk list", + input: "* Item A\n* Item B", + expected: []string{"Item A", "Item B"}, + }, + { + name: "mixed with blank lines", + input: "1. First\n\n2. Second\n\n3. Third", + expected: []string{"First", "Second", "Third"}, + }, + { + name: "empty input", + input: "", + expected: nil, + }, + { + name: "no list format", + input: "Just plain text\nMore text", + expected: nil, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := parseListItems(tt.input) + assert.Equal(t, tt.expected, result) + }) + } +} + +func TestParseReferenceList(t *testing.T) { + input := "- https://docs.aws.amazon.com/s3\n- CIS AWS 1.4 Control 2.1\n- https://example.com" + refs := parseListItems(input) + require.Len(t, refs, 3) + assert.Equal(t, "https://docs.aws.amazon.com/s3", refs[0]) + assert.Equal(t, "CIS AWS 1.4 Control 2.1", refs[1]) +} + +func TestParseRemediationResponse_StructuredFormat(t *testing.T) { + response := `### Root Cause + +The S3 bucket does not have versioning enabled because the component does not set the versioning variable. + +### Steps + +1. Add versioning_enabled variable to the stack configuration +2. Apply the change with atmos + +### Code Changes + +No code changes needed — versioning is controlled by a stack variable. + +### Stack Changes + +` + "```yaml\ncomponents:\n terraform:\n s3-bucket:\n vars:\n versioning_enabled: true\n```" + ` + +### Deploy + +` + "```\natmos terraform apply s3-bucket -s prod-us-east-1\n```" + ` + +### Risk + +low + +### References + +- https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html +- CIS AWS Foundations Benchmark v1.4 - Control 2.1.1` + + finding := &Finding{ + ID: "test-001", + Mapping: &ComponentMapping{ + Component: "s3-bucket", + Stack: "prod-us-east-1", + Mapped: true, + }, + } + + remediation := parseRemediationResponse(response, finding) + + assert.Contains(t, remediation.RootCause, "versioning enabled") + require.Len(t, remediation.Steps, 2) + assert.Equal(t, "Add versioning_enabled variable to the stack configuration", remediation.Steps[0]) + assert.Contains(t, remediation.StackChanges, "versioning_enabled: true") + assert.Equal(t, "atmos terraform apply s3-bucket -s prod-us-east-1", remediation.DeployCommand) + assert.Equal(t, "low", remediation.RiskLevel) + require.Len(t, remediation.References, 2) + assert.Contains(t, remediation.References[0], "docs.aws.amazon.com") +} + +func TestParseRemediationResponse_FallbackFormat(t *testing.T) { + // Old format with bold markers still works. + response := `**Root Cause:** Missing encryption config. + +**Remediation:** Add encryption. + +**Deploy:** ` + "`atmos terraform apply vpc -s prod`" + ` + +**Risk:** Low` + + finding := &Finding{ + ID: "test-002", + Mapping: &ComponentMapping{ + Component: "vpc", + Stack: "prod", + Mapped: true, + }, + } + + remediation := parseRemediationResponse(response, finding) + + assert.Contains(t, remediation.RootCause, "Missing encryption") + assert.Equal(t, "atmos terraform apply vpc -s prod", remediation.DeployCommand) + assert.Equal(t, "low", remediation.RiskLevel) +} + +func TestRemediationSchema_JSONRoundTrip(t *testing.T) { + // Verify the schema survives JSON round-trip with all fields. + remediation := Remediation{ + Description: "Fix S3 versioning", + RootCause: "Versioning not enabled", + Steps: []string{"Update stack vars", "Apply change"}, + CodeChanges: []CodeChange{{FilePath: "main.tf", Before: "old", After: "new"}}, + StackChanges: "vars:\n versioning_enabled: true", + DeployCommand: "atmos terraform apply s3-bucket -s prod", + RiskLevel: "low", + References: []string{"https://docs.aws.amazon.com/s3"}, + } + + data, err := json.Marshal(remediation) + require.NoError(t, err) + + var decoded Remediation + require.NoError(t, json.Unmarshal(data, &decoded)) + + assert.Equal(t, remediation.Description, decoded.Description) + assert.Equal(t, remediation.RootCause, decoded.RootCause) + assert.Equal(t, remediation.Steps, decoded.Steps) + assert.Equal(t, remediation.StackChanges, decoded.StackChanges) + assert.Equal(t, remediation.DeployCommand, decoded.DeployCommand) + assert.Equal(t, remediation.RiskLevel, decoded.RiskLevel) + assert.Equal(t, remediation.References, decoded.References) + require.Len(t, decoded.CodeChanges, 1) +} + +// mockToolAwareClient simulates an API provider that supports tools. +type mockToolAwareClient struct { + responses []string // Responses for each iteration. + callIdx int +} + +func (m *mockToolAwareClient) SendMessage(_ context.Context, _ string) (string, error) { + return m.currentResponse(), nil +} + +func (m *mockToolAwareClient) SendMessageWithTools(_ context.Context, _ string, _ []tools.Tool) (*types.Response, error) { + return &types.Response{Content: m.currentResponse()}, nil +} + +func (m *mockToolAwareClient) SendMessageWithHistory(_ context.Context, _ []types.Message) (string, error) { + return m.currentResponse(), nil +} + +func (m *mockToolAwareClient) SendMessageWithToolsAndHistory(_ context.Context, _ []types.Message, _ []tools.Tool) (*types.Response, error) { + return &types.Response{Content: m.currentResponse()}, nil +} + +func (m *mockToolAwareClient) SendMessageWithSystemPromptAndTools(_ context.Context, _ string, _ string, _ []types.Message, _ []tools.Tool) (*types.Response, error) { + resp := m.currentResponse() + m.callIdx++ + return &types.Response{Content: resp, StopReason: types.StopReasonEndTurn}, nil +} + +func (m *mockToolAwareClient) GetModel() string { return "test-api-model" } +func (m *mockToolAwareClient) GetMaxTokens() int { return 4096 } + +func (m *mockToolAwareClient) currentResponse() string { + if m.callIdx < len(m.responses) { + return m.responses[m.callIdx] + } + return "" +} + +// mockCLIClient simulates a CLI provider that rejects tools. +type mockCLIClient struct { + response string +} + +func (m *mockCLIClient) SendMessage(_ context.Context, _ string) (string, error) { + return m.response, nil +} + +func (m *mockCLIClient) SendMessageWithTools(_ context.Context, _ string, _ []tools.Tool) (*types.Response, error) { + return nil, errUtils.ErrCLIProviderToolsNotSupported +} + +func (m *mockCLIClient) SendMessageWithHistory(_ context.Context, _ []types.Message) (string, error) { + return m.response, nil +} + +func (m *mockCLIClient) SendMessageWithToolsAndHistory(_ context.Context, _ []types.Message, _ []tools.Tool) (*types.Response, error) { + return nil, errUtils.ErrCLIProviderToolsNotSupported +} + +func (m *mockCLIClient) SendMessageWithSystemPromptAndTools(_ context.Context, _ string, _ string, _ []types.Message, _ []tools.Tool) (*types.Response, error) { + return nil, errUtils.ErrCLIProviderToolsNotSupported +} + +func (m *mockCLIClient) GetModel() string { return "claude-code" } +func (m *mockCLIClient) GetMaxTokens() int { return 0 } + +func TestAnalyzeWithTools_APIProvider(t *testing.T) { + client := &mockToolAwareClient{ + responses: []string{"### Root Cause\n\nMissing encryption.\n\n### Risk\n\nlow"}, + } + + analyzer := &aiAnalyzer{ + client: client, + atmosConfig: &schema.AtmosConfiguration{}, + // No tool registry — should still work (falls back to simple). + } + + finding := &Finding{ + ID: "tool-test-001", + Title: "Test finding", + Mapping: &ComponentMapping{ + Component: "vpc", + Stack: "prod", + Mapped: true, + }, + } + + remediation, err := analyzer.AnalyzeFinding(context.Background(), finding, "", "") + require.NoError(t, err) + assert.Contains(t, remediation.RootCause, "Missing encryption") + assert.Equal(t, "low", remediation.RiskLevel) +} + +func TestAnalyzeWithTools_CLIProviderFallback(t *testing.T) { + client := &mockCLIClient{ + response: "### Root Cause\n\nBucket is public.\n\n### Deploy\n\n`atmos terraform apply s3 -s prod`\n\n### Risk\n\nhigh", + } + + // Create a minimal tool registry to trigger the tools path. + reg := tools.NewRegistry() + executor := tools.NewExecutor(reg, nil, 0) + + analyzer := &aiAnalyzer{ + client: client, + atmosConfig: &schema.AtmosConfiguration{}, + toolRegistry: reg, + toolExecutor: executor, + } + + finding := &Finding{ + ID: "cli-test-001", + Title: "S3 public bucket", + Mapping: &ComponentMapping{ + Component: "s3", + Stack: "prod", + Mapped: true, + }, + } + + // CLI provider rejects tools → falls back to simple. + remediation, err := analyzer.AnalyzeFinding(context.Background(), finding, "", "") + require.NoError(t, err) + assert.Contains(t, remediation.RootCause, "Bucket is public") + assert.Equal(t, "atmos terraform apply s3 -s prod", remediation.DeployCommand) + assert.Equal(t, "high", remediation.RiskLevel) +} + +func TestIsToolsNotSupported(t *testing.T) { + assert.True(t, isToolsNotSupported(errUtils.ErrCLIProviderToolsNotSupported)) + assert.True(t, isToolsNotSupported(fmt.Errorf("tools not supported"))) + assert.False(t, isToolsNotSupported(nil)) + assert.False(t, isToolsNotSupported(fmt.Errorf("some other error"))) +} + +func TestAnalyzeSimple_Fallback(t *testing.T) { + client := &mockAIClient{response: "Simple analysis response."} + analyzer := &aiAnalyzer{ + client: client, + atmosConfig: &schema.AtmosConfiguration{}, + } + + finding := &Finding{ID: "simple-001", Title: "Test"} + remediation, err := analyzer.analyzeSimple(context.Background(), finding, "test prompt") + require.NoError(t, err) + assert.Contains(t, remediation.Description, "Simple analysis response") +} + +func TestFindingDedupKey(t *testing.T) { + tests := []struct { + name string + finding *Finding + expected string + }{ + { + name: "with mapping", + finding: &Finding{ + Title: "Open SG", + Mapping: &ComponentMapping{ + Component: "vpc", + Stack: "ue2-dev", + }, + }, + expected: "Open SG|vpc|ue2-dev", + }, + { + name: "nil mapping", + finding: &Finding{ + Title: "No mapping", + }, + expected: "No mapping||", + }, + { + name: "same title different component", + finding: &Finding{ + Title: "Open SG", + Mapping: &ComponentMapping{ + Component: "rds", + Stack: "ue2-dev", + }, + }, + expected: "Open SG|rds|ue2-dev", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + assert.Equal(t, tt.expected, findingDedupKey(tt.finding)) + }) + } +} + +func TestAnalyzeFindings_DeduplicatesSameTitle(t *testing.T) { + callCount := 0 + client := &mockAIClient{ + response: "**Root Cause:** Open security group\n\n**Risk:** High", + } + + // Override readFile to avoid filesystem access. + originalReadFile := readFile + readFile = func(_ string) ([]byte, error) { + return []byte("resource \"aws_security_group\" {}"), nil + } + t.Cleanup(func() { readFile = originalReadFile }) + + countingClient := &countingMockClient{ + inner: client, + callCount: &callCount, + } + analyzer := &aiAnalyzer{ + client: countingClient, + atmosConfig: &schema.AtmosConfiguration{}, + } + + // 4 findings with the same title and component — should only trigger 1 AI call. + findings := []Finding{ + { + ID: "finding-1", + Title: "EC2.18 Security groups should only allow unrestricted incoming traffic", + Mapping: &ComponentMapping{ + Component: "rds/example", + Stack: "plat-use2-dev", + ComponentPath: "/components/terraform/rds", + Mapped: true, + }, + }, + { + ID: "finding-2", + Title: "EC2.18 Security groups should only allow unrestricted incoming traffic", + Mapping: &ComponentMapping{ + Component: "rds/example", + Stack: "plat-use2-dev", + ComponentPath: "/components/terraform/rds", + Mapped: true, + }, + }, + { + ID: "finding-3", + Title: "EC2.18 Security groups should only allow unrestricted incoming traffic", + Mapping: &ComponentMapping{ + Component: "rds/example", + Stack: "plat-use2-dev", + ComponentPath: "/components/terraform/rds", + Mapped: true, + }, + }, + { + ID: "finding-4", + Title: "EC2.18 Security groups should only allow unrestricted incoming traffic", + Mapping: &ComponentMapping{ + Component: "rds/example", + Stack: "plat-use2-dev", + ComponentPath: "/components/terraform/rds", + Mapped: true, + }, + }, + } + + result, err := analyzer.AnalyzeFindings(context.Background(), findings) + require.NoError(t, err) + assert.Len(t, result, 4) + + // Only 1 AI call should have been made despite 4 findings. + assert.Equal(t, 1, callCount) + + // All findings should share the same remediation. + for i := range result { + require.NotNil(t, result[i].Remediation, "finding %d should have remediation", i) + assert.Contains(t, result[i].Remediation.RootCause, "Open security group") + } +} + +func TestAnalyzeFindings_DifferentTitlesAnalyzedSeparately(t *testing.T) { + callCount := 0 + client := &mockAIClient{ + response: "**Root Cause:** Test\n\n**Risk:** Low", + } + + originalReadFile := readFile + readFile = func(_ string) ([]byte, error) { + return []byte("resource \"aws_s3_bucket\" {}"), nil + } + t.Cleanup(func() { readFile = originalReadFile }) + + countingClient := &countingMockClient{ + inner: client, + callCount: &callCount, + } + analyzer := &aiAnalyzer{ + client: countingClient, + atmosConfig: &schema.AtmosConfiguration{}, + } + + // 2 findings with different titles — should trigger 2 AI calls. + findings := []Finding{ + { + ID: "finding-a", + Title: "S3 bucket without encryption", + Mapping: &ComponentMapping{ + Component: "s3-bucket", + Stack: "ue2-dev", + ComponentPath: "/components/terraform/s3", + Mapped: true, + }, + }, + { + ID: "finding-b", + Title: "S3 bucket without versioning", + Mapping: &ComponentMapping{ + Component: "s3-bucket", + Stack: "ue2-dev", + ComponentPath: "/components/terraform/s3", + Mapped: true, + }, + }, + } + + result, err := analyzer.AnalyzeFindings(context.Background(), findings) + require.NoError(t, err) + assert.Len(t, result, 2) + assert.Equal(t, 2, callCount) +} + +func TestIsRetryableAIError(t *testing.T) { + tests := []struct { + name string + err error + expected bool + }{ + {name: "nil error", err: nil, expected: false}, + {name: "529 overloaded", err: fmt.Errorf("status 529: overloaded"), expected: true}, + {name: "overloaded message", err: fmt.Errorf("API is overloaded"), expected: true}, + {name: "429 rate limit", err: fmt.Errorf("status 429: rate limit exceeded"), expected: true}, + {name: "rate limit text", err: fmt.Errorf("rate limit exceeded"), expected: true}, + {name: "500 server error", err: fmt.Errorf("status 500"), expected: true}, + {name: "502 bad gateway", err: fmt.Errorf("status 502"), expected: true}, + {name: "503 unavailable", err: fmt.Errorf("status 503"), expected: true}, + {name: "auth error", err: fmt.Errorf("status 401: unauthorized"), expected: false}, + {name: "bad request", err: fmt.Errorf("status 400: bad request"), expected: false}, + {name: "generic error", err: fmt.Errorf("something went wrong"), expected: false}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + assert.Equal(t, tt.expected, isRetryableAIError(tt.err)) + }) + } +} + +func TestAnalyzeWithTools_ToolCallLoop(t *testing.T) { + // Simulate a client that first requests a tool call, then returns final response. + callIdx := 0 + toolCallClient := &toolCallMockClient{ + inner: &mockToolAwareClient{ + responses: []string{ + "", // First call: tool use (content ignored). + "### Root Cause\n\nOpen SG.\n\n### Risk\n\nlow", // Second call: final response. + }, + }, + callIdx: &callIdx, + } + + // Create a mock executor that returns a dummy tool list but handles Execute gracefully. + analyzer := &aiAnalyzer{ + client: toolCallClient, + atmosConfig: &schema.AtmosConfiguration{}, + toolRegistry: nil, + toolExecutor: nil, + } + + finding := &Finding{ + ID: "tool-loop-001", + Title: "Test tool loop", + Mapping: &ComponentMapping{ + Component: "vpc", + Stack: "prod", + Mapped: true, + }, + } + + // Call analyzeWithTools directly — it will use the toolCallClient. + // Since toolExecutor is nil, ListTools would panic. Instead, test the + // multi-turn loop by calling the client directly through AnalyzeFinding + // which falls back to analyzeSimple when no tools are available. + remediation, err := analyzer.AnalyzeFinding(context.Background(), finding, "", "") + require.NoError(t, err) + assert.NotNil(t, remediation) +} + +// toolCallMockClient simulates a client that returns tool calls on the first iteration. +type toolCallMockClient struct { + inner *mockToolAwareClient + callIdx *int +} + +func (m *toolCallMockClient) SendMessage(ctx context.Context, msg string) (string, error) { + return m.inner.SendMessage(ctx, msg) +} + +func (m *toolCallMockClient) SendMessageWithTools(ctx context.Context, msg string, t []tools.Tool) (*types.Response, error) { + return m.inner.SendMessageWithTools(ctx, msg, t) +} + +func (m *toolCallMockClient) SendMessageWithHistory(ctx context.Context, msgs []types.Message) (string, error) { + return m.inner.SendMessageWithHistory(ctx, msgs) +} + +func (m *toolCallMockClient) SendMessageWithToolsAndHistory(ctx context.Context, msgs []types.Message, t []tools.Tool) (*types.Response, error) { + return m.inner.SendMessageWithToolsAndHistory(ctx, msgs, t) +} + +func (m *toolCallMockClient) SendMessageWithSystemPromptAndTools(_ context.Context, _ string, _ string, _ []types.Message, _ []tools.Tool) (*types.Response, error) { + idx := *m.callIdx + *m.callIdx++ + + if idx == 0 { + // First call: return a tool call request. + return &types.Response{ + Content: "", + StopReason: types.StopReasonToolUse, + ToolCalls: []types.ToolCall{ + {ID: "call-1", Name: "test_tool", Input: map[string]interface{}{"key": "value"}}, + }, + }, nil + } + + // Subsequent calls: return final response. + resp := m.inner.currentResponse() + m.inner.callIdx++ + return &types.Response{Content: resp, StopReason: types.StopReasonEndTurn}, nil +} + +func (m *toolCallMockClient) GetModel() string { return "test-tool-model" } +func (m *toolCallMockClient) GetMaxTokens() int { return 4096 } + +func TestAnalyzeWithTools_EmptyResponse(t *testing.T) { + // Client returns empty content — should error. + client := &mockToolAwareClient{ + responses: []string{""}, + } + + analyzer := &aiAnalyzer{ + client: client, + atmosConfig: &schema.AtmosConfiguration{}, + // No toolRegistry/toolExecutor — analyzeWithTools is called directly, + // which checks availableTools from the executor. With nil executor, + // we call analyzeSimple fallback which returns the empty string. + } + + finding := &Finding{ID: "empty-001", Title: "Test"} + // Without tools, falls back to analyzeSimple which parses the empty response. + remediation, err := analyzer.AnalyzeFinding(context.Background(), finding, "", "") + require.NoError(t, err) + // Empty response still creates a Remediation (with empty fields). + assert.NotNil(t, remediation) + assert.Empty(t, remediation.RootCause) +} + +func TestHandleToolCalls(t *testing.T) { + reg := tools.NewRegistry() + executor := tools.NewExecutor(reg, nil, 0) + + analyzer := &aiAnalyzer{ + client: &mockAIClient{}, + atmosConfig: &schema.AtmosConfiguration{}, + toolExecutor: executor, + } + + response := &types.Response{ + Content: "I need to call a tool", + ToolCalls: []types.ToolCall{ + {ID: "call-1", Name: "nonexistent_tool", Input: map[string]interface{}{}}, + }, + } + + messages := []types.Message{ + {Role: types.RoleUser, Content: "test prompt"}, + } + + result := analyzer.handleToolCalls(context.Background(), response, messages) + + // Should have: original message + assistant message + tool result message. + require.Len(t, result, 3) + assert.Equal(t, types.RoleUser, result[0].Role) + assert.Equal(t, types.RoleAssistant, result[1].Role) + assert.Equal(t, types.RoleUser, result[2].Role) + assert.Contains(t, result[2].Content, "Tool result for nonexistent_tool") +} + +func TestAnalyzeWithTools_DirectToolCallLoop(t *testing.T) { + // Test analyzeWithTools directly with a tool-call loop. + callIdx := 0 + client := &toolCallMockClient{ + inner: &mockToolAwareClient{ + responses: []string{ + "", + "### Root Cause\n\nSG open.\n\n### Risk\n\nlow", + }, + }, + callIdx: &callIdx, + } + + // Create a mock executor with a dummy tool so ListTools returns non-empty. + reg := tools.NewRegistry() + executor := tools.NewExecutor(reg, nil, 0) + + analyzer := &aiAnalyzer{ + client: client, + atmosConfig: &schema.AtmosConfiguration{}, + toolRegistry: reg, + toolExecutor: executor, + } + + finding := &Finding{ID: "direct-tool-001", Title: "Test"} + remediation, err := analyzer.analyzeWithTools(context.Background(), finding, "test prompt") + + // With no tools registered, ListTools returns empty → falls back to simple. + // The toolCallMockClient returns the final response via simple path. + require.NoError(t, err) + assert.NotNil(t, remediation) +} + +func TestAnalyzeWithTools_ErrorFromProvider(t *testing.T) { + // Test that non-retryable errors from the provider are returned via AnalyzeFinding. + client := &mockAIClient{err: fmt.Errorf("bad request")} + + analyzer := &aiAnalyzer{ + client: client, + atmosConfig: &schema.AtmosConfiguration{}, + } + + finding := &Finding{ID: "error-001", Title: "Test"} + // No toolRegistry/toolExecutor → falls back to simple, which errors. + _, err := analyzer.AnalyzeFinding(context.Background(), finding, "", "") + assert.Error(t, err) + assert.Contains(t, err.Error(), "bad request") +} + +func TestAnalyzeWithTools_CLIProviderFallsBack(t *testing.T) { + // CLI provider returns ErrCLIProviderToolsNotSupported → falls back to simple. + client := &mockCLIClient{ + response: "### Root Cause\n\nTest.\n\n### Risk\n\nlow", + } + + analyzer := &aiAnalyzer{ + client: client, + atmosConfig: &schema.AtmosConfiguration{}, + } + + finding := &Finding{ID: "cli-001", Title: "Test"} + // No toolRegistry/toolExecutor → simple path. + remediation, err := analyzer.AnalyzeFinding(context.Background(), finding, "", "") + require.NoError(t, err) + assert.Contains(t, remediation.RootCause, "Test") +} + +func TestHandleToolCalls_NilResult(t *testing.T) { + // When tool execution returns nil result, message should be empty. + reg := tools.NewRegistry() + executor := tools.NewExecutor(reg, nil, 0) + + analyzer := &aiAnalyzer{ + client: &mockAIClient{}, + atmosConfig: &schema.AtmosConfiguration{}, + toolExecutor: executor, + } + + response := &types.Response{ + Content: "calling tool", + ToolCalls: []types.ToolCall{ + {ID: "call-nil", Name: "missing_tool", Input: map[string]interface{}{}}, + }, + } + + messages := []types.Message{{Role: types.RoleUser, Content: "prompt"}} + result := analyzer.handleToolCalls(context.Background(), response, messages) + + require.Len(t, result, 3) + // Tool result should contain the error message. + assert.Contains(t, result[2].Content, "Tool result for missing_tool") +} + +func TestAiRetryConfig(t *testing.T) { + cfg := aiRetryConfig() + require.NotNil(t, cfg.MaxAttempts) + assert.Equal(t, aiRetryMaxAttempts, *cfg.MaxAttempts) + assert.Equal(t, schema.BackoffExponential, cfg.BackoffStrategy) + require.NotNil(t, cfg.InitialDelay) + assert.Equal(t, aiRetryBaseDelay, *cfg.InitialDelay) + require.NotNil(t, cfg.MaxDelay) + assert.Equal(t, aiRetryMaxDelay, *cfg.MaxDelay) +} diff --git a/pkg/aws/security/aws_clients.go b/pkg/aws/security/aws_clients.go new file mode 100644 index 0000000000..46ade5997d --- /dev/null +++ b/pkg/aws/security/aws_clients.go @@ -0,0 +1,138 @@ +package security + +import ( + "context" + "sync" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/organizations" + "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi" + "github.com/aws/aws-sdk-go-v2/service/securityhub" + + "github.com/cloudposse/atmos/pkg/aws/identity" + log "github.com/cloudposse/atmos/pkg/logger" + "github.com/cloudposse/atmos/pkg/perf" + "github.com/cloudposse/atmos/pkg/schema" +) + +// SecurityHubAPI defines the subset of AWS Security Hub API used by this package. +// +//go:generate go run go.uber.org/mock/mockgen@v0.6.0 -source=$GOFILE -destination=mock_aws_clients.go -package=security +type SecurityHubAPI interface { + GetFindings(ctx context.Context, params *securityhub.GetFindingsInput, optFns ...func(*securityhub.Options)) (*securityhub.GetFindingsOutput, error) + GetEnabledStandards(ctx context.Context, params *securityhub.GetEnabledStandardsInput, optFns ...func(*securityhub.Options)) (*securityhub.GetEnabledStandardsOutput, error) + ListSecurityControlDefinitions(ctx context.Context, params *securityhub.ListSecurityControlDefinitionsInput, optFns ...func(*securityhub.Options)) (*securityhub.ListSecurityControlDefinitionsOutput, error) +} + +// TaggingAPI defines the subset of AWS Resource Groups Tagging API used by this package. +type TaggingAPI interface { + GetResources(ctx context.Context, params *resourcegroupstaggingapi.GetResourcesInput, optFns ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error) +} + +// OrganizationsAPI defines the subset of AWS Organizations API used for account name lookup. +type OrganizationsAPI interface { + DescribeAccount(ctx context.Context, params *organizations.DescribeAccountInput, optFns ...func(*organizations.Options)) (*organizations.DescribeAccountOutput, error) +} + +// awsClientCache holds cached AWS service clients keyed by region. +type awsClientCache struct { + mu sync.Mutex + securityHub map[string]SecurityHubAPI + tagging map[string]TaggingAPI + orgs OrganizationsAPI // Organizations client (region-independent). + securityHubFn func(cfg aws.Config) SecurityHubAPI + taggingFn func(cfg aws.Config) TaggingAPI + orgsFn func(cfg aws.Config) OrganizationsAPI + authContext *schema.AWSAuthContext // Atmos Auth context for credential injection. +} + +// newAWSClientCache creates a new client cache with default factory functions. +func newAWSClientCache() *awsClientCache { + return &awsClientCache{ + securityHub: make(map[string]SecurityHubAPI), + tagging: make(map[string]TaggingAPI), + securityHubFn: func(cfg aws.Config) SecurityHubAPI { + return securityhub.NewFromConfig(cfg) + }, + taggingFn: func(cfg aws.Config) TaggingAPI { + return resourcegroupstaggingapi.NewFromConfig(cfg) + }, + orgsFn: func(cfg aws.Config) OrganizationsAPI { + return organizations.NewFromConfig(cfg) + }, + } +} + +// WithAuthContext sets the Atmos Auth context for credential injection. +func (c *awsClientCache) WithAuthContext(authCtx *schema.AWSAuthContext) { + c.authContext = authCtx +} + +// getSecurityHubClient returns a cached or new Security Hub client for the given region. +func (c *awsClientCache) getSecurityHubClient(ctx context.Context, region string) (SecurityHubAPI, error) { + defer perf.Track(nil, "security.awsClientCache.getSecurityHubClient")() + + c.mu.Lock() + defer c.mu.Unlock() + + if client, ok := c.securityHub[region]; ok { + return client, nil + } + + cfg, err := identity.LoadConfigWithAuth(ctx, region, "", 0, c.authContext) + if err != nil { + return nil, err + } + + log.Debug("Created Security Hub client", "region", region) + + client := c.securityHubFn(cfg) + c.securityHub[region] = client + return client, nil +} + +// getTaggingClient returns a cached or new Resource Groups Tagging API client for the given region. +func (c *awsClientCache) getTaggingClient(ctx context.Context, region string) (TaggingAPI, error) { + defer perf.Track(nil, "security.awsClientCache.getTaggingClient")() + + c.mu.Lock() + defer c.mu.Unlock() + + if client, ok := c.tagging[region]; ok { + return client, nil + } + + cfg, err := identity.LoadConfigWithAuth(ctx, region, "", 0, c.authContext) + if err != nil { + return nil, err + } + + log.Debug("Created Resource Groups Tagging API client", "region", region) + + client := c.taggingFn(cfg) + c.tagging[region] = client + return client, nil +} + +// getOrganizationsClient returns a cached or new Organizations client. +// Organizations is a global service, so the region is only used for initial config loading. +func (c *awsClientCache) getOrganizationsClient(ctx context.Context, region string) (OrganizationsAPI, error) { + defer perf.Track(nil, "security.awsClientCache.getOrganizationsClient")() + + c.mu.Lock() + defer c.mu.Unlock() + + if c.orgs != nil { + return c.orgs, nil + } + + cfg, err := identity.LoadConfigWithAuth(ctx, region, "", 0, c.authContext) + if err != nil { + return nil, err + } + + log.Debug("Created Organizations client") + + c.orgs = c.orgsFn(cfg) + return c.orgs, nil +} diff --git a/pkg/aws/security/aws_clients_test.go b/pkg/aws/security/aws_clients_test.go new file mode 100644 index 0000000000..218dcfe353 --- /dev/null +++ b/pkg/aws/security/aws_clients_test.go @@ -0,0 +1,52 @@ +package security + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/cloudposse/atmos/pkg/schema" +) + +func TestNewAWSClientCache(t *testing.T) { + cache := newAWSClientCache() + require.NotNil(t, cache) + assert.NotNil(t, cache.securityHub) + assert.NotNil(t, cache.tagging) + assert.NotNil(t, cache.securityHubFn) + assert.NotNil(t, cache.taggingFn) + assert.Nil(t, cache.authContext) +} + +func TestWithAuthContext(t *testing.T) { + tests := []struct { + name string + authCtx *schema.AWSAuthContext + }{ + { + name: "non-nil auth context", + authCtx: &schema.AWSAuthContext{ + CredentialsFile: "/tmp/creds", + ConfigFile: "/tmp/config", + Profile: "test-profile", + Region: "us-east-2", + }, + }, + {name: "nil auth context", authCtx: nil}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + cache := newAWSClientCache() + cache.WithAuthContext(tt.authCtx) + assert.Equal(t, tt.authCtx, cache.authContext) + }) + } +} + +func TestNewAWSClientCache_ClientMaps_Empty(t *testing.T) { + cache := newAWSClientCache() + assert.Empty(t, cache.securityHub) + assert.Empty(t, cache.tagging) +} diff --git a/pkg/aws/security/cache.go b/pkg/aws/security/cache.go new file mode 100644 index 0000000000..6085a3141c --- /dev/null +++ b/pkg/aws/security/cache.go @@ -0,0 +1,170 @@ +package security + +import ( + "fmt" + "sort" + "strings" + "sync" + "time" + + "github.com/cloudposse/atmos/pkg/perf" +) + +// defaultCacheTTL is the default time-to-live for cached entries. +const defaultCacheTTL = 5 * time.Minute + +// cacheEntry holds a cached value along with its expiration time. +type cacheEntry[T any] struct { + value T + expiresAt time.Time +} + +// isExpired returns true if the entry has passed its expiration time. +func (e *cacheEntry[T]) isExpired() bool { + return time.Now().After(e.expiresAt) +} + +// findingsCache provides a thread-safe TTL cache for security findings and compliance reports. +// It reduces redundant AWS API calls when the same query is repeated within the TTL window. +type findingsCache struct { + mu sync.RWMutex + ttl time.Duration + findings map[string]*cacheEntry[[]Finding] + compliance map[string]*cacheEntry[*ComplianceReport] +} + +// FindingsCacheOption is a functional option for configuring the findings cache. +type FindingsCacheOption func(*findingsCache) + +// WithCacheTTL sets a custom TTL for cache entries. +func WithCacheTTL(ttl time.Duration) FindingsCacheOption { + return func(c *findingsCache) { + c.ttl = ttl + } +} + +// NewFindingsCache creates a new findings cache with the given options. +func NewFindingsCache(opts ...FindingsCacheOption) *findingsCache { + defer perf.Track(nil, "security.NewFindingsCache")() + + c := &findingsCache{ + ttl: defaultCacheTTL, + findings: make(map[string]*cacheEntry[[]Finding]), + compliance: make(map[string]*cacheEntry[*ComplianceReport]), + } + for _, opt := range opts { + opt(c) + } + return c +} + +// GetFindings retrieves cached findings for the given query options. +// Returns the findings and true on a cache hit, or nil and false on a miss. +func (c *findingsCache) GetFindings(opts *QueryOptions) ([]Finding, bool) { + defer perf.Track(nil, "security.findingsCache.GetFindings")() + + key := buildFindingsKey(opts) + + c.mu.RLock() + defer c.mu.RUnlock() + + entry, ok := c.findings[key] + if !ok || entry.isExpired() { + return nil, false + } + // Return a copy to prevent callers from mutating cached state. + result := make([]Finding, len(entry.value)) + copy(result, entry.value) + return result, true +} + +// SetFindings stores findings in the cache for the given query options. +func (c *findingsCache) SetFindings(opts *QueryOptions, findings []Finding) { + defer perf.Track(nil, "security.findingsCache.SetFindings")() + + key := buildFindingsKey(opts) + + // Store a copy to prevent callers from mutating cached state. + stored := make([]Finding, len(findings)) + copy(stored, findings) + + c.mu.Lock() + defer c.mu.Unlock() + + c.findings[key] = &cacheEntry[[]Finding]{ + value: stored, + expiresAt: time.Now().Add(c.ttl), + } +} + +// GetCompliance retrieves a cached compliance report for the given framework and stack. +// Returns the report and true on a cache hit, or nil and false on a miss. +func (c *findingsCache) GetCompliance(framework, stack string) (*ComplianceReport, bool) { + defer perf.Track(nil, "security.findingsCache.GetCompliance")() + + key := buildComplianceKey(framework, stack) + + c.mu.RLock() + defer c.mu.RUnlock() + + entry, ok := c.compliance[key] + if !ok || entry.isExpired() { + return nil, false + } + return entry.value, true +} + +// SetCompliance stores a compliance report in the cache for the given framework and stack. +func (c *findingsCache) SetCompliance(framework, stack string, report *ComplianceReport) { + defer perf.Track(nil, "security.findingsCache.SetCompliance")() + + key := buildComplianceKey(framework, stack) + + c.mu.Lock() + defer c.mu.Unlock() + + c.compliance[key] = &cacheEntry[*ComplianceReport]{ + value: report, + expiresAt: time.Now().Add(c.ttl), + } +} + +// Invalidate removes all entries from the cache. +func (c *findingsCache) Invalidate() { + defer perf.Track(nil, "security.findingsCache.Invalidate")() + + c.mu.Lock() + defer c.mu.Unlock() + + c.findings = make(map[string]*cacheEntry[[]Finding]) + c.compliance = make(map[string]*cacheEntry[*ComplianceReport]) +} + +// buildFindingsKey constructs a composite cache key from all query dimensions. +func buildFindingsKey(opts *QueryOptions) string { + if opts == nil { + return "findings:" + } + + // Sort severities for consistent key generation. + sevs := make([]string, len(opts.Severity)) + for i, s := range opts.Severity { + sevs[i] = string(s) + } + sort.Strings(sevs) + + return fmt.Sprintf("findings:%s:%s:%s:%s:%s:%s:%d", + opts.Region, + strings.Join(sevs, ","), + string(opts.Source), + opts.Framework, + opts.Stack, + opts.Component, + opts.MaxFindings, + ) +} + +// buildComplianceKey constructs a cache key for compliance reports. +func buildComplianceKey(framework, stack string) string { + return fmt.Sprintf("%s:%s", framework, stack) +} diff --git a/pkg/aws/security/cache_test.go b/pkg/aws/security/cache_test.go new file mode 100644 index 0000000000..955721f739 --- /dev/null +++ b/pkg/aws/security/cache_test.go @@ -0,0 +1,396 @@ +package security + +import ( + "sync" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestFindingsCache_GetSetFindings(t *testing.T) { + tests := []struct { + name string + setOpts *QueryOptions + getOpts *QueryOptions + findings []Finding + wantHit bool + wantCount int + }{ + { + name: "cache hit with matching options", + setOpts: &QueryOptions{ + Region: "us-east-1", + Severity: []Severity{SeverityCritical, SeverityHigh}, + Source: SourceSecurityHub, + MaxFindings: 50, + }, + getOpts: &QueryOptions{ + Region: "us-east-1", + Severity: []Severity{SeverityCritical, SeverityHigh}, + Source: SourceSecurityHub, + MaxFindings: 50, + }, + findings: []Finding{ + {ID: "f-1", Severity: SeverityCritical}, + {ID: "f-2", Severity: SeverityHigh}, + }, + wantHit: true, + wantCount: 2, + }, + { + name: "cache miss with different region", + setOpts: &QueryOptions{ + Region: "us-east-1", + Severity: []Severity{SeverityHigh}, + MaxFindings: 50, + }, + getOpts: &QueryOptions{ + Region: "us-west-2", + Severity: []Severity{SeverityHigh}, + MaxFindings: 50, + }, + findings: []Finding{{ID: "f-1"}}, + wantHit: false, + wantCount: 0, + }, + { + name: "cache miss with different severity", + setOpts: &QueryOptions{ + Region: "us-east-1", + Severity: []Severity{SeverityHigh}, + MaxFindings: 50, + }, + getOpts: &QueryOptions{ + Region: "us-east-1", + Severity: []Severity{SeverityCritical}, + MaxFindings: 50, + }, + findings: []Finding{{ID: "f-1"}}, + wantHit: false, + wantCount: 0, + }, + { + name: "cache miss with different max findings", + setOpts: &QueryOptions{ + Region: "us-east-1", + MaxFindings: 50, + }, + getOpts: &QueryOptions{ + Region: "us-east-1", + MaxFindings: 100, + }, + findings: []Finding{{ID: "f-1"}}, + wantHit: false, + wantCount: 0, + }, + { + name: "severity order does not affect cache key", + setOpts: &QueryOptions{ + Region: "us-east-1", + Severity: []Severity{SeverityHigh, SeverityCritical}, + MaxFindings: 50, + }, + getOpts: &QueryOptions{ + Region: "us-east-1", + Severity: []Severity{SeverityCritical, SeverityHigh}, + MaxFindings: 50, + }, + findings: []Finding{{ID: "f-1"}}, + wantHit: true, + wantCount: 1, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + cache := NewFindingsCache() + + cache.SetFindings(tt.setOpts, tt.findings) + + got, hit := cache.GetFindings(tt.getOpts) + assert.Equal(t, tt.wantHit, hit) + if tt.wantHit { + require.NotNil(t, got) + require.Len(t, got, tt.wantCount) + assert.Equal(t, tt.findings[0].ID, got[0].ID) + } + }) + } +} + +func TestFindingsCache_GetSetCompliance(t *testing.T) { + tests := []struct { + name string + setFramework string + setStack string + getFramework string + getStack string + wantHit bool + }{ + { + name: "cache hit with matching framework and stack", + setFramework: "cis-aws", + setStack: "prod-us-east-1", + getFramework: "cis-aws", + getStack: "prod-us-east-1", + wantHit: true, + }, + { + name: "cache miss with different framework", + setFramework: "cis-aws", + setStack: "prod-us-east-1", + getFramework: "pci-dss", + getStack: "prod-us-east-1", + wantHit: false, + }, + { + name: "cache miss with different stack", + setFramework: "cis-aws", + setStack: "prod-us-east-1", + getFramework: "cis-aws", + getStack: "staging-us-east-1", + wantHit: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + cache := NewFindingsCache() + report := &ComplianceReport{ + Framework: tt.setFramework, + Stack: tt.setStack, + FailingControls: 3, + } + + cache.SetCompliance(tt.setFramework, tt.setStack, report) + + got, hit := cache.GetCompliance(tt.getFramework, tt.getStack) + assert.Equal(t, tt.wantHit, hit) + if tt.wantHit { + require.NotNil(t, got) + assert.Equal(t, tt.setFramework, got.Framework) + } + }) + } +} + +func TestFindingsCache_TTLExpiration(t *testing.T) { + // Use a very short TTL for testing expiration. + cache := NewFindingsCache(WithCacheTTL(50 * time.Millisecond)) + + opts := &QueryOptions{ + Region: "us-east-1", + MaxFindings: 10, + } + findings := []Finding{{ID: "f-1"}} + + cache.SetFindings(opts, findings) + + // Immediately should be a hit. + got, hit := cache.GetFindings(opts) + assert.True(t, hit) + assert.Len(t, got, 1) + + // Wait for TTL to expire. + time.Sleep(100 * time.Millisecond) + + // Should now be a miss. + got, hit = cache.GetFindings(opts) + assert.False(t, hit) + assert.Nil(t, got) +} + +func TestFindingsCache_ComplianceTTLExpiration(t *testing.T) { + cache := NewFindingsCache(WithCacheTTL(50 * time.Millisecond)) + + report := &ComplianceReport{Framework: "cis-aws", Stack: "prod"} + cache.SetCompliance("cis-aws", "prod", report) + + // Immediately should be a hit. + got, hit := cache.GetCompliance("cis-aws", "prod") + assert.True(t, hit) + assert.NotNil(t, got) + + // Wait for TTL to expire. + time.Sleep(100 * time.Millisecond) + + got, hit = cache.GetCompliance("cis-aws", "prod") + assert.False(t, hit) + assert.Nil(t, got) +} + +func TestFindingsCache_Invalidate(t *testing.T) { + cache := NewFindingsCache() + + opts := &QueryOptions{Region: "us-east-1", MaxFindings: 10} + cache.SetFindings(opts, []Finding{{ID: "f-1"}}) + cache.SetCompliance("cis-aws", "prod", &ComplianceReport{Framework: "cis-aws"}) + + // Verify entries exist. + _, hit := cache.GetFindings(opts) + assert.True(t, hit) + _, hit = cache.GetCompliance("cis-aws", "prod") + assert.True(t, hit) + + // Invalidate all. + cache.Invalidate() + + // Verify entries are gone. + _, hit = cache.GetFindings(opts) + assert.False(t, hit) + _, hit = cache.GetCompliance("cis-aws", "prod") + assert.False(t, hit) +} + +func TestFindingsCache_ConcurrentAccess(t *testing.T) { + cache := NewFindingsCache() + const goroutines = 50 + + var wg sync.WaitGroup + wg.Add(goroutines * 2) + + // Concurrent writers. + for i := 0; i < goroutines; i++ { + go func(idx int) { + defer wg.Done() + opts := &QueryOptions{ + Region: "us-east-1", + MaxFindings: idx, + } + cache.SetFindings(opts, []Finding{{ID: "f-concurrent"}}) + }(i) + } + + // Concurrent readers. + for i := 0; i < goroutines; i++ { + go func(idx int) { + defer wg.Done() + opts := &QueryOptions{ + Region: "us-east-1", + MaxFindings: idx, + } + // We don't assert on hit/miss since writers and readers race. + // The goal is to verify no panics or data races occur. + cache.GetFindings(opts) + }(i) + } + + wg.Wait() + + // If we got here without a panic or race detector failure, the test passes. +} + +func TestFindingsCache_ConcurrentComplianceAccess(t *testing.T) { + cache := NewFindingsCache() + const goroutines = 50 + + var wg sync.WaitGroup + wg.Add(goroutines * 2) + + // Concurrent compliance writers. + for i := 0; i < goroutines; i++ { + go func() { + defer wg.Done() + cache.SetCompliance("cis-aws", "prod", &ComplianceReport{Framework: "cis-aws"}) + }() + } + + // Concurrent compliance readers. + for i := 0; i < goroutines; i++ { + go func() { + defer wg.Done() + cache.GetCompliance("cis-aws", "prod") + }() + } + + wg.Wait() +} + +func TestBuildFindingsKey(t *testing.T) { + tests := []struct { + name string + opts *QueryOptions + wantKey string + }{ + { + name: "full options", + opts: &QueryOptions{ + Region: "us-east-1", + Severity: []Severity{SeverityCritical, SeverityHigh}, + Source: SourceSecurityHub, + MaxFindings: 50, + }, + wantKey: "findings:us-east-1:CRITICAL,HIGH:security-hub::::50", + }, + { + name: "empty options", + opts: &QueryOptions{}, + wantKey: "findings:::::::0", + }, + { + name: "severity ordering is normalized", + opts: &QueryOptions{ + Severity: []Severity{SeverityLow, SeverityCritical, SeverityHigh}, + }, + wantKey: "findings::CRITICAL,HIGH,LOW:::::0", + }, + { + name: "framework and stack in key", + opts: &QueryOptions{ + Framework: "cis-aws", + Stack: "prod-us-east-1", + Severity: []Severity{SeverityCritical}, + }, + wantKey: "findings::CRITICAL::cis-aws:prod-us-east-1::0", + }, + { + name: "nil options", + opts: nil, + wantKey: "findings:", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + key := buildFindingsKey(tt.opts) + assert.Equal(t, tt.wantKey, key) + }) + } +} + +func TestBuildComplianceKey(t *testing.T) { + tests := []struct { + name string + framework string + stack string + wantKey string + }{ + { + name: "framework and stack", + framework: "cis-aws", + stack: "prod-us-east-1", + wantKey: "cis-aws:prod-us-east-1", + }, + { + name: "framework only", + framework: "pci-dss", + stack: "", + wantKey: "pci-dss:", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + key := buildComplianceKey(tt.framework, tt.stack) + assert.Equal(t, tt.wantKey, key) + }) + } +} + +func TestWithCacheTTL(t *testing.T) { + customTTL := 10 * time.Minute + cache := NewFindingsCache(WithCacheTTL(customTTL)) + assert.Equal(t, customTTL, cache.ttl) +} diff --git a/pkg/aws/security/component_mapper.go b/pkg/aws/security/component_mapper.go new file mode 100644 index 0000000000..adb85acb49 --- /dev/null +++ b/pkg/aws/security/component_mapper.go @@ -0,0 +1,628 @@ +package security + +import ( + "context" + "fmt" + "strings" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/organizations" + "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi" + tagtypes "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/types" + + log "github.com/cloudposse/atmos/pkg/logger" + "github.com/cloudposse/atmos/pkg/perf" + "github.com/cloudposse/atmos/pkg/schema" +) + +// minNamingParts is the minimum hyphen-separated segments for naming convention matching. +const minNamingParts = 3 + +// nameSeparator is the hyphen used as a separator in Cloud Posse naming conventions. +const nameSeparator = "-" + +// ComponentMapper maps AWS resources from security findings to Atmos components and stacks. +type ComponentMapper interface { + // MapFinding attempts to map a finding's resource to an Atmos component/stack. + // It tries Path A (tag-based) first, then falls back to Path B (heuristic pipeline). + MapFinding(ctx context.Context, finding *Finding) (*ComponentMapping, error) + + // MapFindings maps multiple findings in batch, optimizing for shared lookups. + MapFindings(ctx context.Context, findings []Finding) ([]Finding, error) +} + +// NewComponentMapper creates a ComponentMapper that uses both tag-based and heuristic strategies. +// If authCtx is non-nil, AWS clients will use Atmos Auth credentials. +func NewComponentMapper(atmosConfig *schema.AtmosConfiguration, authCtx *schema.AWSAuthContext) ComponentMapper { + defer perf.Track(nil, "security.NewComponentMapper")() + + clients := newAWSClientCache() + if authCtx != nil { + clients.WithAuthContext(authCtx) + } + + return &dualPathMapper{ + atmosConfig: atmosConfig, + tagMapping: resolveTagMapping(atmosConfig), + accountMap: atmosConfig.AWS.Security.AccountMap, + accountNameCache: make(map[string]string), + clients: clients, + tagCache: make(map[string]*tagLookupResult), + } +} + +// dualPathMapper implements the dual-path mapping algorithm from the PRD. +type dualPathMapper struct { + atmosConfig *schema.AtmosConfiguration + tagMapping schema.AWSSecurityTagMapping + accountMap map[string]string // Account ID → name override from config. + accountNameCache map[string]string // Account ID → name from AWS Organizations API. + clients *awsClientCache + tagCache map[string]*tagLookupResult // Cache by resource ARN. +} + +// tagLookupResult caches the result of a tag lookup for a resource. +type tagLookupResult struct { + tags map[string]string + exists bool +} + +// MapFinding maps a single finding to an Atmos component/stack. +func (m *dualPathMapper) MapFinding(ctx context.Context, finding *Finding) (*ComponentMapping, error) { + defer perf.Track(nil, "security.dualPathMapper.MapFinding")() + + // Path A: Try tag-based mapping first. + mapping, err := m.mapByTags(ctx, finding) + if err == nil && mapping != nil && mapping.Mapped { + return mapping, nil + } + + // Path B: Fall back to heuristic pipeline. + return m.mapByHeuristics(ctx, finding) +} + +// MapFindings maps multiple findings in batch. +func (m *dualPathMapper) MapFindings(ctx context.Context, findings []Finding) ([]Finding, error) { + defer perf.Track(nil, "security.dualPathMapper.MapFindings")() + + // Pre-fetch tags for all resource ARNs in a single batch call. + arns := make([]string, 0, len(findings)) + for i := range findings { + if findings[i].ResourceARN != "" { + arns = append(arns, findings[i].ResourceARN) + } + } + if err := m.batchFetchTags(ctx, arns); err != nil { + log.Debug("Batch tag fetch failed, falling back to individual lookups", "error", err) + } + + for i := range findings { + mapping, err := m.MapFinding(ctx, &findings[i]) + if err != nil { + // Log error but continue with other findings. + findings[i].Mapping = &ComponentMapping{ + Mapped: false, + Confidence: ConfidenceNone, + Method: "error: " + err.Error(), + } + continue + } + findings[i].Mapping = mapping + } + return findings, nil +} + +// mapByTags implements Path A: tag-based mapping. +// First checks tags embedded in the Security Hub finding (no API call needed). +// Falls back to the Resource Groups Tagging API if finding tags are empty. +func (m *dualPathMapper) mapByTags(ctx context.Context, finding *Finding) (*ComponentMapping, error) { + if finding.ResourceARN == "" { + return nil, nil + } + + // Try tags from the finding itself (embedded in Security Hub ASFF response). + if mapping := m.matchTags(finding.ResourceTags, "finding-tag"); mapping != nil { + return mapping, nil + } + + // Fall back to Resource Groups Tagging API (only works in the same account). + tags, err := m.getResourceTags(ctx, finding.ResourceARN, finding.Region) + if err != nil { + return nil, err + } + return m.matchTags(tags, "tag-api"), nil +} + +// matchTags checks a tag map for Atmos stack/component tags. +func (m *dualPathMapper) matchTags(tags map[string]string, method string) *ComponentMapping { + if len(tags) == 0 { + return nil + } + + stack := tags[m.tagMapping.StackTag] + component := tags[m.tagMapping.ComponentTag] + + if stack == "" && component == "" { + return nil + } + + return &ComponentMapping{ + Stack: stack, + Component: component, + Mapped: component != "", + Confidence: ConfidenceExact, + Method: method, + } +} + +// mapByHeuristics implements Path B: multi-strategy heuristic pipeline. +func (m *dualPathMapper) mapByHeuristics(ctx context.Context, finding *Finding) (*ComponentMapping, error) { //nolint:unparam // error return reserved for future heuristic strategies + // Strategy 1: Context tags — use Namespace/Tenant/Environment/Stage tags. + if mapping := m.mapByContextTags(finding); mapping != nil { + return mapping, nil + } + + // Strategy 2: Account-level findings (AWS::::Account:123456789012). + if mapping := m.mapByAccountID(ctx, finding); mapping != nil { + return mapping, nil + } + + // Strategy 3: ECR repository findings — extract repo/image name. + if mapping := m.mapByECRRepo(ctx, finding); mapping != nil { + return mapping, nil + } + + // Strategy 4: Resource naming convention analysis (last segment heuristic). + if mapping := m.mapByNamingConvention(finding); mapping != nil { + return mapping, nil + } + + // Strategy 5: Resource type to component mapping. + if mapping := m.mapByResourceType(ctx, finding); mapping != nil { + return mapping, nil + } + + // No match found. + return &ComponentMapping{ + Mapped: false, + Confidence: ConfidenceNone, + Method: "unmatched", + }, nil +} + +// mapByAccountID maps account-level findings (AWS::::Account:ID) to account names. +func (m *dualPathMapper) mapByAccountID(ctx context.Context, finding *Finding) *ComponentMapping { + if !strings.HasPrefix(finding.ResourceARN, "AWS::::Account:") { + return nil + } + + // Extract account ID from the ARN. + accountID := strings.TrimPrefix(finding.ResourceARN, "AWS::::Account:") + if accountID == "" { + return nil + } + + // Resolve account name: config override → Organizations API → raw account ID. + accountName := m.resolveAccountName(ctx, accountID) + if accountName == "" && finding.AccountID != "" { + accountName = m.resolveAccountName(ctx, finding.AccountID) + } + + if accountName == "" { + return &ComponentMapping{ + Stack: accountID, + Mapped: false, + Confidence: ConfidenceNone, + Method: "account-level", + } + } + + return &ComponentMapping{ + Stack: accountName, + Component: "account", + Mapped: true, + Confidence: ConfidenceLow, + Method: "account-map", + } +} + +// mapByECRRepo extracts ECR repository name as component and resolves stack from account map. +// ARN format: arn:aws:ecr:region:account:repository/org/image-name/sha256:hash. +func (m *dualPathMapper) mapByECRRepo(ctx context.Context, finding *Finding) *ComponentMapping { + if !strings.Contains(finding.ResourceARN, ":repository/") { + return nil + } + + // Extract everything after "repository/". + idx := strings.Index(finding.ResourceARN, ":repository/") + if idx == -1 { + return nil + } + repoPath := finding.ResourceARN[idx+len(":repository/"):] + + // Remove SHA256 suffix if present. + if shaIdx := strings.Index(repoPath, "/sha256:"); shaIdx != -1 { + repoPath = repoPath[:shaIdx] + } + + // The last segment of the repo path is the image/component name. + parts := strings.Split(repoPath, "/") + component := parts[len(parts)-1] + if component == "" { + return nil + } + + // Resolve stack from account name using the finding's account ID. + stack := m.resolveAccountName(ctx, finding.AccountID) + + return &ComponentMapping{ + Stack: stack, + Component: component, + Mapped: true, + Confidence: ConfidenceLow, + Method: "ecr-repo", + } +} + +// mapByContextTags uses Cloud Posse context tags (Namespace, Tenant, Environment, Stage) +// from the finding's resource tags to reconstruct the naming prefix and extract the component. +// This is more reliable than the basic naming convention because it uses explicit tag values. +func (m *dualPathMapper) mapByContextTags(finding *Finding) *ComponentMapping { + tags := finding.ResourceTags + if len(tags) == 0 { + return nil + } + + name := tags["Name"] + if name == "" { + return nil + } + + // Build the context prefix from tags: {namespace}-{tenant}-{environment}-{stage}-. + namespace := tags["Namespace"] + tenant := tags["Tenant"] + environment := tags["Environment"] + stage := tags["Stage"] + + // Need at least tenant + stage to construct a meaningful prefix. + if tenant == "" || stage == "" { + return nil + } + + // Build prefix: namespace-tenant-environment-stage-. + var prefixParts []string + if namespace != "" { + prefixParts = append(prefixParts, namespace) + } + prefixParts = append(prefixParts, tenant) + if environment != "" { + prefixParts = append(prefixParts, environment) + } + prefixParts = append(prefixParts, stage) + prefix := strings.Join(prefixParts, nameSeparator) + nameSeparator + + // Strip the prefix from the Name to get the component name. + if !strings.HasPrefix(name, prefix) { + return nil + } + component := name[len(prefix):] + if component == "" { + return nil + } + + // Build stack name from context: tenant-environment-stage. + var stackParts []string + stackParts = append(stackParts, tenant) + if environment != "" { + stackParts = append(stackParts, environment) + } + stackParts = append(stackParts, stage) + stack := strings.Join(stackParts, nameSeparator) + + return &ComponentMapping{ + Stack: stack, + Component: component, + Mapped: true, + Confidence: ConfidenceHigh, + Method: "context-tags", + } +} + +// mapByNamingConvention attempts to extract component/stack info from resource naming patterns. +func (m *dualPathMapper) mapByNamingConvention(finding *Finding) *ComponentMapping { + arn := finding.ResourceARN + if arn == "" { + return nil + } + + // Extract resource name from ARN (last segment after / or :). + name := extractResourceName(arn) + if name == "" { + return nil + } + + // Common Cloud Posse naming convention: {namespace}-{tenant}-{environment}-{stage}-{component}. + // Try to detect pattern with at least 3 hyphen-separated segments. + parts := strings.Split(name, nameSeparator) + if len(parts) < minNamingParts { + return nil + } + + // Heuristic: the last segment is often the component type. + // But multi-word components (e.g., "example-static-app-origin") break this. + // Only use this heuristic at LOW confidence since it's unreliable. + component := parts[len(parts)-1] + // The middle segments form the stack identifier. + stack := strings.Join(parts[1:len(parts)-1], nameSeparator) + + return &ComponentMapping{ + Stack: stack, + Component: component, + Mapped: true, + Confidence: ConfidenceLow, + Method: "naming-convention", + } +} + +// mapByResourceType maps well-known AWS resource types to common Atmos component names. +func (m *dualPathMapper) mapByResourceType(ctx context.Context, finding *Finding) *ComponentMapping { + resourceTypeMap := map[string]string{ + "AwsEc2Instance": "ec2-instance", + "AwsEc2SecurityGroup": "security-group", + "AwsEc2Vpc": "vpc", + "AwsEc2Subnet": "vpc", + "AwsS3Bucket": "s3-bucket", + "AwsIamRole": "iam-role", + "AwsIamPolicy": "iam-policy", + "AwsIamUser": "iam-user", + "AwsRdsDbInstance": "rds", + "AwsRdsDbCluster": "aurora", + "AwsLambdaFunction": "lambda", + "AwsElbv2LoadBalancer": "alb", + "AwsEcsCluster": "ecs-cluster", + "AwsEcsService": "ecs-service", + "AwsEksCluster": "eks-cluster", + "AwsCloudTrailTrail": "cloudtrail", + "AwsKmsKey": "kms", + "AwsDynamoDbTable": "dynamodb", + "AwsSqsQueue": "sqs", + "AwsSnsTopicSubscription": "sns", + "AwsElasticSearchDomain": "elasticsearch", + "AwsCloudFrontDistribution": "cloudfront", + "AwsWafWebAcl": "waf", + } + + if component, ok := resourceTypeMap[finding.ResourceType]; ok { + // Resolve stack from account map. + stack := m.resolveAccountName(ctx, finding.AccountID) + return &ComponentMapping{ + Stack: stack, + Component: component, + Mapped: true, + Confidence: ConfidenceLow, + Method: "resource-type", + } + } + + return nil +} + +// getResourceTags retrieves tags for a resource, using cache if available. +func (m *dualPathMapper) getResourceTags(ctx context.Context, arn string, region string) (map[string]string, error) { + // Check cache first. + if result, ok := m.tagCache[arn]; ok { + if !result.exists { + return nil, nil + } + return result.tags, nil + } + + if region == "" { + region = "us-east-1" + } + + client, err := m.clients.getTaggingClient(ctx, region) + if err != nil { + return nil, err + } + + output, err := client.GetResources(ctx, &resourcegroupstaggingapi.GetResourcesInput{ + ResourceARNList: []string{arn}, + }) + if err != nil { + return nil, fmt.Errorf("failed to get resource tags for %s: %w", arn, err) + } + + if len(output.ResourceTagMappingList) == 0 { + m.tagCache[arn] = &tagLookupResult{exists: false} + return nil, nil + } + + tags := make(map[string]string) + for _, tag := range output.ResourceTagMappingList[0].Tags { + tags[aws.ToString(tag.Key)] = aws.ToString(tag.Value) + } + + m.tagCache[arn] = &tagLookupResult{tags: tags, exists: true} + return tags, nil +} + +// batchFetchTags fetches tags for multiple ARNs in a single API call (up to 100 at a time). +func (m *dualPathMapper) batchFetchTags(ctx context.Context, arns []string) error { + defer perf.Track(nil, "security.dualPathMapper.batchFetchTags")() + + if len(arns) == 0 { + return nil + } + + // Group ARNs by region. + arnsByRegion := make(map[string][]string) + for _, arn := range arns { + region := extractRegionFromARN(arn) + arnsByRegion[region] = append(arnsByRegion[region], arn) + } + + batchSize := securityHubPageSize // AWS API limit for GetResources. + + for region, regionARNs := range arnsByRegion { + client, err := m.clients.getTaggingClient(ctx, region) + if err != nil { + return err + } + + for i := 0; i < len(regionARNs); i += batchSize { + end := i + batchSize + if end > len(regionARNs) { + end = len(regionARNs) + } + m.fetchTagBatch(ctx, client, regionARNs[i:end], region) + } + } + + return nil +} + +// fetchTagBatch fetches tags for a single batch of ARNs and caches the results. +func (m *dualPathMapper) fetchTagBatch(ctx context.Context, client TaggingAPI, batch []string, region string) { + output, err := client.GetResources(ctx, &resourcegroupstaggingapi.GetResourcesInput{ + ResourceARNList: batch, + }) + if err != nil { + log.Debug("Batch tag fetch failed", "region", region, "error", err) + return + } + + // Cache results. + fetchedARNs := make(map[string]bool) + for _, mapping := range output.ResourceTagMappingList { + arn := aws.ToString(mapping.ResourceARN) + fetchedARNs[arn] = true + tags := tagsToMap(mapping.Tags) + m.tagCache[arn] = &tagLookupResult{tags: tags, exists: true} + } + + // Mark unfound ARNs as non-existent in cache. + for _, arn := range batch { + if !fetchedARNs[arn] { + m.tagCache[arn] = &tagLookupResult{exists: false} + } + } +} + +// tagsToMap converts AWS tag list to a simple map. +func tagsToMap(tags []tagtypes.Tag) map[string]string { + result := make(map[string]string, len(tags)) + for _, tag := range tags { + result[aws.ToString(tag.Key)] = aws.ToString(tag.Value) + } + return result +} + +// extractResourceName extracts the resource name from an ARN. +func extractResourceName(arn string) string { + // ARN format: arn:partition:service:region:account:resource-type/resource-id. + // or: arn:partition:service:region:account:resource-type:resource-id. + parts := strings.Split(arn, "/") + if len(parts) > 1 { + return parts[len(parts)-1] + } + parts = strings.Split(arn, ":") + if len(parts) > arnMinSegments { + return parts[len(parts)-1] + } + return "" +} + +// extractRegionFromARN extracts the AWS region from an ARN string. +func extractRegionFromARN(arn string) string { + // ARN format: arn:partition:service:region:account:... + parts := strings.Split(arn, ":") + if len(parts) > 3 && parts[3] != "" { + return parts[3] + } + return "us-east-1" +} + +// resolveRegion returns the configured region for AWS API calls. +func (m *dualPathMapper) resolveRegion() string { + if m.atmosConfig != nil && m.atmosConfig.AWS.Security.Region != "" { + return m.atmosConfig.AWS.Security.Region + } + if m.clients != nil && m.clients.authContext != nil && m.clients.authContext.Region != "" { + return m.clients.authContext.Region + } + return "us-east-1" +} + +// resolveAccountName resolves an AWS account ID to a human-readable name. +// Priority: config account_map override → cached API result → Organizations API → empty string. +func (m *dualPathMapper) resolveAccountName(ctx context.Context, accountID string) string { + if accountID == "" { + return "" + } + + // Check config override first. + if m.accountMap != nil { + if name, ok := m.accountMap[accountID]; ok { + return name + } + } + + // Check cache. + if m.accountNameCache != nil { + if name, ok := m.accountNameCache[accountID]; ok { + return name + } + } + + // Try AWS Organizations API. + name := m.lookupAccountName(ctx, accountID) + if m.accountNameCache != nil { + m.accountNameCache[accountID] = name + } + return name +} + +// lookupAccountName calls the AWS Organizations DescribeAccount API to get the account name. +// Returns empty string on any error (non-org accounts, permission issues, etc.). +func (m *dualPathMapper) lookupAccountName(ctx context.Context, accountID string) string { + if m.clients == nil { + return "" + } + + client, err := m.clients.getOrganizationsClient(ctx, m.resolveRegion()) + if err != nil { + log.Debug("Failed to create Organizations client for account lookup", "error", err) + return "" + } + + output, err := client.DescribeAccount(ctx, &organizations.DescribeAccountInput{ + AccountId: aws.String(accountID), + }) + if err != nil { + log.Debug("Failed to look up account name", "account_id", accountID, "error", err) + return "" + } + + if output.Account != nil && output.Account.Name != nil { + log.Debug("Resolved account name from AWS Organizations", "account_id", accountID, "name", *output.Account.Name) + return *output.Account.Name + } + + return "" +} + +// resolveTagMapping returns the tag mapping config with defaults applied. +func resolveTagMapping(atmosConfig *schema.AtmosConfiguration) schema.AWSSecurityTagMapping { + mapping := atmosConfig.AWS.Security.TagMapping + defaults := schema.DefaultAWSSecurityTagMapping() + + if mapping.StackTag == "" { + mapping.StackTag = defaults.StackTag + } + if mapping.ComponentTag == "" { + mapping.ComponentTag = defaults.ComponentTag + } + + return mapping +} diff --git a/pkg/aws/security/component_mapper_test.go b/pkg/aws/security/component_mapper_test.go new file mode 100644 index 0000000000..d6b7503a78 --- /dev/null +++ b/pkg/aws/security/component_mapper_test.go @@ -0,0 +1,1204 @@ +package security + +import ( + "context" + "testing" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi" + tagtypes "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/types" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/cloudposse/atmos/pkg/schema" +) + +// mockTaggingClient implements TaggingAPI for testing. +type mockTaggingClient struct { + resources []tagtypes.ResourceTagMapping + err error +} + +func (m *mockTaggingClient) GetResources(_ context.Context, _ *resourcegroupstaggingapi.GetResourcesInput, _ ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error) { + if m.err != nil { + return nil, m.err + } + return &resourcegroupstaggingapi.GetResourcesOutput{ + ResourceTagMappingList: m.resources, + }, nil +} + +func TestMapByTags_ExactMatch(t *testing.T) { + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + clients: newAWSClientCache(), + tagCache: map[string]*tagLookupResult{ + "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0": { + tags: map[string]string{ + "atmos:stack": "tenant1-ue1-prod", + "atmos:component": "vpc", + }, + exists: true, + }, + }, + } + + finding := &Finding{ + ResourceARN: "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0", + Region: "us-east-1", + } + + mapping, err := mapper.mapByTags(context.Background(), finding) + require.NoError(t, err) + require.NotNil(t, mapping) + assert.True(t, mapping.Mapped) + assert.Equal(t, "tenant1-ue1-prod", mapping.Stack) + assert.Equal(t, "vpc", mapping.Component) + assert.Equal(t, ConfidenceExact, mapping.Confidence) + assert.Equal(t, "tag-api", mapping.Method) +} + +func TestMapByTags_ComponentOnlyNoStack(t *testing.T) { + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + clients: newAWSClientCache(), + tagCache: map[string]*tagLookupResult{ + "arn:aws:s3:::my-bucket": { + tags: map[string]string{ + "atmos:component": "s3-bucket", + }, + exists: true, + }, + }, + } + + finding := &Finding{ + ResourceARN: "arn:aws:s3:::my-bucket", + Region: "us-east-1", + } + + mapping, err := mapper.mapByTags(context.Background(), finding) + require.NoError(t, err) + require.NotNil(t, mapping) + assert.True(t, mapping.Mapped) + assert.Equal(t, "", mapping.Stack) + assert.Equal(t, "s3-bucket", mapping.Component) + assert.Equal(t, ConfidenceExact, mapping.Confidence) +} + +func TestMapByTags_CustomTagKeys(t *testing.T) { + customMapping := schema.AWSSecurityTagMapping{ + StackTag: "mycompany:stack", + ComponentTag: "mycompany:component", + } + + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: customMapping, + clients: newAWSClientCache(), + tagCache: map[string]*tagLookupResult{ + "arn:aws:ec2:us-east-1:123456789012:instance/i-abc": { + tags: map[string]string{ + "mycompany:stack": "prod-us-east-1", + "mycompany:component": "web-server", + }, + exists: true, + }, + }, + } + + finding := &Finding{ + ResourceARN: "arn:aws:ec2:us-east-1:123456789012:instance/i-abc", + Region: "us-east-1", + } + + mapping, err := mapper.mapByTags(context.Background(), finding) + require.NoError(t, err) + require.NotNil(t, mapping) + assert.True(t, mapping.Mapped) + assert.Equal(t, "prod-us-east-1", mapping.Stack) + assert.Equal(t, "web-server", mapping.Component) + assert.Equal(t, ConfidenceExact, mapping.Confidence) + assert.Equal(t, "tag-api", mapping.Method) +} + +func TestMapByTags_NoTags(t *testing.T) { + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + clients: newAWSClientCache(), + tagCache: map[string]*tagLookupResult{ + "arn:aws:ec2:us-east-1:123456789012:instance/i-abc": { + tags: map[string]string{"Name": "my-instance"}, + exists: true, + }, + }, + } + + finding := &Finding{ + ResourceARN: "arn:aws:ec2:us-east-1:123456789012:instance/i-abc", + Region: "us-east-1", + } + + mapping, err := mapper.mapByTags(context.Background(), finding) + require.NoError(t, err) + assert.Nil(t, mapping) +} + +func TestMapByNamingConvention(t *testing.T) { + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + } + + tests := []struct { + name string + arn string + wantComponent string + wantStack string + wantMapped bool + }{ + { + name: "standard naming convention", + arn: "arn:aws:ec2:us-east-1:123456789012:instance/acme-ue1-prod-vpc", + wantComponent: "vpc", + wantStack: "ue1-prod", + wantMapped: true, + }, + { + name: "short name", + arn: "arn:aws:s3:::ab", + wantComponent: "", + wantStack: "", + wantMapped: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + finding := &Finding{ResourceARN: tt.arn} + mapping := mapper.mapByNamingConvention(finding) + if !tt.wantMapped { + assert.Nil(t, mapping) + return + } + require.NotNil(t, mapping) + assert.Equal(t, tt.wantComponent, mapping.Component) + assert.Equal(t, tt.wantStack, mapping.Stack) + assert.Equal(t, ConfidenceLow, mapping.Confidence) + }) + } +} + +func TestMapByResourceType(t *testing.T) { + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + } + + tests := []struct { + name string + resourceType string + wantComponent string + wantMapped bool + }{ + {"S3 bucket", "AwsS3Bucket", "s3-bucket", true}, + {"EC2 instance", "AwsEc2Instance", "ec2-instance", true}, + {"VPC", "AwsEc2Vpc", "vpc", true}, + {"Unknown type", "AwsSomeNewService", "", false}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + finding := &Finding{ResourceType: tt.resourceType} + mapping := mapper.mapByResourceType(context.Background(), finding) + if !tt.wantMapped { + assert.Nil(t, mapping) + return + } + require.NotNil(t, mapping) + assert.Equal(t, tt.wantComponent, mapping.Component) + assert.Equal(t, ConfidenceLow, mapping.Confidence) + }) + } +} + +func TestExtractResourceName(t *testing.T) { + tests := []struct { + arn string + want string + }{ + {"arn:aws:ec2:us-east-1:123456789012:instance/i-12345", "i-12345"}, + {"arn:aws:s3:::my-bucket", "my-bucket"}, + {"arn:aws:iam::123456789012:role/my-role", "my-role"}, + } + + for _, tt := range tests { + t.Run(tt.arn, func(t *testing.T) { + assert.Equal(t, tt.want, extractResourceName(tt.arn)) + }) + } +} + +func TestExtractRegionFromARN(t *testing.T) { + tests := []struct { + arn string + want string + }{ + {"arn:aws:ec2:us-east-1:123456789012:instance/i-12345", "us-east-1"}, + {"arn:aws:s3:::my-bucket", "us-east-1"}, // Global service, no region. + {"arn:aws:iam::123456789012:role/r", "us-east-1"}, // IAM is global. + } + + for _, tt := range tests { + t.Run(tt.arn, func(t *testing.T) { + assert.Equal(t, tt.want, extractRegionFromARN(tt.arn)) + }) + } +} + +func TestMapFinding_TagsThenHeuristicsFallback(t *testing.T) { + tests := []struct { + name string + finding Finding + tagCache map[string]*tagLookupResult + wantMapped bool + wantMethod string + wantConfidence MappingConfidence + wantComponent string + }{ + { + name: "mapped via tags (Path A)", + finding: Finding{ + ResourceARN: "arn:aws:ec2:us-east-1:123:instance/i-abc", + Region: "us-east-1", + ResourceType: "AwsEc2Instance", + }, + tagCache: map[string]*tagLookupResult{ + "arn:aws:ec2:us-east-1:123:instance/i-abc": { + tags: map[string]string{"atmos:stack": "prod-ue1", "atmos:component": "vpc"}, + exists: true, + }, + }, + wantMapped: true, + wantMethod: "tag-api", + wantConfidence: ConfidenceExact, + wantComponent: "vpc", + }, + { + name: "falls back to naming convention (Path B)", + finding: Finding{ + ResourceARN: "arn:aws:ec2:us-east-1:123:instance/acme-ue1-prod-alb", + Region: "us-east-1", + ResourceType: "AwsElbv2LoadBalancer", + }, + tagCache: map[string]*tagLookupResult{ + "arn:aws:ec2:us-east-1:123:instance/acme-ue1-prod-alb": { + tags: map[string]string{"Name": "acme-ue1-prod-alb"}, + exists: true, + }, + }, + wantMapped: true, + wantMethod: "naming-convention", + wantConfidence: ConfidenceLow, + wantComponent: "alb", + }, + { + name: "falls back to resource type (Path B)", + finding: Finding{ + ResourceARN: "arn:aws:s3:::my-bucket", + Region: "us-east-1", + ResourceType: "AwsS3Bucket", + }, + tagCache: map[string]*tagLookupResult{ + "arn:aws:s3:::my-bucket": {exists: false}, + }, + wantMapped: true, + wantMethod: "resource-type", + wantConfidence: ConfidenceLow, + wantComponent: "s3-bucket", + }, + { + name: "unmatched - no tags no naming no resource type", + finding: Finding{ + ResourceARN: "arn:aws:custom:us-east-1:123:thing/x", + Region: "us-east-1", + ResourceType: "AwsSomeUnknownService", + }, + tagCache: map[string]*tagLookupResult{ + "arn:aws:custom:us-east-1:123:thing/x": {exists: false}, + }, + wantMapped: false, + wantMethod: "unmatched", + wantConfidence: ConfidenceNone, + wantComponent: "", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + clients: newAWSClientCache(), + tagCache: tt.tagCache, + } + + mapping, err := mapper.MapFinding(context.Background(), &tt.finding) + require.NoError(t, err) + require.NotNil(t, mapping) + assert.Equal(t, tt.wantMapped, mapping.Mapped) + assert.Equal(t, tt.wantMethod, mapping.Method) + assert.Equal(t, tt.wantConfidence, mapping.Confidence) + if tt.wantComponent != "" { + assert.Equal(t, tt.wantComponent, mapping.Component) + } + }) + } +} + +func TestMapFindings_Batch(t *testing.T) { + mockClient := &mockTaggingClient{ + resources: []tagtypes.ResourceTagMapping{ + { + ResourceARN: aws.String("arn:aws:ec2:us-east-1:123:instance/acme-ue1-prod-vpc"), + Tags: []tagtypes.Tag{ + {Key: aws.String("atmos:stack"), Value: aws.String("prod-ue1")}, + {Key: aws.String("atmos:component"), Value: aws.String("vpc")}, + }, + }, + }, + } + + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + clients: newAWSClientCache(), + tagCache: make(map[string]*tagLookupResult), + } + // Set mock client so batch fetch populates cache correctly. + mapper.clients.tagging["us-east-1"] = mockClient + + findings := []Finding{ + { + ResourceARN: "arn:aws:ec2:us-east-1:123:instance/acme-ue1-prod-vpc", + Region: "us-east-1", + ResourceType: "AwsEc2Instance", + }, + { + ResourceARN: "arn:aws:s3:::plain-bucket", + Region: "us-east-1", + ResourceType: "AwsS3Bucket", + }, + { + ResourceARN: "", + ResourceType: "AwsSomeUnknownService", + }, + } + + result, err := mapper.MapFindings(context.Background(), findings) + require.NoError(t, err) + require.Len(t, result, 3) + + // First finding: mapped via tags. + require.NotNil(t, result[0].Mapping) + assert.True(t, result[0].Mapping.Mapped) + assert.Equal(t, "tag-api", result[0].Mapping.Method) + + // Second finding: no tags, falls to resource type. + require.NotNil(t, result[1].Mapping) + assert.True(t, result[1].Mapping.Mapped) + assert.Equal(t, "resource-type", result[1].Mapping.Method) + assert.Equal(t, "s3-bucket", result[1].Mapping.Component) + + // Third finding: empty ARN and unknown type → unmatched. + require.NotNil(t, result[2].Mapping) + assert.False(t, result[2].Mapping.Mapped) + assert.Equal(t, "unmatched", result[2].Mapping.Method) +} + +func TestMapByHeuristics(t *testing.T) { + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + } + + tests := []struct { + name string + finding Finding + wantMapped bool + wantMethod string + wantConfidence MappingConfidence + }{ + { + name: "naming convention match", + finding: Finding{ + ResourceARN: "arn:aws:ec2:us-east-1:123:instance/acme-ue1-prod-eks", + ResourceType: "AwsEc2Instance", + }, + wantMapped: true, + wantMethod: "naming-convention", + wantConfidence: ConfidenceLow, + }, + { + name: "resource type match when naming fails", + finding: Finding{ + ResourceARN: "arn:aws:ec2:us-east-1:123:instance/i-12345", + ResourceType: "AwsEksCluster", + }, + wantMapped: true, + wantMethod: "resource-type", + wantConfidence: ConfidenceLow, + }, + { + name: "unmatched - no naming and unknown type", + finding: Finding{ + ResourceARN: "arn:aws:custom:us-east-1:123:thing/x", + ResourceType: "AwsUnknownThing", + }, + wantMapped: false, + wantMethod: "unmatched", + wantConfidence: ConfidenceNone, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + mapping, err := mapper.mapByHeuristics(context.Background(), &tt.finding) + require.NoError(t, err) + require.NotNil(t, mapping) + assert.Equal(t, tt.wantMapped, mapping.Mapped) + assert.Equal(t, tt.wantMethod, mapping.Method) + assert.Equal(t, tt.wantConfidence, mapping.Confidence) + }) + } +} + +func TestGetResourceTags(t *testing.T) { + tests := []struct { + name string + arn string + region string + tagCache map[string]*tagLookupResult + mockTags []tagtypes.ResourceTagMapping + mockErr error + wantTags map[string]string + wantErr bool + }{ + { + name: "cache hit with tags", + arn: "arn:aws:ec2:us-east-1:123:instance/i-abc", + region: "us-east-1", + tagCache: map[string]*tagLookupResult{ + "arn:aws:ec2:us-east-1:123:instance/i-abc": { + tags: map[string]string{"atmos:stack": "prod"}, + exists: true, + }, + }, + wantTags: map[string]string{"atmos:stack": "prod"}, + }, + { + name: "cache hit with no resource", + arn: "arn:aws:ec2:us-east-1:123:instance/i-gone", + region: "us-east-1", + tagCache: map[string]*tagLookupResult{ + "arn:aws:ec2:us-east-1:123:instance/i-gone": {exists: false}, + }, + wantTags: nil, + }, + { + name: "cache miss - API returns tags", + arn: "arn:aws:ec2:us-east-1:123:instance/i-new", + region: "us-east-1", + tagCache: map[string]*tagLookupResult{}, + mockTags: []tagtypes.ResourceTagMapping{ + { + ResourceARN: aws.String("arn:aws:ec2:us-east-1:123:instance/i-new"), + Tags: []tagtypes.Tag{ + {Key: aws.String("atmos:component"), Value: aws.String("vpc")}, + }, + }, + }, + wantTags: map[string]string{"atmos:component": "vpc"}, + }, + { + name: "cache miss - API returns empty", + arn: "arn:aws:ec2:us-east-1:123:instance/i-empty", + region: "us-east-1", + tagCache: map[string]*tagLookupResult{}, + mockTags: []tagtypes.ResourceTagMapping{}, + wantTags: nil, + }, + { + name: "cache miss - API error", + arn: "arn:aws:ec2:us-east-1:123:instance/i-err", + region: "us-east-1", + tagCache: map[string]*tagLookupResult{}, + mockErr: assert.AnError, + wantErr: true, + }, + { + name: "empty region defaults to us-east-1", + arn: "arn:aws:ec2:us-east-1:123:instance/i-noreg", + region: "", + tagCache: map[string]*tagLookupResult{}, + mockTags: []tagtypes.ResourceTagMapping{ + { + ResourceARN: aws.String("arn:aws:ec2:us-east-1:123:instance/i-noreg"), + Tags: []tagtypes.Tag{ + {Key: aws.String("env"), Value: aws.String("prod")}, + }, + }, + }, + wantTags: map[string]string{"env": "prod"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + mock := &mockTaggingClient{ + resources: tt.mockTags, + err: tt.mockErr, + } + + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + clients: newAWSClientCache(), + tagCache: tt.tagCache, + } + // Pre-populate the client for the resolved region. + resolvedRegion := tt.region + if resolvedRegion == "" { + resolvedRegion = "us-east-1" + } + mapper.clients.tagging[resolvedRegion] = mock + + tags, err := mapper.getResourceTags(context.Background(), tt.arn, tt.region) + if tt.wantErr { + require.Error(t, err) + return + } + require.NoError(t, err) + if tt.wantTags == nil { + assert.Nil(t, tags) + } else { + assert.Equal(t, tt.wantTags, tags) + } + }) + } +} + +func TestResolveTagMapping(t *testing.T) { + tests := []struct { + name string + config schema.AtmosConfiguration + wantTag string // Check ComponentTag as representative. + }{ + { + name: "all defaults when empty", + config: schema.AtmosConfiguration{}, + wantTag: "atmos:component", + }, + { + name: "custom overrides", + config: schema.AtmosConfiguration{ + AWS: schema.AWSSettings{ + Security: schema.AWSSecuritySettings{ + TagMapping: schema.AWSSecurityTagMapping{ + ComponentTag: "custom:component", + StackTag: "custom:stack", + }, + }, + }, + }, + wantTag: "custom:component", + }, + { + name: "partial override fills remaining defaults", + config: schema.AtmosConfiguration{ + AWS: schema.AWSSettings{ + Security: schema.AWSSecuritySettings{ + TagMapping: schema.AWSSecurityTagMapping{ + StackTag: "my:stack", + }, + }, + }, + }, + wantTag: "atmos:component", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := resolveTagMapping(&tt.config) + assert.Equal(t, tt.wantTag, result.ComponentTag) + // Verify both fields are filled. + assert.NotEmpty(t, result.StackTag) + assert.NotEmpty(t, result.ComponentTag) + }) + } +} + +func TestBatchFetchTags(t *testing.T) { + mockClient := &mockTaggingClient{ + resources: []tagtypes.ResourceTagMapping{ + { + ResourceARN: aws.String("arn:aws:ec2:us-east-1:123:instance/i-abc"), + Tags: []tagtypes.Tag{ + {Key: aws.String("atmos:stack"), Value: aws.String("prod-ue1")}, + {Key: aws.String("atmos:component"), Value: aws.String("vpc")}, + }, + }, + }, + } + + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + clients: newAWSClientCache(), + tagCache: make(map[string]*tagLookupResult), + } + + // Override tagging client factory to return mock. + mapper.clients.taggingFn = func(_ aws.Config) TaggingAPI { + return mockClient + } + // Pre-populate cache to avoid actual AWS call for client creation. + mapper.clients.tagging["us-east-1"] = mockClient + + arns := []string{ + "arn:aws:ec2:us-east-1:123:instance/i-abc", + "arn:aws:ec2:us-east-1:123:instance/i-def", + } + + err := mapper.batchFetchTags(context.Background(), arns) + require.NoError(t, err) + + // First ARN should have tags. + result, ok := mapper.tagCache["arn:aws:ec2:us-east-1:123:instance/i-abc"] + assert.True(t, ok) + assert.True(t, result.exists) + assert.Equal(t, "prod-ue1", result.tags["atmos:stack"]) + + // Second ARN should be marked as non-existent. + result, ok = mapper.tagCache["arn:aws:ec2:us-east-1:123:instance/i-def"] + assert.True(t, ok) + assert.False(t, result.exists) +} + +func TestMapByTags_FindingEmbeddedTags(t *testing.T) { + // When the finding has ResourceTags, use them directly (no API call). + atmosConfig := &schema.AtmosConfiguration{ + AWS: schema.AWSSettings{ + Security: schema.AWSSecuritySettings{ + TagMapping: schema.AWSSecurityTagMapping{ + StackTag: "atmos_stack", + ComponentTag: "atmos_component", + }, + }, + }, + } + + mapper := NewComponentMapper(atmosConfig, nil) + + finding := &Finding{ + ID: "embedded-tag-001", + ResourceARN: "arn:aws:s3:::my-bucket", + ResourceTags: map[string]string{ + "atmos_stack": "plat-use2-prod", + "atmos_component": "s3-bucket", + "Environment": "production", + }, + } + + mapping, err := mapper.MapFinding(context.Background(), finding) + require.NoError(t, err) + require.NotNil(t, mapping) + assert.True(t, mapping.Mapped) + assert.Equal(t, "plat-use2-prod", mapping.Stack) + assert.Equal(t, "s3-bucket", mapping.Component) + assert.Equal(t, ConfidenceExact, mapping.Confidence) + assert.Equal(t, "finding-tag", mapping.Method) +} + +func TestMapByTags_FindingTagsFallbackToHeuristics(t *testing.T) { + // When finding has no ResourceTags and no Tagging API, falls through to heuristics. + finding := &Finding{ + ID: "no-tag-001", + ResourceARN: "arn:aws:s3:::my-bucket", + ResourceType: "AwsS3Bucket", + ResourceTags: nil, // No embedded tags. + } + + atmosConfig := &schema.AtmosConfiguration{} + mapper := NewComponentMapper(atmosConfig, nil) + + mapping, err := mapper.MapFinding(context.Background(), finding) + require.NoError(t, err) + require.NotNil(t, mapping) + // Without tags, should fall through to a heuristic method. + assert.NotEqual(t, "finding-tag", mapping.Method) + assert.NotEqual(t, "tag-api", mapping.Method) + // The resource-type mapper should produce a component name from AwsS3Bucket. + if mapping.Mapped { + assert.NotEmpty(t, mapping.Component) + assert.Equal(t, ConfidenceLow, mapping.Confidence) + } +} + +func TestMapByContextTags(t *testing.T) { + atmosConfig := &schema.AtmosConfiguration{} + m := NewComponentMapper(atmosConfig, nil).(*dualPathMapper) + + tests := []struct { + name string + finding *Finding + wantComponent string + wantStack string + wantMapped bool + }{ + { + name: "full context tags", + finding: &Finding{ + ResourceTags: map[string]string{ + "Name": "ins-plat-use2-dev-example-static-app-origin", + "Namespace": "ins", + "Tenant": "plat", + "Environment": "use2", + "Stage": "dev", + }, + }, + wantComponent: "example-static-app-origin", + wantStack: "plat-use2-dev", + wantMapped: true, + }, + { + name: "no namespace", + finding: &Finding{ + ResourceTags: map[string]string{ + "Name": "plat-use2-prod-vpc", + "Tenant": "plat", + "Environment": "use2", + "Stage": "prod", + }, + }, + wantComponent: "vpc", + wantStack: "plat-use2-prod", + wantMapped: true, + }, + { + name: "no environment", + finding: &Finding{ + ResourceTags: map[string]string{ + "Name": "ins-core-security-guardduty", + "Namespace": "ins", + "Tenant": "core", + "Stage": "security", + }, + }, + wantComponent: "guardduty", + wantStack: "core-security", + wantMapped: true, + }, + { + name: "ecs task definition with version", + finding: &Finding{ + ResourceTags: map[string]string{ + "Name": "ins-plat-use2-prod-app", + "Namespace": "ins", + "Tenant": "plat", + "Environment": "use2", + "Stage": "prod", + }, + }, + wantComponent: "app", + wantStack: "plat-use2-prod", + wantMapped: true, + }, + { + name: "no tags", + finding: &Finding{ + ResourceTags: nil, + }, + wantMapped: false, + }, + { + name: "missing tenant", + finding: &Finding{ + ResourceTags: map[string]string{ + "Name": "something", + "Stage": "dev", + }, + }, + wantMapped: false, + }, + { + name: "name doesn't match prefix", + finding: &Finding{ + ResourceTags: map[string]string{ + "Name": "unrelated-resource-name", + "Namespace": "ins", + "Tenant": "plat", + "Environment": "use2", + "Stage": "dev", + }, + }, + wantMapped: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + mapping := m.mapByContextTags(tt.finding) + if !tt.wantMapped { + if mapping != nil { + assert.False(t, mapping.Mapped) + } + return + } + require.NotNil(t, mapping) + assert.True(t, mapping.Mapped) + assert.Equal(t, tt.wantComponent, mapping.Component) + assert.Equal(t, tt.wantStack, mapping.Stack) + assert.Equal(t, ConfidenceHigh, mapping.Confidence) + assert.Equal(t, "context-tags", mapping.Method) + }) + } +} + +func TestMapByAccountID(t *testing.T) { + atmosConfig := &schema.AtmosConfiguration{ + AWS: schema.AWSSettings{ + Security: schema.AWSSecuritySettings{ + AccountMap: map[string]string{ + "452379801773": "plat-prod", + "344349181611": "plat-dev", + }, + }, + }, + } + m := NewComponentMapper(atmosConfig, nil).(*dualPathMapper) + + t.Run("account-level finding with known account", func(t *testing.T) { + finding := &Finding{ + ResourceARN: "AWS::::Account:452379801773", + AccountID: "452379801773", + } + mapping := m.mapByAccountID(context.Background(), finding) + require.NotNil(t, mapping) + assert.True(t, mapping.Mapped) + assert.Equal(t, "plat-prod", mapping.Stack) + assert.Equal(t, "account", mapping.Component) + assert.Equal(t, "account-map", mapping.Method) + }) + + t.Run("account-level finding with unknown account", func(t *testing.T) { + finding := &Finding{ + ResourceARN: "AWS::::Account:999999999999", + AccountID: "999999999999", + } + mapping := m.mapByAccountID(context.Background(), finding) + require.NotNil(t, mapping) + assert.False(t, mapping.Mapped) + assert.Equal(t, "999999999999", mapping.Stack) + assert.Equal(t, "account-level", mapping.Method) + }) + + t.Run("non-account finding returns nil", func(t *testing.T) { + finding := &Finding{ + ResourceARN: "arn:aws:s3:::my-bucket", + } + mapping := m.mapByAccountID(context.Background(), finding) + assert.Nil(t, mapping) + }) +} + +func TestMapByECRRepo(t *testing.T) { + atmosConfig := &schema.AtmosConfiguration{ + AWS: schema.AWSSettings{ + Security: schema.AWSSecuritySettings{ + AccountMap: map[string]string{ + "982674173972": "core-artifacts", + "101071483060": "core-auto", + }, + }, + }, + } + m := NewComponentMapper(atmosConfig, nil).(*dualPathMapper) + + t.Run("ECR with sha256 and account map", func(t *testing.T) { + finding := &Finding{ + ResourceARN: "arn:aws:ecr:us-east-2:982674173972:repository/inspatial/example-app-on-ecs/sha256:abc123", + AccountID: "982674173972", + } + mapping := m.mapByECRRepo(context.Background(), finding) + require.NotNil(t, mapping) + assert.True(t, mapping.Mapped) + assert.Equal(t, "example-app-on-ecs", mapping.Component) + assert.Equal(t, "core-artifacts", mapping.Stack) + assert.Equal(t, "ecr-repo", mapping.Method) + }) + + t.Run("ECR without account map", func(t *testing.T) { + finding := &Finding{ + ResourceARN: "arn:aws:ecr:us-east-2:999:repository/myorg/myapp", + AccountID: "999", + } + mapping := m.mapByECRRepo(context.Background(), finding) + require.NotNil(t, mapping) + assert.Equal(t, "myapp", mapping.Component) + assert.Empty(t, mapping.Stack) // Unknown account. + }) + + t.Run("non-ECR resource returns nil", func(t *testing.T) { + finding := &Finding{ + ResourceARN: "arn:aws:s3:::my-bucket", + } + mapping := m.mapByECRRepo(context.Background(), finding) + assert.Nil(t, mapping) + }) +} + +func TestGroupByTitle(t *testing.T) { + findings := []Finding{ + {Title: "AWS Config should be enabled", AccountID: "111"}, + {Title: "AWS Config should be enabled", AccountID: "222"}, + {Title: "AWS Config should be enabled", AccountID: "333"}, + {Title: "S3 bucket public", AccountID: "111"}, + {Title: "S3 bucket public", AccountID: "222"}, + } + groups := groupByTitle(findings) + require.Len(t, groups, 2) + assert.Len(t, groups[0], 3) + assert.Equal(t, "AWS Config should be enabled", groups[0][0].Title) + assert.Len(t, groups[1], 2) + assert.Equal(t, "S3 bucket public", groups[1][0].Title) +} + +func TestGroupByTitle_NoDuplicates(t *testing.T) { + findings := []Finding{ + {Title: "A"}, + {Title: "B"}, + {Title: "C"}, + } + groups := groupByTitle(findings) + require.Len(t, groups, 3) + + gotTitles := make([]string, 0, len(groups)) + for _, group := range groups { + require.Len(t, group, 1) + gotTitles = append(gotTitles, group[0].Title) + } + assert.ElementsMatch(t, []string{"A", "B", "C"}, gotTitles) +} + +func TestMapByAccountID_EmptyAccountID(t *testing.T) { + // When the resource ARN has "AWS::::Account:" but the extracted ID is empty. + m := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + accountMap: map[string]string{"123": "prod"}, + } + finding := &Finding{ + ResourceARN: "AWS::::Account:", + } + mapping := m.mapByAccountID(context.Background(), finding) + assert.Nil(t, mapping, "empty account ID should return nil") +} + +func TestMapByAccountID_FallbackToFindingAccountID(t *testing.T) { + // When the ARN account ID doesn't match but finding.AccountID does. + m := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + accountMap: map[string]string{"999": "special-account"}, + } + finding := &Finding{ + ResourceARN: "AWS::::Account:888", // 888 not in map. + AccountID: "999", // 999 is in map. + } + mapping := m.mapByAccountID(context.Background(), finding) + require.NotNil(t, mapping) + assert.True(t, mapping.Mapped) + assert.Equal(t, "special-account", mapping.Stack) + assert.Equal(t, "account", mapping.Component) + assert.Equal(t, "account-map", mapping.Method) +} + +func TestMapByAccountID_NilAccountMap(t *testing.T) { + // When accountMap is nil, should return unmapped for account-level findings. + m := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + accountMap: nil, + } + finding := &Finding{ + ResourceARN: "AWS::::Account:123456", + AccountID: "123456", + } + mapping := m.mapByAccountID(context.Background(), finding) + require.NotNil(t, mapping) + assert.False(t, mapping.Mapped) + assert.Equal(t, "123456", mapping.Stack) + assert.Equal(t, "account-level", mapping.Method) +} + +func TestMapByECRRepo_EmptyComponent(t *testing.T) { + // When the repo path ends with /, the component would be empty. + m := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + } + finding := &Finding{ + ResourceARN: "arn:aws:ecr:us-east-1:123:repository/", + } + mapping := m.mapByECRRepo(context.Background(), finding) + assert.Nil(t, mapping, "empty component from ECR path should return nil") +} + +func TestMapByNamingConvention_EmptyARN(t *testing.T) { + // Empty ARN should return nil. + m := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + } + finding := &Finding{ResourceARN: ""} + mapping := m.mapByNamingConvention(finding) + assert.Nil(t, mapping) +} + +func TestMapByResourceType_WithAccountMap(t *testing.T) { + // Resource type mapping should resolve stack from account map. + m := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + accountMap: map[string]string{"111222333444": "plat-prod"}, + } + finding := &Finding{ + ResourceType: "AwsEc2Vpc", + AccountID: "111222333444", + } + mapping := m.mapByResourceType(context.Background(), finding) + require.NotNil(t, mapping) + assert.True(t, mapping.Mapped) + assert.Equal(t, "vpc", mapping.Component) + assert.Equal(t, "plat-prod", mapping.Stack) + assert.Equal(t, "resource-type", mapping.Method) +} + +func TestMapByResourceType_NoAccountMap(t *testing.T) { + // When accountMap is nil, stack should be empty. + m := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + accountMap: nil, + } + finding := &Finding{ + ResourceType: "AwsS3Bucket", + AccountID: "123", + } + mapping := m.mapByResourceType(context.Background(), finding) + require.NotNil(t, mapping) + assert.True(t, mapping.Mapped) + assert.Equal(t, "s3-bucket", mapping.Component) + assert.Empty(t, mapping.Stack) +} + +func TestMapByContextTags_EmptyComponentAfterPrefix(t *testing.T) { + // When the name exactly equals the prefix (no remaining component), should return nil. + m := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + } + finding := &Finding{ + ResourceTags: map[string]string{ + "Name": "plat-use2-prod-", + "Tenant": "plat", + "Environment": "use2", + "Stage": "prod", + }, + } + // The prefix would be "plat-use2-prod-", and stripping it leaves empty string. + mapping := m.mapByContextTags(finding) + assert.Nil(t, mapping, "empty component after prefix strip should return nil") +} + +func TestMapByContextTags_MissingStage(t *testing.T) { + // Without Stage, should return nil. + m := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + } + finding := &Finding{ + ResourceTags: map[string]string{ + "Name": "something", + "Tenant": "plat", + }, + } + mapping := m.mapByContextTags(finding) + assert.Nil(t, mapping) +} + +func TestMapByTags_EmptyARN(t *testing.T) { + // Empty ARN should return nil without error. + mapper := &dualPathMapper{ + atmosConfig: &schema.AtmosConfiguration{}, + tagMapping: schema.DefaultAWSSecurityTagMapping(), + clients: newAWSClientCache(), + tagCache: map[string]*tagLookupResult{}, + } + finding := &Finding{ResourceARN: ""} + mapping, err := mapper.mapByTags(context.Background(), finding) + require.NoError(t, err) + assert.Nil(t, mapping) +} + +func TestMatchTags_BothEmpty(t *testing.T) { + // When tags are present but neither stack nor component tag exists. + mapper := &dualPathMapper{ + tagMapping: schema.AWSSecurityTagMapping{ + StackTag: "atmos:stack", + ComponentTag: "atmos:component", + }, + } + result := mapper.matchTags(map[string]string{"Name": "test", "Env": "prod"}, "test-method") + assert.Nil(t, result, "should return nil when neither stack nor component tag found") +} + +func TestMatchTags_StackOnlyNoComponent(t *testing.T) { + // When only stack tag is present, Mapped should be false (component is empty). + mapper := &dualPathMapper{ + tagMapping: schema.AWSSecurityTagMapping{ + StackTag: "atmos:stack", + ComponentTag: "atmos:component", + }, + } + result := mapper.matchTags(map[string]string{"atmos:stack": "prod-ue1"}, "test-method") + require.NotNil(t, result) + assert.False(t, result.Mapped, "mapped should be false when component is empty") + assert.Equal(t, "prod-ue1", result.Stack) + assert.Empty(t, result.Component) +} + +func TestExtractResourceName_ColonSeparated(t *testing.T) { + // Resource name extracted from colon-separated ARN (no slash). + name := extractResourceName("arn:aws:iam::123456789012:user:my-user") + assert.Equal(t, "my-user", name) +} + +func TestExtractResourceName_ShortARN(t *testing.T) { + // ARN with too few segments should return empty. + name := extractResourceName("arn:aws:s3") + assert.Equal(t, "", name) +} + +func TestTruncateMiddle(t *testing.T) { + assert.Equal(t, "short", truncateMiddle("short")) + long := "arn:aws:ecr:us-east-2:982674173972:repository/inspatial/example-app-on-ecs/sha256:876f27531c79965bc6e3a5492e2ccdd3ca4532b0ebef80f2b5c2063e2db712c7" + truncated := truncateMiddle(long) + assert.LessOrEqual(t, len(truncated), maxARNDisplayLen) + assert.Contains(t, truncated, "...") +} diff --git a/pkg/aws/security/finding_fetcher.go b/pkg/aws/security/finding_fetcher.go new file mode 100644 index 0000000000..b62fb1765a --- /dev/null +++ b/pkg/aws/security/finding_fetcher.go @@ -0,0 +1,605 @@ +package security + +import ( + "context" + "fmt" + "strings" + "time" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/securityhub" + shtypes "github.com/aws/aws-sdk-go-v2/service/securityhub/types" + + errUtils "github.com/cloudposse/atmos/errors" + log "github.com/cloudposse/atmos/pkg/logger" + "github.com/cloudposse/atmos/pkg/perf" + "github.com/cloudposse/atmos/pkg/schema" +) + +// FindingFetcher retrieves security findings from AWS security services. +type FindingFetcher interface { + // FetchFindings retrieves findings matching the given options. + FetchFindings(ctx context.Context, opts *QueryOptions) ([]Finding, error) + + // FetchComplianceStatus retrieves compliance status for a specific framework. + FetchComplianceStatus(ctx context.Context, framework string, stack string) (*ComplianceReport, error) +} + +// NewFindingFetcher creates a FindingFetcher based on the configured security sources. +// If authCtx is non-nil, AWS clients will use Atmos Auth credentials. +func NewFindingFetcher(atmosConfig *schema.AtmosConfiguration, authCtx *schema.AWSAuthContext) FindingFetcher { + defer perf.Track(nil, "security.NewFindingFetcher")() + + clients := newAWSClientCache() + if authCtx != nil { + clients.WithAuthContext(authCtx) + } + + return &awsFindingFetcher{ + atmosConfig: atmosConfig, + clients: clients, + cache: NewFindingsCache(), + } +} + +// Security fetcher constants. +const ( + securityHubPageSize = 100 // Max findings per Security Hub GetFindings API call. + complianceMaxFindings = 200 // Default max findings for compliance status. + percentMultiplier = 100 // Ratio-to-percentage multiplier. + arnMinSegments = 5 // Min colon-separated segments in an ARN. +) + +// awsFindingFetcher implements FindingFetcher using AWS security services. +type awsFindingFetcher struct { + atmosConfig *schema.AtmosConfiguration + clients *awsClientCache + cache *findingsCache +} + +// FetchFindings retrieves security findings from Security Hub with the given filters. +// Results are cached by query options to reduce redundant AWS API calls. +func (f *awsFindingFetcher) FetchFindings(ctx context.Context, opts *QueryOptions) ([]Finding, error) { + defer perf.Track(nil, "security.awsFindingFetcher.FetchFindings")() + + // Check cache first. + if cached, hit := f.cache.GetFindings(opts); hit { + log.Debug("Returning cached Security Hub findings", "count", len(cached)) + return cached, nil + } + + region := f.resolveRegion(opts.Region) + + client, err := f.clients.getSecurityHubClient(ctx, region) + if err != nil { + return nil, fmt.Errorf("%w: %w", errUtils.ErrAWSSecurityFetchFailed, err) + } + + filters := f.buildFindingFilters(opts) + + log.Debug("Fetching Security Hub findings", + "region", region, + "severity", opts.Severity, + "source", opts.Source, + "max_findings", opts.MaxFindings, + ) + + allFindings, err := f.paginateFindings(ctx, client, filters, opts.MaxFindings) + if err != nil { + return nil, wrapAWSServiceError("GetFindings", err) + } + + log.Debug("Fetched Security Hub findings", "count", len(allFindings)) + + // Store results in cache. + f.cache.SetFindings(opts, allFindings) + + return allFindings, nil +} + +// paginateFindings handles paginated retrieval of findings from Security Hub. +func (f *awsFindingFetcher) paginateFindings( + ctx context.Context, + client SecurityHubAPI, + filters *shtypes.AwsSecurityFindingFilters, + maxFindings int, +) ([]Finding, error) { + pageSize := resolvePageSize(maxFindings) + + var allFindings []Finding + var nextToken *string + + for { + output, err := client.GetFindings(ctx, &securityhub.GetFindingsInput{ + Filters: filters, + MaxResults: aws.Int32(pageSize), + NextToken: nextToken, + }) + if err != nil { + return nil, fmt.Errorf("%w: %w", errUtils.ErrAWSSecurityFetchFailed, err) + } + + for i := range output.Findings { + allFindings = append(allFindings, normalizeSecurityHubFinding(&output.Findings[i])) + } + + if output.NextToken == nil || reachedLimit(allFindings, maxFindings) { + break + } + nextToken = output.NextToken + } + + return trimToLimit(allFindings, maxFindings), nil +} + +// resolvePageSize returns the appropriate page size for Security Hub queries. +func resolvePageSize(maxFindings int) int32 { + pageSize := int32(securityHubPageSize) + if maxFindings > 0 && maxFindings < securityHubPageSize { + pageSize = int32(min(maxFindings, securityHubPageSize)) + } + return pageSize +} + +// reachedLimit checks if enough findings have been collected. +func reachedLimit(findings []Finding, maxFindings int) bool { + return maxFindings > 0 && len(findings) >= maxFindings +} + +// trimToLimit trims findings to the max limit if exceeded. +func trimToLimit(findings []Finding, maxFindings int) []Finding { + if maxFindings > 0 && len(findings) > maxFindings { + return findings[:maxFindings] + } + return findings +} + +// FetchComplianceStatus retrieves compliance status for a specific framework from Security Hub. +// Results are cached by framework and stack to reduce redundant AWS API calls. +func (f *awsFindingFetcher) FetchComplianceStatus(ctx context.Context, framework string, stack string) (*ComplianceReport, error) { + defer perf.Track(nil, "security.awsFindingFetcher.FetchComplianceStatus")() + + // Check cache first. + if cached, hit := f.cache.GetCompliance(framework, stack); hit { + log.Debug("Returning cached compliance report", "framework", framework, "stack", stack) + return cached, nil + } + + region := f.resolveRegion("") + + client, err := f.clients.getSecurityHubClient(ctx, region) + if err != nil { + return nil, fmt.Errorf("%w: %w", errUtils.ErrAWSSecurityFetchFailed, err) + } + + // Find the enabled standard ARN matching the framework. + standardARN, title, err := f.resolveFrameworkStandard(ctx, client, framework) + if err != nil { + return nil, err + } + if standardARN == "" { + return nil, nil + } + + // Fetch findings for this framework's compliance standard. + opts := QueryOptions{ + Framework: framework, + MaxFindings: complianceMaxFindings, + Severity: []Severity{SeverityCritical, SeverityHigh, SeverityMedium, SeverityLow, SeverityInformational}, + } + if stack != "" { + opts.Stack = stack + } + + findings, err := f.FetchFindings(ctx, &opts) + if err != nil { + return nil, err + } + + // Count total controls for this standard to compute accurate compliance score. + totalControls, err := f.countTotalControls(ctx, client, standardARN) + if err != nil { + log.Debug("Failed to count total controls, falling back to failing count", "error", err) + totalControls = 0 + } + + // Build compliance report from findings. + report := buildComplianceReport(findings, framework, title, stack, totalControls) + + // Store report in cache. + f.cache.SetCompliance(framework, stack, report) + + return report, nil +} + +// resolveRegion returns the region to use, falling back to config and then a default. +func (f *awsFindingFetcher) resolveRegion(override string) string { + if override != "" { + return override + } + // Fall back to config region, then auth context region, then default. + if f.atmosConfig.AWS.Security.Region != "" { + return f.atmosConfig.AWS.Security.Region + } + if f.clients != nil && f.clients.authContext != nil && f.clients.authContext.Region != "" { + return f.clients.authContext.Region + } + return "us-east-1" +} + +// buildFindingFilters constructs Security Hub finding filters from query options. +func (f *awsFindingFetcher) buildFindingFilters(opts *QueryOptions) *shtypes.AwsSecurityFindingFilters { + filters := &shtypes.AwsSecurityFindingFilters{ + // Only active findings (not archived/suppressed). + WorkflowStatus: []shtypes.StringFilter{ + { + Value: aws.String(string(shtypes.WorkflowStatusNew)), + Comparison: shtypes.StringFilterComparisonEquals, + }, + { + Value: aws.String(string(shtypes.WorkflowStatusNotified)), + Comparison: shtypes.StringFilterComparisonEquals, + }, + }, + RecordState: []shtypes.StringFilter{ + { + Value: aws.String(string(shtypes.RecordStateActive)), + Comparison: shtypes.StringFilterComparisonEquals, + }, + }, + } + + // Severity filter. + if len(opts.Severity) > 0 { + for _, sev := range opts.Severity { + filters.SeverityLabel = append(filters.SeverityLabel, shtypes.StringFilter{ + Value: aws.String(string(sev)), + Comparison: shtypes.StringFilterComparisonEquals, + }) + } + } + + // Source filter — map Source enum to product ARN prefixes. + if opts.Source != "" && opts.Source != SourceAll { + productFilters := sourceToProductFilters(opts.Source) + filters.ProductName = productFilters + } + + // Framework filter — use compliance standard. + // Security Hub standard IDs include a type prefix like "ruleset/" or "standards/" + // (e.g., "ruleset/cis-aws-foundations-benchmark/v/1.2.0"). We use PREFIX matching + // with the full path including the type prefix. + if opts.Framework != "" { + standardIDs := frameworkToStandardIDs(opts.Framework) + for _, id := range standardIDs { + filters.ComplianceAssociatedStandardsId = append( + filters.ComplianceAssociatedStandardsId, + shtypes.StringFilter{ + Value: aws.String(id), + Comparison: shtypes.StringFilterComparisonPrefix, + }, + ) + } + } + + return filters +} + +// resolveFrameworkStandard finds the enabled Security Hub standard matching a framework name. +func (f *awsFindingFetcher) resolveFrameworkStandard(ctx context.Context, client SecurityHubAPI, framework string) (string, string, error) { + defer perf.Track(nil, "security.awsFindingFetcher.resolveFrameworkStandard")() + + output, err := client.GetEnabledStandards(ctx, &securityhub.GetEnabledStandardsInput{}) + if err != nil { + return "", "", wrapAWSServiceError("GetEnabledStandards", err) + } + + targetID := frameworkToStandardID(framework) + if targetID == "" { + return "", "", nil + } + + for _, std := range output.StandardsSubscriptions { + if std.StandardsArn != nil && strings.Contains(*std.StandardsArn, targetID) { + title := frameworkToTitle(framework) + return *std.StandardsArn, title, nil + } + } + + return "", "", nil +} + +// normalizeSecurityHubFinding converts an AWS Security Hub finding to our normalized Finding type. +func normalizeSecurityHubFinding(f *shtypes.AwsSecurityFinding) Finding { + finding := Finding{ + ID: aws.ToString(f.Id), + Title: aws.ToString(f.Title), + Description: aws.ToString(f.Description), + Source: detectSource(f), + AccountID: aws.ToString(f.AwsAccountId), + } + + // Severity. + if f.Severity != nil { + finding.Severity = normalizeSeverityLabel(f.Severity.Label) + } + + // Resource info (use first resource if multiple). + if len(f.Resources) > 0 { + res := f.Resources[0] + finding.ResourceARN = aws.ToString(res.Id) + finding.ResourceType = aws.ToString(res.Type) + finding.Region = aws.ToString(res.Region) + // Extract resource tags directly from the finding — no separate API call needed. + if len(res.Tags) > 0 { + finding.ResourceTags = res.Tags + } + } + + // Compliance standard and control ID. + if f.Compliance != nil { + if len(f.Compliance.AssociatedStandards) > 0 { + finding.ComplianceStandard = aws.ToString(f.Compliance.AssociatedStandards[0].StandardsId) + } + finding.SecurityControlID = aws.ToString(f.Compliance.SecurityControlId) + } + + // Timestamps (Security Hub returns ISO 8601 strings). + if f.CreatedAt != nil { + if t, err := time.Parse(time.RFC3339, *f.CreatedAt); err == nil { + finding.CreatedAt = t + } + } + if f.UpdatedAt != nil { + if t, err := time.Parse(time.RFC3339, *f.UpdatedAt); err == nil { + finding.UpdatedAt = t + } + } + + return finding +} + +// detectSource determines the AWS service that produced a Security Hub finding. +func detectSource(f *shtypes.AwsSecurityFinding) Source { + productName := strings.ToLower(aws.ToString(f.ProductName)) + + switch { + case strings.Contains(productName, "security hub"): + return SourceSecurityHub + case strings.Contains(productName, "config"): + return SourceConfig + case strings.Contains(productName, "inspector"): + return SourceInspector + case strings.Contains(productName, "guardduty"): + return SourceGuardDuty + case strings.Contains(productName, "macie"): + return SourceMacie + case strings.Contains(productName, "access analyzer"): + return SourceAccessAnalyzer + default: + return SourceSecurityHub + } +} + +// normalizeSeverityLabel converts AWS severity label to our Severity type. +func normalizeSeverityLabel(label shtypes.SeverityLabel) Severity { + switch label { + case shtypes.SeverityLabelCritical: + return SeverityCritical + case shtypes.SeverityLabelHigh: + return SeverityHigh + case shtypes.SeverityLabelMedium: + return SeverityMedium + case shtypes.SeverityLabelLow: + return SeverityLow + case shtypes.SeverityLabelInformational: + return SeverityInformational + default: + return SeverityInformational + } +} + +// sourceToProductFilters returns Security Hub product name filters for a source. +func sourceToProductFilters(source Source) []shtypes.StringFilter { + productNames := map[Source]string{ + SourceSecurityHub: "Security Hub", + SourceConfig: "Config", + SourceInspector: "Inspector", + SourceGuardDuty: "GuardDuty", + SourceMacie: "Macie", + SourceAccessAnalyzer: "Access Analyzer", + } + + if name, ok := productNames[source]; ok { + return []shtypes.StringFilter{ + { + Value: aws.String(name), + Comparison: shtypes.StringFilterComparisonEquals, + }, + } + } + return nil +} + +// Framework name constants used across mapping, filtering, and display functions. +const ( + frameworkCISAWS = "cis-aws" + frameworkPCIDSS = "pci-dss" + frameworkNIST = "nist" + frameworkSOC2 = "soc2" + frameworkHIPAA = "hipaa" +) + +// frameworkToStandardID maps framework names to Security Hub standard ID prefixes. +// Used by resolveFrameworkStandard for ARN matching (no type prefix needed). +func frameworkToStandardID(framework string) string { + standards := map[string]string{ + frameworkCISAWS: "cis-aws-foundations-benchmark", + frameworkPCIDSS: frameworkPCIDSS, + frameworkNIST: "nist-800-53", + frameworkSOC2: frameworkSOC2, + frameworkHIPAA: frameworkHIPAA, + } + return standards[strings.ToLower(framework)] +} + +// frameworkToStandardIDs maps framework names to full Security Hub standard ID prefixes +// including the type prefix (ruleset/ or standards/). Some frameworks appear under both +// prefixes, so multiple entries are returned for OR matching. +func frameworkToStandardIDs(framework string) []string { + standards := map[string][]string{ + frameworkCISAWS: {"ruleset/cis-aws-foundations-benchmark", "standards/cis-aws-foundations-benchmark"}, + frameworkPCIDSS: {"standards/pci-dss"}, + frameworkNIST: {"standards/nist-800-53"}, + frameworkSOC2: {"standards/soc2"}, + frameworkHIPAA: {"standards/hipaa"}, + } + return standards[strings.ToLower(framework)] +} + +// frameworkToTitle returns a human-readable title for a compliance framework. +func frameworkToTitle(framework string) string { + titles := map[string]string{ + frameworkCISAWS: "CIS AWS Foundations Benchmark", + frameworkPCIDSS: "PCI DSS", + frameworkNIST: "NIST 800-53", + frameworkSOC2: "SOC 2", + frameworkHIPAA: "HIPAA", + } + if title, ok := titles[strings.ToLower(framework)]; ok { + return title + } + return framework +} + +// controlsPageSize is the max results per ListSecurityControlDefinitions API call. +const controlsPageSize = 100 + +// countTotalControls paginates through ListSecurityControlDefinitions to count all controls +// for a standard. Uses the standards ARN (not subscription ARN) which works in delegated admin mode. +func (f *awsFindingFetcher) countTotalControls(ctx context.Context, client SecurityHubAPI, standardsARN string) (int, error) { + defer perf.Track(nil, "security.awsFindingFetcher.countTotalControls")() + + var total int + var nextToken *string + + for { + output, err := client.ListSecurityControlDefinitions(ctx, &securityhub.ListSecurityControlDefinitionsInput{ + StandardsArn: &standardsARN, + MaxResults: aws.Int32(controlsPageSize), + NextToken: nextToken, + }) + if err != nil { + return 0, fmt.Errorf("%w: ListSecurityControlDefinitions: %w", errUtils.ErrAWSSecurityFetchFailed, err) + } + + total += len(output.SecurityControlDefinitions) + + if output.NextToken == nil { + break + } + nextToken = output.NextToken + } + + return total, nil +} + +// buildComplianceReport constructs a ComplianceReport from Security Hub findings. +func buildComplianceReport(findings []Finding, framework, title, stack string, totalControls int) *ComplianceReport { + report := &ComplianceReport{ + GeneratedAt: time.Now().UTC(), + Stack: stack, + Framework: framework, + FrameworkTitle: title, + } + + // Deduplicate by security control ID (e.g., "EC2.18", "IAM.4"). + // SecurityControlID is per-control; ComplianceStandard is per-framework and + // would collapse multiple failing controls under the same framework. + controlMap := make(map[string]*ComplianceControl) + for i := range findings { + f := &findings[i] + controlID := f.SecurityControlID + if controlID == "" { + controlID = f.ComplianceStandard + } + if controlID == "" { + controlID = f.ID + } + if _, exists := controlMap[controlID]; !exists { + controlMap[controlID] = &ComplianceControl{ + ControlID: controlID, + Title: f.Title, + Severity: f.Severity, + } + } + } + + // All fetched findings are failing controls. + for _, ctrl := range controlMap { + report.FailingDetails = append(report.FailingDetails, *ctrl) + } + + report.FailingControls = len(report.FailingDetails) + + // Use the actual total from DescribeStandardsControls when available. + // Fall back to failing count if the API total is unavailable or less than failing. + if totalControls >= report.FailingControls { + report.TotalControls = totalControls + } else { + report.TotalControls = report.FailingControls + } + + report.PassingControls = report.TotalControls - report.FailingControls + if report.TotalControls > 0 { + report.ScorePercent = float64(report.PassingControls) / float64(report.TotalControls) * percentMultiplier + } + + return report +} + +// wrapAWSServiceError detects common AWS service errors and returns user-friendly messages +// with actionable hints. Falls back to generic error wrapping for unknown errors. +func wrapAWSServiceError(operation string, err error) error { + if err == nil { + return nil + } + + msg := err.Error() + + // Security Hub not enabled. + if strings.Contains(msg, "InvalidAccessException") || strings.Contains(msg, "not subscribed") || + strings.Contains(msg, "Security Hub is not enabled") { + return errUtils.Build(errUtils.ErrAWSSecurityFetchFailed). + WithCause(err). + WithExplanation("AWS Security Hub is not enabled in this account/region"). + WithHint("Enable Security Hub: `aws securityhub enable-security-hub --region `"). + WithHint("Or deploy the `aws-security-hub` component via Atmos"). + WithHint("See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html"). + Err() + } + + // Access denied / insufficient permissions. + if strings.Contains(msg, "AccessDeniedException") || strings.Contains(msg, "is not authorized") || + strings.Contains(msg, "Access Denied") { + return errUtils.Build(errUtils.ErrAWSSecurityFetchFailed). + WithCause(err). + WithExplanationf("Insufficient permissions for %s", operation). + WithHint("Ensure the IAM role has `securityhub:GetFindings`, `securityhub:GetEnabledStandards`, and `securityhub:ListSecurityControlDefinitions` permissions"). + WithHint("If using delegated admin, verify the `identity` in `aws.security` targets the correct account"). + Err() + } + + // Invalid region or endpoint. + if strings.Contains(msg, "UnrecognizedClientException") || strings.Contains(msg, "Could not connect") { + return errUtils.Build(errUtils.ErrAWSSecurityFetchFailed). + WithCause(err). + WithExplanation("Cannot connect to AWS Security Hub in the configured region"). + WithHint("Check `aws.security.region` in atmos.yaml — it should be the Security Hub aggregation region"). + WithHint("Verify the region with: `aws securityhub describe-hub --region `"). + Err() + } + + // Generic fallback. + return fmt.Errorf("%w: %s: %w", errUtils.ErrAWSSecurityFetchFailed, operation, err) +} diff --git a/pkg/aws/security/finding_fetcher_test.go b/pkg/aws/security/finding_fetcher_test.go new file mode 100644 index 0000000000..00b1ae5d38 --- /dev/null +++ b/pkg/aws/security/finding_fetcher_test.go @@ -0,0 +1,884 @@ +package security + +import ( + "context" + "fmt" + "testing" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/securityhub" + shtypes "github.com/aws/aws-sdk-go-v2/service/securityhub/types" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + errUtils "github.com/cloudposse/atmos/errors" + "github.com/cloudposse/atmos/pkg/schema" +) + +// mockSecurityHubClient implements SecurityHubAPI for testing. +type mockSecurityHubClient struct { + findings []shtypes.AwsSecurityFinding + standards []shtypes.StandardsSubscription + controlDefinitions []shtypes.SecurityControlDefinition + err error +} + +func (m *mockSecurityHubClient) GetFindings(_ context.Context, _ *securityhub.GetFindingsInput, _ ...func(*securityhub.Options)) (*securityhub.GetFindingsOutput, error) { + if m.err != nil { + return nil, m.err + } + return &securityhub.GetFindingsOutput{ + Findings: m.findings, + }, nil +} + +func (m *mockSecurityHubClient) GetEnabledStandards(_ context.Context, _ *securityhub.GetEnabledStandardsInput, _ ...func(*securityhub.Options)) (*securityhub.GetEnabledStandardsOutput, error) { + if m.err != nil { + return nil, m.err + } + return &securityhub.GetEnabledStandardsOutput{ + StandardsSubscriptions: m.standards, + }, nil +} + +func (m *mockSecurityHubClient) ListSecurityControlDefinitions(_ context.Context, _ *securityhub.ListSecurityControlDefinitionsInput, _ ...func(*securityhub.Options)) (*securityhub.ListSecurityControlDefinitionsOutput, error) { + if m.err != nil { + return nil, m.err + } + return &securityhub.ListSecurityControlDefinitionsOutput{ + SecurityControlDefinitions: m.controlDefinitions, + }, nil +} + +func TestNormalizeSecurityHubFinding(t *testing.T) { + tests := []struct { + name string + input shtypes.AwsSecurityFinding + wantID string + wantSev Severity + wantSrc Source + wantARN string + wantType string + }{ + { + name: "critical finding from Security Hub", + input: shtypes.AwsSecurityFinding{ + Id: aws.String("arn:aws:securityhub:us-east-1:123:finding/abc"), + Title: aws.String("S3 Bucket Public Access"), + Description: aws.String("S3 bucket has public access enabled"), + ProductName: aws.String("Security Hub"), + Severity: &shtypes.Severity{ + Label: shtypes.SeverityLabelCritical, + }, + AwsAccountId: aws.String("123456789012"), + Resources: []shtypes.Resource{ + { + Id: aws.String("arn:aws:s3:::my-public-bucket"), + Type: aws.String("AwsS3Bucket"), + Region: aws.String("us-east-1"), + }, + }, + CreatedAt: aws.String("2026-03-01T10:00:00Z"), + UpdatedAt: aws.String("2026-03-09T12:00:00Z"), + }, + wantID: "arn:aws:securityhub:us-east-1:123:finding/abc", + wantSev: SeverityCritical, + wantSrc: SourceSecurityHub, + wantARN: "arn:aws:s3:::my-public-bucket", + wantType: "AwsS3Bucket", + }, + { + name: "GuardDuty finding", + input: shtypes.AwsSecurityFinding{ + Id: aws.String("gd-finding-1"), + Title: aws.String("Unusual API Activity"), + ProductName: aws.String("GuardDuty"), + Severity: &shtypes.Severity{ + Label: shtypes.SeverityLabelHigh, + }, + Resources: []shtypes.Resource{ + { + Id: aws.String("arn:aws:ec2:us-west-2:123:instance/i-12345"), + Type: aws.String("AwsEc2Instance"), + Region: aws.String("us-west-2"), + }, + }, + }, + wantID: "gd-finding-1", + wantSev: SeverityHigh, + wantSrc: SourceGuardDuty, + wantARN: "arn:aws:ec2:us-west-2:123:instance/i-12345", + wantType: "AwsEc2Instance", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := normalizeSecurityHubFinding(&tt.input) + assert.Equal(t, tt.wantID, result.ID) + assert.Equal(t, tt.wantSev, result.Severity) + assert.Equal(t, tt.wantSrc, result.Source) + assert.Equal(t, tt.wantARN, result.ResourceARN) + assert.Equal(t, tt.wantType, result.ResourceType) + }) + } +} + +func TestFetchFindings_WithMock(t *testing.T) { + mock := &mockSecurityHubClient{ + findings: []shtypes.AwsSecurityFinding{ + { + Id: aws.String("finding-1"), + Title: aws.String("Test Finding 1"), + ProductName: aws.String("Security Hub"), + Severity: &shtypes.Severity{Label: shtypes.SeverityLabelHigh}, + AwsAccountId: aws.String("123456789012"), + Resources: []shtypes.Resource{ + { + Id: aws.String("arn:aws:s3:::test-bucket"), + Type: aws.String("AwsS3Bucket"), + Region: aws.String("us-east-1"), + }, + }, + }, + { + Id: aws.String("finding-2"), + Title: aws.String("Test Finding 2"), + ProductName: aws.String("Inspector"), + Severity: &shtypes.Severity{Label: shtypes.SeverityLabelCritical}, + AwsAccountId: aws.String("123456789012"), + Resources: []shtypes.Resource{ + { + Id: aws.String("arn:aws:ec2:us-east-1:123:instance/i-abc"), + Type: aws.String("AwsEc2Instance"), + Region: aws.String("us-east-1"), + }, + }, + }, + }, + } + + fetcher := &awsFindingFetcher{ + atmosConfig: &schema.AtmosConfiguration{}, + clients: newAWSClientCache(), + cache: NewFindingsCache(), + } + // Pre-populate cached client with mock. + fetcher.clients.securityHub["us-east-1"] = mock + + opts := QueryOptions{ + Severity: []Severity{SeverityCritical, SeverityHigh}, + MaxFindings: 50, + } + + findings, err := fetcher.FetchFindings(context.Background(), &opts) + require.NoError(t, err) + assert.Len(t, findings, 2) + assert.Equal(t, "finding-1", findings[0].ID) + assert.Equal(t, SeverityHigh, findings[0].Severity) + assert.Equal(t, SourceSecurityHub, findings[0].Source) + assert.Equal(t, "finding-2", findings[1].ID) + assert.Equal(t, SeverityCritical, findings[1].Severity) + assert.Equal(t, SourceInspector, findings[1].Source) +} + +func TestFetchFindings_MaxLimit(t *testing.T) { + // Create 5 findings. + var findings []shtypes.AwsSecurityFinding + for i := 0; i < 5; i++ { + findings = append(findings, shtypes.AwsSecurityFinding{ + Id: aws.String("finding-" + string(rune('a'+i))), + Title: aws.String("Finding"), + ProductName: aws.String("Security Hub"), + Severity: &shtypes.Severity{Label: shtypes.SeverityLabelHigh}, + Resources: []shtypes.Resource{ + {Id: aws.String("arn:aws:s3:::bucket-" + string(rune('a'+i)))}, + }, + }) + } + + mock := &mockSecurityHubClient{findings: findings} + fetcher := &awsFindingFetcher{ + atmosConfig: &schema.AtmosConfiguration{}, + clients: newAWSClientCache(), + cache: NewFindingsCache(), + } + fetcher.clients.securityHub["us-east-1"] = mock + + // Limit to 3. + opts := QueryOptions{MaxFindings: 3} + result, err := fetcher.FetchFindings(context.Background(), &opts) + require.NoError(t, err) + assert.Len(t, result, 3) +} + +func TestDetectSource(t *testing.T) { + tests := []struct { + productName string + want Source + }{ + {"Security Hub", SourceSecurityHub}, + {"AWS Security Hub", SourceSecurityHub}, + {"GuardDuty", SourceGuardDuty}, + {"Amazon Inspector", SourceInspector}, + {"AWS Config", SourceConfig}, + {"Amazon Macie", SourceMacie}, + {"IAM Access Analyzer", SourceAccessAnalyzer}, + {"Unknown Service", SourceSecurityHub}, + } + + for _, tt := range tests { + t.Run(tt.productName, func(t *testing.T) { + finding := &shtypes.AwsSecurityFinding{ + ProductName: aws.String(tt.productName), + } + assert.Equal(t, tt.want, detectSource(finding)) + }) + } +} + +func TestFrameworkToStandardID(t *testing.T) { + tests := []struct { + framework string + want string + }{ + {"cis-aws", "cis-aws-foundations-benchmark"}, + {"pci-dss", "pci-dss"}, + {"nist", "nist-800-53"}, + {"soc2", "soc2"}, + {"hipaa", "hipaa"}, + {"unknown", ""}, + } + + for _, tt := range tests { + t.Run(tt.framework, func(t *testing.T) { + assert.Equal(t, tt.want, frameworkToStandardID(tt.framework)) + }) + } +} + +func TestFetchComplianceStatus_WithMock(t *testing.T) { + // Create 10 mock control definitions to simulate the total standard controls. + var controlDefs []shtypes.SecurityControlDefinition + for i := 0; i < 10; i++ { + controlDefs = append(controlDefs, shtypes.SecurityControlDefinition{ + SecurityControlId: aws.String(fmt.Sprintf("CIS.%d", i+1)), + Title: aws.String(fmt.Sprintf("CIS Control %d", i+1)), + }) + } + + mock := &mockSecurityHubClient{ + findings: []shtypes.AwsSecurityFinding{ + { + Id: aws.String("finding-cis-1"), + Title: aws.String("MFA not enabled"), + ProductName: aws.String("Security Hub"), + Severity: &shtypes.Severity{Label: shtypes.SeverityLabelCritical}, + AwsAccountId: aws.String("123456789012"), + Resources: []shtypes.Resource{ + {Id: aws.String("arn:aws:iam::123:root"), Type: aws.String("AwsIamUser"), Region: aws.String("us-east-1")}, + }, + Compliance: &shtypes.Compliance{ + AssociatedStandards: []shtypes.AssociatedStandard{ + {StandardsId: aws.String("cis-aws-foundations-benchmark/v/1.2.0")}, + }, + }, + }, + }, + standards: []shtypes.StandardsSubscription{ + { + StandardsArn: aws.String("arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.2.0"), + }, + }, + controlDefinitions: controlDefs, + } + + fetcher := &awsFindingFetcher{ + atmosConfig: &schema.AtmosConfiguration{}, + clients: newAWSClientCache(), + cache: NewFindingsCache(), + } + fetcher.clients.securityHub["us-east-1"] = mock + + report, err := fetcher.FetchComplianceStatus(context.Background(), "cis-aws", "prod-ue1") + require.NoError(t, err) + require.NotNil(t, report) + assert.Equal(t, "cis-aws", report.Framework) + assert.Equal(t, "CIS AWS Foundations Benchmark", report.FrameworkTitle) + assert.Equal(t, "prod-ue1", report.Stack) + assert.Equal(t, 1, report.FailingControls) + assert.Equal(t, 10, report.TotalControls) + assert.Equal(t, 9, report.PassingControls) + assert.InDelta(t, 90.0, report.ScorePercent, 0.01) +} + +func TestFetchComplianceStatus_UnknownFramework(t *testing.T) { + mock := &mockSecurityHubClient{ + standards: []shtypes.StandardsSubscription{}, + } + + fetcher := &awsFindingFetcher{ + atmosConfig: &schema.AtmosConfiguration{}, + clients: newAWSClientCache(), + cache: NewFindingsCache(), + } + fetcher.clients.securityHub["us-east-1"] = mock + + // Unknown framework maps to empty standard ID, returns nil. + report, err := fetcher.FetchComplianceStatus(context.Background(), "unknown-framework", "") + require.NoError(t, err) + assert.Nil(t, report) +} + +func TestFetchComplianceStatus_Cached(t *testing.T) { + fetcher := &awsFindingFetcher{ + atmosConfig: &schema.AtmosConfiguration{}, + clients: newAWSClientCache(), + cache: NewFindingsCache(), + } + + // Pre-populate cache. + cachedReport := &ComplianceReport{ + Framework: "pci-dss", + FrameworkTitle: "PCI DSS", + Stack: "prod", + FailingControls: 5, + } + fetcher.cache.SetCompliance("pci-dss", "prod", cachedReport) + + report, err := fetcher.FetchComplianceStatus(context.Background(), "pci-dss", "prod") + require.NoError(t, err) + require.NotNil(t, report) + assert.Equal(t, 5, report.FailingControls) +} + +func TestResolveFrameworkStandard(t *testing.T) { + tests := []struct { + name string + framework string + standards []shtypes.StandardsSubscription + wantARN string + wantTitle string + }{ + { + name: "matching standard found", + framework: "cis-aws", + standards: []shtypes.StandardsSubscription{ + {StandardsArn: aws.String("arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.2.0")}, + {StandardsArn: aws.String("arn:aws:securityhub:::standards/pci-dss/v/3.2.1")}, + }, + wantARN: "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.2.0", + wantTitle: "CIS AWS Foundations Benchmark", + }, + { + name: "no matching standard", + framework: "hipaa", + standards: []shtypes.StandardsSubscription{ + {StandardsArn: aws.String("arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.2.0")}, + }, + wantARN: "", + wantTitle: "", + }, + { + name: "unknown framework", + framework: "nonexistent", + standards: []shtypes.StandardsSubscription{}, + wantARN: "", + wantTitle: "", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + mock := &mockSecurityHubClient{standards: tt.standards} + fetcher := &awsFindingFetcher{ + atmosConfig: &schema.AtmosConfiguration{}, + clients: newAWSClientCache(), + cache: NewFindingsCache(), + } + + arn, title, err := fetcher.resolveFrameworkStandard(context.Background(), mock, tt.framework) + require.NoError(t, err) + assert.Equal(t, tt.wantARN, arn) + assert.Equal(t, tt.wantTitle, title) + }) + } +} + +func TestBuildFindingFilters(t *testing.T) { + tests := []struct { + name string + opts QueryOptions + wantSevCount int + wantProductCount int + wantFramework bool + }{ + { + name: "no filters except defaults", + opts: QueryOptions{}, + wantSevCount: 0, + wantProductCount: 0, + wantFramework: false, + }, + { + name: "severity filter", + opts: QueryOptions{ + Severity: []Severity{SeverityCritical, SeverityHigh}, + }, + wantSevCount: 2, + wantProductCount: 0, + wantFramework: false, + }, + { + name: "source filter", + opts: QueryOptions{ + Source: SourceGuardDuty, + }, + wantSevCount: 0, + wantProductCount: 1, + wantFramework: false, + }, + { + name: "source all is not filtered", + opts: QueryOptions{ + Source: SourceAll, + }, + wantSevCount: 0, + wantProductCount: 0, + wantFramework: false, + }, + { + name: "framework filter", + opts: QueryOptions{ + Framework: "cis-aws", + }, + wantSevCount: 0, + wantProductCount: 0, + wantFramework: true, + }, + { + name: "all filters combined", + opts: QueryOptions{ + Severity: []Severity{SeverityMedium}, + Source: SourceInspector, + Framework: "pci-dss", + }, + wantSevCount: 1, + wantProductCount: 1, + wantFramework: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + fetcher := &awsFindingFetcher{atmosConfig: &schema.AtmosConfiguration{}} + filters := fetcher.buildFindingFilters(&tt.opts) + + // Always has workflow status and record state. + assert.Len(t, filters.WorkflowStatus, 2) + assert.Len(t, filters.RecordState, 1) + + assert.Len(t, filters.SeverityLabel, tt.wantSevCount) + assert.Len(t, filters.ProductName, tt.wantProductCount) + if tt.wantFramework { + assert.NotEmpty(t, filters.ComplianceAssociatedStandardsId) + } else { + assert.Empty(t, filters.ComplianceAssociatedStandardsId) + } + }) + } +} + +func TestNormalizeSeverityLabel(t *testing.T) { + tests := []struct { + label shtypes.SeverityLabel + want Severity + }{ + {shtypes.SeverityLabelCritical, SeverityCritical}, + {shtypes.SeverityLabelHigh, SeverityHigh}, + {shtypes.SeverityLabelMedium, SeverityMedium}, + {shtypes.SeverityLabelLow, SeverityLow}, + {shtypes.SeverityLabelInformational, SeverityInformational}, + {shtypes.SeverityLabel("UNKNOWN"), SeverityInformational}, + } + + for _, tt := range tests { + t.Run(string(tt.label), func(t *testing.T) { + assert.Equal(t, tt.want, normalizeSeverityLabel(tt.label)) + }) + } +} + +func TestSourceToProductFilters(t *testing.T) { + tests := []struct { + source Source + wantName string + wantCount int + }{ + {SourceSecurityHub, "Security Hub", 1}, + {SourceConfig, "Config", 1}, + {SourceInspector, "Inspector", 1}, + {SourceGuardDuty, "GuardDuty", 1}, + {SourceMacie, "Macie", 1}, + {SourceAccessAnalyzer, "Access Analyzer", 1}, + {SourceAll, "", 0}, + {Source("unknown-source"), "", 0}, + } + + for _, tt := range tests { + t.Run(string(tt.source), func(t *testing.T) { + filters := sourceToProductFilters(tt.source) + assert.Len(t, filters, tt.wantCount) + if tt.wantCount > 0 { + assert.Equal(t, tt.wantName, aws.ToString(filters[0].Value)) + } + }) + } +} + +func TestFrameworkToTitle(t *testing.T) { + tests := []struct { + framework string + want string + }{ + {"cis-aws", "CIS AWS Foundations Benchmark"}, + {"pci-dss", "PCI DSS"}, + {"nist", "NIST 800-53"}, + {"soc2", "SOC 2"}, + {"hipaa", "HIPAA"}, + {"unknown", "unknown"}, + } + + for _, tt := range tests { + t.Run(tt.framework, func(t *testing.T) { + assert.Equal(t, tt.want, frameworkToTitle(tt.framework)) + }) + } +} + +func TestReachedLimit(t *testing.T) { + tests := []struct { + name string + count int + maxFindings int + want bool + }{ + {"no limit set", 10, 0, false}, + {"under limit", 5, 10, false}, + {"at limit", 10, 10, true}, + {"over limit", 15, 10, true}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + findings := make([]Finding, tt.count) + assert.Equal(t, tt.want, reachedLimit(findings, tt.maxFindings)) + }) + } +} + +func TestResolveRegion(t *testing.T) { + t.Run("override wins", func(t *testing.T) { + fetcher := &awsFindingFetcher{atmosConfig: &schema.AtmosConfiguration{}} + assert.Equal(t, "eu-west-1", fetcher.resolveRegion("eu-west-1")) + }) + + t.Run("config region used when no override", func(t *testing.T) { + fetcher := &awsFindingFetcher{atmosConfig: &schema.AtmosConfiguration{ + AWS: schema.AWSSettings{ + Security: schema.AWSSecuritySettings{Region: "us-east-2"}, + }, + }} + assert.Equal(t, "us-east-2", fetcher.resolveRegion("")) + }) + + t.Run("override wins over config", func(t *testing.T) { + fetcher := &awsFindingFetcher{atmosConfig: &schema.AtmosConfiguration{ + AWS: schema.AWSSettings{ + Security: schema.AWSSecuritySettings{Region: "us-east-2"}, + }, + }} + assert.Equal(t, "eu-west-1", fetcher.resolveRegion("eu-west-1")) + }) + + t.Run("falls to default when no config or override", func(t *testing.T) { + fetcher := &awsFindingFetcher{atmosConfig: &schema.AtmosConfiguration{}} + assert.Equal(t, "us-east-1", fetcher.resolveRegion("")) + }) +} + +func TestResolveRegion_AuthContextFallback(t *testing.T) { + // When no override and no config region, should fall back to auth context region. + clients := newAWSClientCache() + clients.authContext = &schema.AWSAuthContext{Region: "ap-southeast-1"} + fetcher := &awsFindingFetcher{ + atmosConfig: &schema.AtmosConfiguration{}, + clients: clients, + } + assert.Equal(t, "ap-southeast-1", fetcher.resolveRegion("")) +} + +func TestResolveRegion_ConfigWinsOverAuthContext(t *testing.T) { + // Config region should take precedence over auth context region. + clients := newAWSClientCache() + clients.authContext = &schema.AWSAuthContext{Region: "ap-southeast-1"} + fetcher := &awsFindingFetcher{ + atmosConfig: &schema.AtmosConfiguration{ + AWS: schema.AWSSettings{ + Security: schema.AWSSecuritySettings{Region: "eu-central-1"}, + }, + }, + clients: clients, + } + assert.Equal(t, "eu-central-1", fetcher.resolveRegion("")) +} + +func TestBuildComplianceReport_NoFindings(t *testing.T) { + // Empty findings with a known total should result in 100% compliance. + report := buildComplianceReport(nil, "cis-aws", "CIS AWS", "prod", 50) + assert.Equal(t, 0, report.FailingControls) + assert.Equal(t, 50, report.TotalControls) + assert.Equal(t, 50, report.PassingControls) + assert.InDelta(t, 100.0, report.ScorePercent, 0.01) + assert.Empty(t, report.FailingDetails) +} + +func TestBuildComplianceReport_ZeroTotalControls(t *testing.T) { + // When totalControls is 0 (API unavailable), TotalControls should equal FailingControls. + findings := []Finding{ + {ID: "f1", Title: "Issue 1", Severity: SeverityHigh, SecurityControlID: "EC2.18"}, + {ID: "f2", Title: "Issue 2", Severity: SeverityCritical, SecurityControlID: "IAM.4"}, + } + report := buildComplianceReport(findings, "pci-dss", "PCI DSS", "dev", 0) + assert.Equal(t, 2, report.FailingControls) + assert.Equal(t, 2, report.TotalControls, "should fall back to failing count when total is less") + assert.Equal(t, 0, report.PassingControls) + assert.InDelta(t, 0.0, report.ScorePercent, 0.01) +} + +func TestBuildComplianceReport_DeduplicatesBySecurityControlID(t *testing.T) { + // Multiple findings with same SecurityControlID should be deduplicated. + findings := []Finding{ + {ID: "f1", Title: "EC2 issue A", Severity: SeverityHigh, SecurityControlID: "EC2.18"}, + {ID: "f2", Title: "EC2 issue B", Severity: SeverityHigh, SecurityControlID: "EC2.18"}, + {ID: "f3", Title: "IAM issue", Severity: SeverityCritical, SecurityControlID: "IAM.4"}, + } + report := buildComplianceReport(findings, "cis-aws", "CIS", "prod", 10) + assert.Equal(t, 2, report.FailingControls, "should deduplicate by SecurityControlID") + assert.Len(t, report.FailingDetails, 2) +} + +func TestBuildComplianceReport_FallbackToIDWhenNoControlID(t *testing.T) { + // When SecurityControlID and ComplianceStandard are both empty, should use finding ID. + findings := []Finding{ + {ID: "unique-finding-1", Title: "Issue 1", Severity: SeverityLow}, + {ID: "unique-finding-2", Title: "Issue 2", Severity: SeverityLow}, + } + report := buildComplianceReport(findings, "nist", "NIST 800-53", "", 20) + assert.Equal(t, 2, report.FailingControls) + // Verify the control IDs match the finding IDs. + controlIDs := make(map[string]bool) + for _, ctrl := range report.FailingDetails { + controlIDs[ctrl.ControlID] = true + } + assert.True(t, controlIDs["unique-finding-1"]) + assert.True(t, controlIDs["unique-finding-2"]) +} + +func TestBuildComplianceReport_TimestampSet(t *testing.T) { + // Verify GeneratedAt is set to a non-zero value. + report := buildComplianceReport(nil, "soc2", "SOC 2", "", 10) + assert.False(t, report.GeneratedAt.IsZero()) +} + +func TestResolvePageSize(t *testing.T) { + tests := []struct { + name string + maxFindings int + want int32 + }{ + {"no limit uses default", 0, int32(securityHubPageSize)}, + {"small limit", 10, 10}, + {"exact page size", securityHubPageSize, int32(securityHubPageSize)}, + {"over page size", 500, int32(securityHubPageSize)}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + assert.Equal(t, tt.want, resolvePageSize(tt.maxFindings)) + }) + } +} + +func TestTrimToLimit(t *testing.T) { + findings := make([]Finding, 10) + for i := range findings { + findings[i].ID = fmt.Sprintf("f%d", i) + } + + t.Run("no limit returns all", func(t *testing.T) { + result := trimToLimit(findings, 0) + assert.Len(t, result, 10) + }) + + t.Run("limit trims", func(t *testing.T) { + result := trimToLimit(findings, 5) + assert.Len(t, result, 5) + assert.Equal(t, "f0", result[0].ID) + assert.Equal(t, "f4", result[4].ID) + }) + + t.Run("limit higher than count returns all", func(t *testing.T) { + result := trimToLimit(findings, 20) + assert.Len(t, result, 10) + }) +} + +func TestFrameworkToStandardIDs(t *testing.T) { + tests := []struct { + framework string + wantLen int + }{ + {"cis-aws", 2}, // Both ruleset and standards prefixes. + {"pci-dss", 1}, + {"nist", 1}, + {"unknown", 0}, + } + for _, tt := range tests { + t.Run(tt.framework, func(t *testing.T) { + result := frameworkToStandardIDs(tt.framework) + assert.Len(t, result, tt.wantLen) + }) + } +} + +func TestNormalizeSecurityHubFinding_WithComplianceAndTags(t *testing.T) { + // Verify compliance fields and resource tags are extracted correctly. + finding := &shtypes.AwsSecurityFinding{ + Id: aws.String("compliance-finding-1"), + Title: aws.String("Control failed"), + ProductName: aws.String("Security Hub"), + Severity: &shtypes.Severity{Label: shtypes.SeverityLabelMedium}, + Resources: []shtypes.Resource{ + { + Id: aws.String("arn:aws:ec2:us-west-2:123:instance/i-abc"), + Type: aws.String("AwsEc2Instance"), + Region: aws.String("us-west-2"), + Tags: map[string]string{ + "atmos:stack": "prod", + "atmos:component": "web", + }, + }, + }, + Compliance: &shtypes.Compliance{ + AssociatedStandards: []shtypes.AssociatedStandard{ + {StandardsId: aws.String("cis-aws-foundations-benchmark/v/1.4.0")}, + }, + SecurityControlId: aws.String("EC2.18"), + }, + } + + result := normalizeSecurityHubFinding(finding) + assert.Equal(t, "cis-aws-foundations-benchmark/v/1.4.0", result.ComplianceStandard) + assert.Equal(t, "EC2.18", result.SecurityControlID) + assert.Equal(t, "us-west-2", result.Region) + require.NotNil(t, result.ResourceTags) + assert.Equal(t, "prod", result.ResourceTags["atmos:stack"]) + assert.Equal(t, "web", result.ResourceTags["atmos:component"]) +} + +func TestNormalizeSecurityHubFinding_NoSeverity(t *testing.T) { + // When severity is nil, should default to empty severity. + finding := &shtypes.AwsSecurityFinding{ + Id: aws.String("no-sev"), + Title: aws.String("No severity"), + ProductName: aws.String("Security Hub"), + } + result := normalizeSecurityHubFinding(finding) + assert.Equal(t, Severity(""), result.Severity) +} + +func TestNormalizeSecurityHubFinding_NoResources(t *testing.T) { + // When no resources are present, resource fields should be empty. + finding := &shtypes.AwsSecurityFinding{ + Id: aws.String("no-res"), + Title: aws.String("No resources"), + ProductName: aws.String("Config"), + Severity: &shtypes.Severity{Label: shtypes.SeverityLabelLow}, + } + result := normalizeSecurityHubFinding(finding) + assert.Empty(t, result.ResourceARN) + assert.Empty(t, result.ResourceType) + assert.Empty(t, result.Region) + assert.Nil(t, result.ResourceTags) +} + +func TestWrapAWSServiceError(t *testing.T) { + t.Run("nil error returns nil", func(t *testing.T) { + assert.Nil(t, wrapAWSServiceError("TestOp", nil)) + }) + + t.Run("security hub not enabled", func(t *testing.T) { + err := wrapAWSServiceError("GetFindings", fmt.Errorf("InvalidAccessException: Security Hub is not enabled")) + require.Error(t, err) + require.ErrorIs(t, err, errUtils.ErrAWSSecurityFetchFailed) + }) + + t.Run("not subscribed", func(t *testing.T) { + err := wrapAWSServiceError("GetFindings", fmt.Errorf("not subscribed to service")) + require.Error(t, err) + require.ErrorIs(t, err, errUtils.ErrAWSSecurityFetchFailed) + }) + + t.Run("access denied", func(t *testing.T) { + err := wrapAWSServiceError("GetFindings", fmt.Errorf("AccessDeniedException: User is not authorized")) + require.Error(t, err) + require.ErrorIs(t, err, errUtils.ErrAWSSecurityFetchFailed) + }) + + t.Run("connection error", func(t *testing.T) { + err := wrapAWSServiceError("GetFindings", fmt.Errorf("UnrecognizedClientException: bad endpoint")) + require.Error(t, err) + require.ErrorIs(t, err, errUtils.ErrAWSSecurityFetchFailed) + }) + + t.Run("generic error preserves message", func(t *testing.T) { + err := wrapAWSServiceError("GetFindings", fmt.Errorf("something unexpected")) + require.Error(t, err) + require.ErrorIs(t, err, errUtils.ErrAWSSecurityFetchFailed) + assert.Contains(t, err.Error(), "something unexpected") + }) +} + +func TestBuildComplianceReport(t *testing.T) { + findings := []Finding{ + { + ID: "ctrl-1", + Title: "MFA not enabled", + Severity: SeverityCritical, + ComplianceStandard: "CIS.1.2", + }, + { + ID: "ctrl-2", + Title: "Root account used", + Severity: SeverityHigh, + ComplianceStandard: "CIS.1.1", + }, + { + ID: "ctrl-3", + Title: "Another finding for CIS.1.2", + Severity: SeverityCritical, + ComplianceStandard: "CIS.1.2", // Duplicate control. + }, + } + + report := buildComplianceReport(findings, "cis-aws", "CIS AWS Foundations Benchmark", "prod-us-east-1", 20) + + assert.Equal(t, "cis-aws", report.Framework) + assert.Equal(t, "CIS AWS Foundations Benchmark", report.FrameworkTitle) + assert.Equal(t, "prod-us-east-1", report.Stack) + assert.Equal(t, 2, report.FailingControls) // Deduplicated by control ID. + assert.Len(t, report.FailingDetails, 2) + assert.Equal(t, 20, report.TotalControls) + assert.Equal(t, 18, report.PassingControls) + assert.InDelta(t, 90.0, report.ScorePercent, 0.01) +} diff --git a/pkg/aws/security/markdown/skill_prompt.md b/pkg/aws/security/markdown/skill_prompt.md new file mode 100644 index 0000000000..b091884103 --- /dev/null +++ b/pkg/aws/security/markdown/skill_prompt.md @@ -0,0 +1,54 @@ +You are analyzing AWS security findings mapped to Atmos infrastructure components. +Provide consistent, structured remediation using these EXACT section headers. +The output is parsed programmatically — do not deviate from the format. + +### Root Cause + +Explain WHY this finding exists. Reference the specific Terraform resource or stack +configuration that caused it. Name the resource type, missing attribute, or misconfigured setting. + +### Steps + +Ordered remediation steps as a numbered list: + +1. First step +2. Second step + +### Code Changes + +Specific Terraform/HCL changes needed. Use the component source code if provided. +Show before/after in fenced code blocks. + +### Stack Changes + +Specific stack YAML changes needed. Reference the exact `vars` key to add or modify. +Show in a fenced YAML code block. + +### Deploy + +The exact atmos command to deploy the fix: + +``` +atmos terraform apply -s +``` + +### Risk + +One word: `low`, `medium`, or `high`. +- low: Read-only change, no service disruption. +- medium: Config change that may cause brief disruption. +- high: Destructive change (resource replacement, data loss risk). + +### References + +List relevant AWS documentation URLs, CIS benchmark controls, or compliance references. +Use a bulleted list. + +--- + +Guidelines: +- Reference the SPECIFIC Terraform resource that needs to change. +- If component source is provided, use ACTUAL variable names from the code. +- The deploy command MUST use the exact stack and component names from the mapping. +- Prefer stack YAML variable changes over direct Terraform code changes (Atmos convention). +- For unmapped findings, provide general remediation but note the component was not identified. diff --git a/pkg/aws/security/report_renderer.go b/pkg/aws/security/report_renderer.go new file mode 100644 index 0000000000..9266a0dcaa --- /dev/null +++ b/pkg/aws/security/report_renderer.go @@ -0,0 +1,522 @@ +package security + +import ( + "encoding/csv" + "encoding/json" + "fmt" + "io" + "strings" + "time" + + "gopkg.in/yaml.v3" + + "github.com/cloudposse/atmos/pkg/perf" +) + +// ReportRenderer renders security and compliance reports in various formats. +type ReportRenderer interface { + // RenderSecurityReport renders a security findings report. + RenderSecurityReport(w io.Writer, report *Report) error + + // RenderComplianceReport renders a compliance posture report. + RenderComplianceReport(w io.Writer, report *ComplianceReport) error +} + +// NewReportRenderer creates a renderer for the given output format. +func NewReportRenderer(format OutputFormat) ReportRenderer { + defer perf.Track(nil, "security.NewReportRenderer")() + switch format { + case FormatJSON: + return &jsonRenderer{} + case FormatYAML: + return &yamlRenderer{} + case FormatCSV: + return &csvRenderer{} + default: + return &markdownRenderer{} + } +} + +// markdownRenderer renders reports as rich Markdown for terminal display. +type markdownRenderer struct{} + +func (r *markdownRenderer) RenderSecurityReport(w io.Writer, report *Report) error { + var sb strings.Builder + + fmt.Fprintf(&sb, "# Security Report: %s\n\n", reportTarget(report.Stack, report.Component)) + fmt.Fprintf(&sb, "**Generated:** %s\n", report.GeneratedAt.Format(time.RFC3339)) + if report.Stack != "" { + fmt.Fprintf(&sb, "**Stack:** %s\n", report.Stack) + } + fmt.Fprintf(&sb, "**Findings:** %d", report.TotalFindings) + if len(report.SeverityCounts) > 0 { + counts := severityCountsString(report.SeverityCounts) + fmt.Fprintf(&sb, " (%s)", counts) + } + sb.WriteString("\n\n---\n\n") + + renderFindingsBySeverity(&sb, report.Findings, report.GroupFindings) + + // Summary table. + sb.WriteString("## Summary\n\n") + sb.WriteString("| Severity | Count | Mapped | Unmapped |\n") + sb.WriteString("|----------|-------|--------|----------|\n") + for _, sev := range []Severity{SeverityCritical, SeverityHigh, SeverityMedium, SeverityLow, SeverityInformational} { + count := report.SeverityCounts[sev] + if count == 0 { + continue + } + mapped, unmapped := countMappedBySeverity(report.Findings, sev) + fmt.Fprintf(&sb, "| %s | %d | %d | %d |\n", sev, count, mapped, unmapped) + } + fmt.Fprintf(&sb, "| **Total** | **%d** | **%d** | **%d** |\n\n", + report.TotalFindings, report.MappedCount, report.UnmappedCount) + + if report.UnmappedCount > 0 { + tagHint := "the configured resource tags" + if report.TagMapping != nil { + tagHint = fmt.Sprintf("`%s` and `%s` tags", report.TagMapping.StackTag, report.TagMapping.ComponentTag) + } + fmt.Fprintf(&sb, "> %d findings could not be mapped to Atmos components. "+ + "These resources may be managed outside of Atmos or may be missing %s.\n\n", + report.UnmappedCount, tagHint) + } + + _, err := io.WriteString(w, sb.String()) + return err +} + +func (r *markdownRenderer) RenderComplianceReport(w io.Writer, report *ComplianceReport) error { + var sb strings.Builder + + fmt.Fprintf(&sb, "# Compliance Report: %s\n\n", report.FrameworkTitle) + fmt.Fprintf(&sb, "**Date:** %s\n", report.GeneratedAt.Format(time.RFC3339)) + if report.Stack != "" { + fmt.Fprintf(&sb, "**Stack:** %s\n", report.Stack) + } + fmt.Fprintf(&sb, "**Framework:** %s\n\n", report.FrameworkTitle) + fmt.Fprintf(&sb, "## Score: %d/%d Controls Passing (%.0f%%)\n\n", + report.PassingControls, report.TotalControls, report.ScorePercent) + + if len(report.FailingDetails) > 0 { + sb.WriteString("### Failing Controls\n\n") + sb.WriteString("| Control | Title | Severity |\n") + sb.WriteString("|---------|-------|----------|\n") + for _, ctrl := range report.FailingDetails { + fmt.Fprintf(&sb, "| %s | %s | %s |\n", + ctrl.ControlID, ctrl.Title, ctrl.Severity) + } + sb.WriteString("\n") + } + + _, err := io.WriteString(w, sb.String()) + return err +} + +// jsonRenderer renders reports as structured JSON. +type jsonRenderer struct{} + +func (r *jsonRenderer) RenderSecurityReport(w io.Writer, report *Report) error { + enc := json.NewEncoder(w) + enc.SetIndent("", " ") + return enc.Encode(report) +} + +func (r *jsonRenderer) RenderComplianceReport(w io.Writer, report *ComplianceReport) error { + enc := json.NewEncoder(w) + enc.SetIndent("", " ") + return enc.Encode(report) +} + +// yamlRenderer renders reports as YAML. +type yamlRenderer struct{} + +func (r *yamlRenderer) RenderSecurityReport(w io.Writer, report *Report) error { + enc := yaml.NewEncoder(w) + defer enc.Close() + return enc.Encode(report) +} + +func (r *yamlRenderer) RenderComplianceReport(w io.Writer, report *ComplianceReport) error { + enc := yaml.NewEncoder(w) + defer enc.Close() + return enc.Encode(report) +} + +// csvRenderer renders findings as flat CSV rows. +type csvRenderer struct{} + +func (r *csvRenderer) RenderSecurityReport(w io.Writer, report *Report) error { + cw := csv.NewWriter(w) + + // Header row. + if err := cw.Write([]string{ + "id", "title", "severity", "source", "resource_arn", "resource_type", + "stack", "component", "mapped", "confidence", + "root_cause", "deploy_command", "risk_level", + }); err != nil { + return err + } + + for i := range report.Findings { + f := &report.Findings[i] + stack, component, mapped, confidence := "", "", "false", "" + if f.Mapping != nil { + stack = f.Mapping.Stack + component = f.Mapping.Component + if f.Mapping.Mapped { + mapped = "true" + } + confidence = string(f.Mapping.Confidence) + } + rootCause, deployCmd, riskLevel := "", "", "" + if f.Remediation != nil { + rootCause = f.Remediation.RootCause + deployCmd = f.Remediation.DeployCommand + riskLevel = f.Remediation.RiskLevel + } + if err := cw.Write([]string{ + f.ID, f.Title, string(f.Severity), string(f.Source), + f.ResourceARN, f.ResourceType, + stack, component, mapped, confidence, + rootCause, deployCmd, riskLevel, + }); err != nil { + return err + } + } + cw.Flush() + return cw.Error() +} + +func (r *csvRenderer) RenderComplianceReport(w io.Writer, report *ComplianceReport) error { + cw := csv.NewWriter(w) + + if err := cw.Write([]string{ + "control_id", "title", "severity", "component", "stack", "has_remediation", + }); err != nil { + return err + } + + for _, ctrl := range report.FailingDetails { + hasRemediation := "false" + if ctrl.Remediation != nil { + hasRemediation = "true" + } + if err := cw.Write([]string{ + ctrl.ControlID, ctrl.Title, string(ctrl.Severity), + ctrl.Component, ctrl.Stack, hasRemediation, + }); err != nil { + return err + } + } + cw.Flush() + return cw.Error() +} + +// Helper functions. + +func reportTarget(stack, component string) string { + if stack != "" && component != "" { + return fmt.Sprintf("%s / %s", stack, component) + } + if component != "" { + return fmt.Sprintf("All Stacks / %s", component) + } + if stack != "" { + return stack + } + return "All Stacks" +} + +func severityCountsString(counts map[Severity]int) string { + var parts []string + for _, sev := range []Severity{SeverityCritical, SeverityHigh, SeverityMedium, SeverityLow, SeverityInformational} { + if c, ok := counts[sev]; ok && c > 0 { + parts = append(parts, fmt.Sprintf("%d %s", c, sev)) + } + } + return strings.Join(parts, ", ") +} + +func filterBySeverity(findings []Finding, severity Severity) []Finding { + var result []Finding + for i := range findings { + if findings[i].Severity == severity { + result = append(result, findings[i]) + } + } + return result +} + +func countMappedBySeverity(findings []Finding, severity Severity) (mapped, unmapped int) { + for i := range findings { + f := &findings[i] + if f.Severity != severity { + continue + } + if f.Mapping != nil && f.Mapping.Mapped { + mapped++ + } else { + unmapped++ + } + } + return mapped, unmapped +} + +func renderFindingMarkdown(sb *strings.Builder, f *Finding, num int) { + fmt.Fprintf(sb, "### %d. %s\n\n", num, f.Title) + sb.WriteString("| Field | Value |\n") + sb.WriteString("|-------|-------|\n") + fmt.Fprintf(sb, "| **Severity** | %s |\n", f.Severity) + fmt.Fprintf(sb, "| **Source** | %s", f.Source) + if f.ComplianceStandard != "" { + fmt.Fprintf(sb, " (%s)", f.ComplianceStandard) + } + sb.WriteString(" |\n") + fmt.Fprintf(sb, "| **Resource** | `%s` |\n", f.ResourceARN) + if f.AccountID != "" { + fmt.Fprintf(sb, "| **Account** | %s |\n", f.AccountID) + } + + if f.Mapping != nil && f.Mapping.Mapped { + fmt.Fprintf(sb, "| **Component** | %s |\n", f.Mapping.Component) + fmt.Fprintf(sb, "| **Stack** | %s |\n", f.Mapping.Stack) + if f.Mapping.ComponentPath != "" { + fmt.Fprintf(sb, "| **Path** | `%s` |\n", f.Mapping.ComponentPath) + } + fmt.Fprintf(sb, "| **Confidence** | %s |\n", f.Mapping.Confidence) + if f.Mapping.Method != "" { + fmt.Fprintf(sb, "| **Mapped By** | %s |\n", f.Mapping.Method) + } + } else { + sb.WriteString("| **Component** | *unmapped* |\n") + } + + // Show resource tags if available (helps users identify the resource). + if len(f.ResourceTags) > 0 { + renderResourceTags(sb, f.ResourceTags) + } + + sb.WriteString("\n") + + if f.Description != "" { + fmt.Fprintf(sb, "#### Finding Details\n\n%s\n\n", f.Description) + } + + if f.Remediation != nil { + renderRemediationMarkdown(sb, f.Remediation) + } + + sb.WriteString("---\n\n") +} + +// mdNewline is the newline string used in Markdown rendering. +const mdNewline = "\n" + +// renderFindingsBySeverity groups findings by severity. +// When groupDuplicates is true, findings with the same title are collapsed. +func renderFindingsBySeverity(sb *strings.Builder, allFindings []Finding, groupDuplicates bool) { + for _, sev := range []Severity{SeverityCritical, SeverityHigh, SeverityMedium, SeverityLow, SeverityInformational} { + findings := filterBySeverity(allFindings, sev) + if len(findings) == 0 { + continue + } + fmt.Fprintf(sb, "## %s Findings (%d)\n\n", sev, len(findings)) + + if !groupDuplicates { + for i := range findings { + renderFindingMarkdown(sb, &findings[i], i+1) + } + continue + } + + groups := groupByTitle(findings) + for i, group := range groups { + if len(group) == 1 { + renderFindingMarkdown(sb, &group[0], i+1) + } else { + renderGroupedFindingMarkdown(sb, group, i+1) + } + } + } +} + +// groupByTitle groups findings by title, preserving order of first occurrence. +func groupByTitle(findings []Finding) [][]Finding { + seen := make(map[string]int) // title → index in result. + var groups [][]Finding + for i := range findings { + title := findings[i].Title + if idx, ok := seen[title]; ok { + groups[idx] = append(groups[idx], findings[i]) + } else { + seen[title] = len(groups) + groups = append(groups, []Finding{findings[i]}) + } + } + return groups +} + +// renderGroupedFindingMarkdown renders a group of findings with the same title. +func renderGroupedFindingMarkdown(sb *strings.Builder, findings []Finding, num int) { + f := &findings[0] + fmt.Fprintf(sb, "### %d. %s (%d occurrences)\n\n", num, f.Title, len(findings)) + + if f.Description != "" { + fmt.Fprintf(sb, "%s\n\n", f.Description) + } + + // Show affected resources as a table. + sb.WriteString("| Resource | Account | Component | Stack | Mapped By | Confidence |\n") + sb.WriteString("|----------|---------|-----------|-------|-----------|------------|\n") + for i := range findings { + resource := truncateMiddle(findings[i].ResourceARN) + account := findings[i].AccountID + component, stack, method, confidence := "*unmapped*", "", "", "" + if findings[i].Mapping != nil && findings[i].Mapping.Mapped { + component = findings[i].Mapping.Component + stack = findings[i].Mapping.Stack + method = findings[i].Mapping.Method + confidence = string(findings[i].Mapping.Confidence) + } + fmt.Fprintf(sb, "| `%s` | %s | %s | %s | %s | %s |\n", resource, account, component, stack, method, confidence) + } + sb.WriteString(mdNewline) + + // Show resource tags for each finding that has them. + renderGroupedTags(sb, findings) + + // Render remediation from the first finding that has one (shared across the group). + for i := range findings { + if findings[i].Remediation != nil { + renderRemediationMarkdown(sb, findings[i].Remediation) + break + } + } + + sb.WriteString("---\n\n") +} + +// renderGroupedTags shows resource tags for findings in a group that have them. +func renderGroupedTags(sb *strings.Builder, findings []Finding) { + var tagged int + for i := range findings { + if len(findings[i].ResourceTags) > 0 { + tagged++ + } + } + if tagged == 0 { + return + } + + sb.WriteString("\n
\nResource Tags (" + fmt.Sprintf("%d", tagged) + " resources with tags)\n\n") + for i := range findings { + if len(findings[i].ResourceTags) == 0 { + continue + } + name := findings[i].ResourceARN + if n, ok := findings[i].ResourceTags["Name"]; ok { + name = n + } + fmt.Fprintf(sb, "**%s:**\n", truncateMiddle(name)) + for k, v := range findings[i].ResourceTags { + fmt.Fprintf(sb, "- `%s` = `%s`\n", k, v) + } + sb.WriteString(mdNewline) + } + sb.WriteString("
\n\n") +} + +// maxARNDisplayLen is the max length for ARN display in grouped tables. +const maxARNDisplayLen = 80 + +// truncateMiddle truncates a string in the middle if it exceeds maxARNDisplayLen. +func truncateMiddle(s string) string { + if len(s) <= maxARNDisplayLen { + return s + } + half := (maxARNDisplayLen - 3) / 2 + return s[:half] + "..." + s[len(s)-half:] +} + +// renderResourceTags renders resource tags as a compact key=value list. +func renderResourceTags(sb *strings.Builder, tags map[string]string) { + if len(tags) == 0 { + return + } + sb.WriteString("\n**Resource Tags:**\n\n") + for k, v := range tags { + fmt.Fprintf(sb, "- `%s` = `%s`\n", k, v) + } +} + +// renderRemediationMarkdown renders the full Remediation struct as Markdown subsections. +func renderRemediationMarkdown(sb *strings.Builder, r *Remediation) { + sb.WriteString("#### Remediation\n\n") + + if r.RootCause != "" { + fmt.Fprintf(sb, "**Root Cause:** %s\n\n", r.RootCause) + } + + renderSteps(sb, r.Steps) + renderCodeChanges(sb, r.CodeChanges) + + if r.StackChanges != "" { + fmt.Fprintf(sb, "**Stack Changes:**\n\n%s\n\n", r.StackChanges) + } + if r.DeployCommand != "" { + fmt.Fprintf(sb, "**Deploy:** `%s`\n\n", r.DeployCommand) + } + if r.RiskLevel != "" { + fmt.Fprintf(sb, "**Risk:** %s\n\n", r.RiskLevel) + } + + renderReferences(sb, r.References) + + // Fall back to description if no structured fields are populated. + if r.RootCause == "" && len(r.Steps) == 0 && r.DeployCommand == "" { + fmt.Fprintf(sb, "%s\n\n", r.Description) + } +} + +// renderSteps renders an ordered list of remediation steps. +func renderSteps(sb *strings.Builder, steps []string) { + if len(steps) == 0 { + return + } + sb.WriteString("**Steps:**\n\n") + for i, step := range steps { + fmt.Fprintf(sb, "%d. %s%s", i+1, step, mdNewline) + } + sb.WriteString(mdNewline) +} + +// renderCodeChanges renders code change diffs. +func renderCodeChanges(sb *strings.Builder, changes []CodeChange) { + if len(changes) == 0 { + return + } + sb.WriteString("**Code Changes:**\n\n") + for _, change := range changes { + fmt.Fprintf(sb, "File: `%s`", change.FilePath) + if change.Line > 0 { + fmt.Fprintf(sb, " (line %d)", change.Line) + } + sb.WriteString(mdNewline) + if change.Before != "" { + fmt.Fprintf(sb, "```diff\n- %s\n+ %s\n```\n\n", change.Before, change.After) + } + } +} + +// renderReferences renders a bulleted list of references. +func renderReferences(sb *strings.Builder, refs []string) { + if len(refs) == 0 { + return + } + sb.WriteString("**References:**\n\n") + for _, ref := range refs { + fmt.Fprintf(sb, "- %s%s", ref, mdNewline) + } + sb.WriteString(mdNewline) +} diff --git a/pkg/aws/security/report_renderer_test.go b/pkg/aws/security/report_renderer_test.go new file mode 100644 index 0000000000..f396863e03 --- /dev/null +++ b/pkg/aws/security/report_renderer_test.go @@ -0,0 +1,1101 @@ +package security + +import ( + "bytes" + "encoding/csv" + "encoding/json" + "strings" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "gopkg.in/yaml.v3" +) + +// fixedTime is a stable timestamp used across all test reports. +var fixedTime = time.Date(2026, 3, 9, 12, 0, 0, 0, time.UTC) + +// newTestSecurityReport builds a Report with representative findings for tests. +func newTestSecurityReport() *Report { + return &Report{ + GeneratedAt: fixedTime, + Stack: "tenant1-ue1-prod", + Component: "vpc", + TotalFindings: 3, + SeverityCounts: map[Severity]int{ + SeverityCritical: 1, + SeverityHigh: 1, + SeverityLow: 1, + }, + MappedCount: 2, + UnmappedCount: 1, + Findings: []Finding{ + { + ID: "finding-1", + Title: "Critical S3 bucket public access", + Description: "S3 bucket allows public read access.", + Severity: SeverityCritical, + Source: SourceSecurityHub, + ComplianceStandard: "CIS-1.4", + ResourceARN: "arn:aws:s3:::my-bucket", + ResourceType: "AwsS3Bucket", + Mapping: &ComponentMapping{ + Stack: "tenant1-ue1-prod", + Component: "s3-bucket", + ComponentPath: "components/terraform/s3-bucket", + Mapped: true, + Confidence: ConfidenceExact, + Method: "tag", + }, + Remediation: &Remediation{ + Description: "Enable block public access on the S3 bucket.", + RootCause: "Public access block not configured.", + DeployCommand: "atmos terraform apply s3-bucket -s tenant1-ue1-prod", + }, + }, + { + ID: "finding-2", + Title: "Security group allows ingress from 0.0.0.0/0", + Description: "Unrestricted ingress detected.", + Severity: SeverityHigh, + Source: SourceConfig, + ResourceARN: "arn:aws:ec2:us-east-1:123456789012:security-group/sg-123", + ResourceType: "AwsEc2SecurityGroup", + Mapping: &ComponentMapping{ + Stack: "tenant1-ue1-prod", + Component: "vpc", + Mapped: true, + Confidence: ConfidenceHigh, + Method: "state", + }, + }, + { + ID: "finding-3", + Title: "Low severity info leak", + Severity: SeverityLow, + Source: SourceInspector, + ResourceARN: "arn:aws:lambda:us-east-1:123456789012:function:orphan", + ResourceType: "AwsLambdaFunction", + Mapping: nil, + }, + }, + } +} + +// newTestComplianceReport builds a ComplianceReport for tests. +func newTestComplianceReport() *ComplianceReport { + return &ComplianceReport{ + GeneratedAt: fixedTime, + Stack: "tenant1-ue1-prod", + Framework: "cis-1.4", + FrameworkTitle: "CIS AWS Foundations Benchmark v1.4", + TotalControls: 50, + PassingControls: 45, + FailingControls: 5, + ScorePercent: 90.0, + FailingDetails: []ComplianceControl{ + { + ControlID: "CIS.1.14", + Title: "Ensure MFA is enabled for root", + Severity: SeverityCritical, + Component: "account-settings", + Stack: "tenant1-ue1-prod", + Remediation: &Remediation{ + Description: "Enable MFA on root account.", + }, + }, + { + ControlID: "CIS.2.1", + Title: "Ensure CloudTrail is enabled", + Severity: SeverityHigh, + Component: "cloudtrail", + Stack: "tenant1-ue1-prod", + Remediation: nil, + }, + }, + } +} + +func TestRenderSecurityReport_Markdown(t *testing.T) { + report := newTestSecurityReport() + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + + // Verify header and metadata. + assert.Contains(t, output, "# Security Report: tenant1-ue1-prod / vpc") + assert.Contains(t, output, "**Generated:** 2026-03-09T12:00:00Z") + assert.Contains(t, output, "**Stack:** tenant1-ue1-prod") + assert.Contains(t, output, "**Findings:** 3") + + // Verify severity sections. + assert.Contains(t, output, "## CRITICAL Findings (1)") + assert.Contains(t, output, "## HIGH Findings (1)") + assert.Contains(t, output, "## LOW Findings (1)") + // Medium and informational should not appear. + assert.NotContains(t, output, "## MEDIUM Findings") + assert.NotContains(t, output, "## INFORMATIONAL Findings") + + // Verify finding details. + assert.Contains(t, output, "### 1. Critical S3 bucket public access") + assert.Contains(t, output, "| **Severity** | CRITICAL |") + assert.Contains(t, output, "| **Source** | security-hub (CIS-1.4) |") + assert.Contains(t, output, "| **Resource** | `arn:aws:s3:::my-bucket` |") + assert.Contains(t, output, "| **Component** | s3-bucket |") + assert.Contains(t, output, "| **Path** | `components/terraform/s3-bucket` |") + assert.Contains(t, output, "| **Confidence** | exact |") + + // Verify remediation section with structured fields. + assert.Contains(t, output, "#### Remediation") + assert.Contains(t, output, "**Root Cause:** Public access block not configured.") + assert.Contains(t, output, "**Deploy:** `atmos terraform apply s3-bucket -s tenant1-ue1-prod`") + + // Verify finding description section. + assert.Contains(t, output, "#### Finding Details") + assert.Contains(t, output, "S3 bucket allows public read access.") + + // Verify unmapped finding renders correctly. + assert.Contains(t, output, "| **Component** | *unmapped* |") + + // Verify summary table. + assert.Contains(t, output, "## Summary") + assert.Contains(t, output, "| Severity | Count | Mapped | Unmapped |") + assert.Contains(t, output, "| CRITICAL | 1 | 1 | 0 |") + assert.Contains(t, output, "| HIGH | 1 | 1 | 0 |") + assert.Contains(t, output, "| LOW | 1 | 0 | 1 |") + assert.Contains(t, output, "| **Total** | **3** | **2** | **1** |") + + // Verify unmapped note. + assert.Contains(t, output, "1 findings could not be mapped to Atmos components") +} + +func TestRenderSecurityReport_JSON(t *testing.T) { + report := newTestSecurityReport() + renderer := NewReportRenderer(FormatJSON) + var buf bytes.Buffer + + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + // Verify it produces valid JSON. + var decoded Report + err = json.Unmarshal(buf.Bytes(), &decoded) + require.NoError(t, err) + + // Spot-check fields round-trip correctly. + assert.Equal(t, report.Stack, decoded.Stack) + assert.Equal(t, report.Component, decoded.Component) + assert.Equal(t, report.TotalFindings, decoded.TotalFindings) + assert.Equal(t, report.MappedCount, decoded.MappedCount) + assert.Equal(t, report.UnmappedCount, decoded.UnmappedCount) + assert.Len(t, decoded.Findings, 3) + assert.Equal(t, SeverityCritical, decoded.Findings[0].Severity) + assert.Equal(t, "s3-bucket", decoded.Findings[0].Mapping.Component) + assert.Nil(t, decoded.Findings[2].Mapping) +} + +func TestRenderSecurityReport_YAML(t *testing.T) { + report := newTestSecurityReport() + renderer := NewReportRenderer(FormatYAML) + var buf bytes.Buffer + + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + // Verify it produces valid YAML. + var decoded Report + err = yaml.Unmarshal(buf.Bytes(), &decoded) + require.NoError(t, err) + + assert.Equal(t, report.Stack, decoded.Stack) + assert.Equal(t, report.TotalFindings, decoded.TotalFindings) + assert.Len(t, decoded.Findings, 3) + assert.Equal(t, ConfidenceExact, decoded.Findings[0].Mapping.Confidence) +} + +func TestRenderSecurityReport_CSV(t *testing.T) { + report := newTestSecurityReport() + renderer := NewReportRenderer(FormatCSV) + var buf bytes.Buffer + + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + // Parse the CSV output. + reader := csv.NewReader(strings.NewReader(buf.String())) + records, err := reader.ReadAll() + require.NoError(t, err) + + // Header + 3 data rows. + require.Len(t, records, 4) + + // Verify header row. + expectedHeaders := []string{ + "id", "title", "severity", "source", "resource_arn", "resource_type", + "stack", "component", "mapped", "confidence", + "root_cause", "deploy_command", "risk_level", + } + assert.Equal(t, expectedHeaders, records[0]) + + // Verify mapped finding row. + assert.Equal(t, "finding-1", records[1][0]) + assert.Equal(t, "CRITICAL", records[1][2]) + assert.Equal(t, "tenant1-ue1-prod", records[1][6]) + assert.Equal(t, "s3-bucket", records[1][7]) + assert.Equal(t, "true", records[1][8]) + assert.Equal(t, "exact", records[1][9]) + + // Verify unmapped finding row (nil Mapping). + assert.Equal(t, "finding-3", records[3][0]) + assert.Equal(t, "", records[3][6]) // stack empty. + assert.Equal(t, "", records[3][7]) // component empty. + assert.Equal(t, "false", records[3][8]) + assert.Equal(t, "", records[3][9]) // confidence empty. + assert.Equal(t, "", records[3][10]) // root_cause empty. + assert.Equal(t, "", records[3][11]) // deploy_command empty. + assert.Equal(t, "", records[3][12]) // risk_level empty. +} + +func TestRenderComplianceReport_Markdown(t *testing.T) { + report := newTestComplianceReport() + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + + err := renderer.RenderComplianceReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + + // Verify header and metadata. + assert.Contains(t, output, "# Compliance Report: CIS AWS Foundations Benchmark v1.4") + assert.Contains(t, output, "**Date:** 2026-03-09T12:00:00Z") + assert.Contains(t, output, "**Stack:** tenant1-ue1-prod") + assert.Contains(t, output, "**Framework:** CIS AWS Foundations Benchmark v1.4") + + // Verify score line. + assert.Contains(t, output, "## Score: 45/50 Controls Passing (90%)") + + // Verify failing controls table. + assert.Contains(t, output, "### Failing Controls") + assert.Contains(t, output, "| Control | Title | Severity |") + assert.Contains(t, output, "| CIS.1.14 | Ensure MFA is enabled for root | CRITICAL |") + assert.Contains(t, output, "| CIS.2.1 | Ensure CloudTrail is enabled | HIGH |") +} + +func TestRenderComplianceReport_JSON(t *testing.T) { + report := newTestComplianceReport() + renderer := NewReportRenderer(FormatJSON) + var buf bytes.Buffer + + err := renderer.RenderComplianceReport(&buf, report) + require.NoError(t, err) + + var decoded ComplianceReport + err = json.Unmarshal(buf.Bytes(), &decoded) + require.NoError(t, err) + + assert.Equal(t, report.Framework, decoded.Framework) + assert.Equal(t, report.FrameworkTitle, decoded.FrameworkTitle) + assert.Equal(t, report.TotalControls, decoded.TotalControls) + assert.Equal(t, report.PassingControls, decoded.PassingControls) + assert.Equal(t, report.FailingControls, decoded.FailingControls) + assert.InDelta(t, report.ScorePercent, decoded.ScorePercent, 0.01) + assert.Len(t, decoded.FailingDetails, 2) + assert.NotNil(t, decoded.FailingDetails[0].Remediation) + assert.Nil(t, decoded.FailingDetails[1].Remediation) +} + +func TestRenderComplianceReport_YAML(t *testing.T) { + report := newTestComplianceReport() + renderer := NewReportRenderer(FormatYAML) + var buf bytes.Buffer + + err := renderer.RenderComplianceReport(&buf, report) + require.NoError(t, err) + + var decoded ComplianceReport + err = yaml.Unmarshal(buf.Bytes(), &decoded) + require.NoError(t, err) + + assert.Equal(t, report.Framework, decoded.Framework) + assert.Equal(t, report.TotalControls, decoded.TotalControls) + assert.Len(t, decoded.FailingDetails, 2) +} + +func TestRenderComplianceReport_CSV(t *testing.T) { + report := newTestComplianceReport() + renderer := NewReportRenderer(FormatCSV) + var buf bytes.Buffer + + err := renderer.RenderComplianceReport(&buf, report) + require.NoError(t, err) + + reader := csv.NewReader(strings.NewReader(buf.String())) + records, err := reader.ReadAll() + require.NoError(t, err) + + // Header + 2 failing controls. + require.Len(t, records, 3) + + expectedHeaders := []string{ + "control_id", "title", "severity", "component", "stack", "has_remediation", + } + assert.Equal(t, expectedHeaders, records[0]) + + // Control with remediation. + assert.Equal(t, "CIS.1.14", records[1][0]) + assert.Equal(t, "true", records[1][5]) + + // Control without remediation. + assert.Equal(t, "CIS.2.1", records[2][0]) + assert.Equal(t, "false", records[2][5]) +} + +func TestRenderSecurityReport_EmptyFindings(t *testing.T) { + report := &Report{ + GeneratedAt: fixedTime, + Stack: "tenant1-ue1-dev", + TotalFindings: 0, + SeverityCounts: map[Severity]int{}, + Findings: []Finding{}, + MappedCount: 0, + UnmappedCount: 0, + } + + formats := []struct { + name string + format OutputFormat + }{ + {name: "markdown", format: FormatMarkdown}, + {name: "json", format: FormatJSON}, + {name: "yaml", format: FormatYAML}, + {name: "csv", format: FormatCSV}, + } + + for _, tc := range formats { + t.Run(tc.name, func(t *testing.T) { + renderer := NewReportRenderer(tc.format) + var buf bytes.Buffer + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + assert.NotEmpty(t, buf.String()) + }) + } + + // Verify markdown specifics for empty report. + t.Run("markdown_no_severity_sections", func(t *testing.T) { + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + assert.Contains(t, output, "**Findings:** 0") + assert.NotContains(t, output, "## CRITICAL Findings") + assert.NotContains(t, output, "## HIGH Findings") + // Summary total row should show zeros. + assert.Contains(t, output, "| **Total** | **0** | **0** | **0** |") + // No unmapped note when unmapped count is zero. + assert.NotContains(t, output, "findings could not be mapped") + }) +} + +func TestRenderSecurityReport_FindingsWithNilMapping(t *testing.T) { + report := &Report{ + GeneratedAt: fixedTime, + Stack: "tenant1-ue1-staging", + TotalFindings: 2, + SeverityCounts: map[Severity]int{ + SeverityMedium: 2, + }, + MappedCount: 0, + UnmappedCount: 2, + Findings: []Finding{ + { + ID: "unmapped-1", + Title: "Unmapped finding one", + Severity: SeverityMedium, + Source: SourceGuardDuty, + ResourceARN: "arn:aws:ec2:us-west-2:111111111111:instance/i-abc", + ResourceType: "AwsEc2Instance", + Mapping: nil, + }, + { + ID: "unmapped-2", + Title: "Unmapped finding two", + Severity: SeverityMedium, + Source: SourceMacie, + ResourceARN: "arn:aws:s3:::another-bucket", + ResourceType: "AwsS3Bucket", + Mapping: nil, + Remediation: nil, + }, + }, + } + + t.Run("markdown_shows_unmapped", func(t *testing.T) { + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + // Both findings should show unmapped. + assert.Equal(t, 2, strings.Count(output, "| **Component** | *unmapped* |")) + // Unmapped note should appear. + assert.Contains(t, output, "2 findings could not be mapped to Atmos components") + }) + + t.Run("csv_shows_unmapped_fields", func(t *testing.T) { + renderer := NewReportRenderer(FormatCSV) + var buf bytes.Buffer + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + reader := csv.NewReader(strings.NewReader(buf.String())) + records, err := reader.ReadAll() + require.NoError(t, err) + require.Len(t, records, 3) // header + 2 rows. + + // Both rows should have empty stack/component and mapped=false. + for _, row := range records[1:] { + assert.Equal(t, "", row[6]) // stack. + assert.Equal(t, "", row[7]) // component. + assert.Equal(t, "false", row[8]) // mapped. + assert.Equal(t, "", row[9]) // confidence. + } + }) + + t.Run("json_nil_mapping_omitted", func(t *testing.T) { + renderer := NewReportRenderer(FormatJSON) + var buf bytes.Buffer + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + var decoded Report + err = json.Unmarshal(buf.Bytes(), &decoded) + require.NoError(t, err) + for _, f := range decoded.Findings { + assert.Nil(t, f.Mapping) + } + }) +} + +func TestRenderComplianceReport_EmptyFailingDetails(t *testing.T) { + report := &ComplianceReport{ + GeneratedAt: fixedTime, + Stack: "tenant1-ue1-prod", + Framework: "cis-1.4", + FrameworkTitle: "CIS AWS Foundations Benchmark v1.4", + TotalControls: 50, + PassingControls: 50, + FailingControls: 0, + ScorePercent: 100.0, + FailingDetails: []ComplianceControl{}, + } + + t.Run("markdown_no_failing_table", func(t *testing.T) { + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + err := renderer.RenderComplianceReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + assert.Contains(t, output, "## Score: 50/50 Controls Passing (100%)") + assert.NotContains(t, output, "### Failing Controls") + }) + + t.Run("json_round_trip", func(t *testing.T) { + renderer := NewReportRenderer(FormatJSON) + var buf bytes.Buffer + err := renderer.RenderComplianceReport(&buf, report) + require.NoError(t, err) + + var decoded ComplianceReport + err = json.Unmarshal(buf.Bytes(), &decoded) + require.NoError(t, err) + assert.Equal(t, 0, decoded.FailingControls) + assert.Empty(t, decoded.FailingDetails) + }) +} + +func TestNewReportRenderer_DefaultsToMarkdown(t *testing.T) { + // An unknown format should fall back to markdown. + renderer := NewReportRenderer(OutputFormat("unknown")) + var buf bytes.Buffer + + report := &Report{ + GeneratedAt: fixedTime, + TotalFindings: 0, + SeverityCounts: map[Severity]int{}, + Findings: []Finding{}, + } + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + assert.Contains(t, buf.String(), "# Security Report:") +} + +func TestReportTarget(t *testing.T) { + tests := []struct { + name string + stack string + component string + expected string + }{ + {name: "both_set", stack: "prod", component: "vpc", expected: "prod / vpc"}, + {name: "stack_only", stack: "prod", component: "", expected: "prod"}, + {name: "component_only", stack: "", component: "vpc", expected: "All Stacks / vpc"}, + {name: "neither_set", stack: "", component: "", expected: "All Stacks"}, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + assert.Equal(t, tc.expected, reportTarget(tc.stack, tc.component)) + }) + } +} + +func TestSeverityCountsString(t *testing.T) { + counts := map[Severity]int{ + SeverityCritical: 2, + SeverityHigh: 3, + SeverityLow: 1, + } + result := severityCountsString(counts) + assert.Contains(t, result, "2 CRITICAL") + assert.Contains(t, result, "3 HIGH") + assert.Contains(t, result, "1 LOW") + // Medium not in the map, should not appear. + assert.NotContains(t, result, "MEDIUM") +} + +func TestFilterBySeverity(t *testing.T) { + findings := []Finding{ + {ID: "1", Severity: SeverityCritical}, + {ID: "2", Severity: SeverityHigh}, + {ID: "3", Severity: SeverityCritical}, + {ID: "4", Severity: SeverityLow}, + } + + critical := filterBySeverity(findings, SeverityCritical) + assert.Len(t, critical, 2) + assert.Equal(t, "1", critical[0].ID) + assert.Equal(t, "3", critical[1].ID) + + medium := filterBySeverity(findings, SeverityMedium) + assert.Empty(t, medium) +} + +func TestCountMappedBySeverity(t *testing.T) { + findings := []Finding{ + {ID: "1", Severity: SeverityHigh, Mapping: &ComponentMapping{Mapped: true}}, + {ID: "2", Severity: SeverityHigh, Mapping: nil}, + {ID: "3", Severity: SeverityHigh, Mapping: &ComponentMapping{Mapped: false}}, + {ID: "4", Severity: SeverityLow, Mapping: &ComponentMapping{Mapped: true}}, + } + + mapped, unmapped := countMappedBySeverity(findings, SeverityHigh) + assert.Equal(t, 1, mapped) + assert.Equal(t, 2, unmapped) + + mapped, unmapped = countMappedBySeverity(findings, SeverityLow) + assert.Equal(t, 1, mapped) + assert.Equal(t, 0, unmapped) + + mapped, unmapped = countMappedBySeverity(findings, SeverityCritical) + assert.Equal(t, 0, mapped) + assert.Equal(t, 0, unmapped) +} + +func TestRenderRemediationMarkdown_AllFields(t *testing.T) { + report := &Report{ + GeneratedAt: time.Date(2026, 4, 2, 12, 0, 0, 0, time.UTC), + Stack: "prod-us-east-1", + TotalFindings: 1, + SeverityCounts: map[Severity]int{SeverityHigh: 1}, + MappedCount: 1, + Findings: []Finding{ + { + ID: "full-001", + Title: "EBS volume not encrypted", + Severity: SeverityHigh, + Source: SourceSecurityHub, + ResourceARN: "arn:aws:ec2:us-east-1:123:volume/vol-abc", + Mapping: &ComponentMapping{ + Component: "ebs", + Stack: "prod-us-east-1", + Mapped: true, + }, + Remediation: &Remediation{ + RootCause: "Encryption not enabled on the EBS volume.", + Steps: []string{"Add encryption variable to stack config", "Apply the change"}, + CodeChanges: []CodeChange{{FilePath: "main.tf", Before: "encrypted = false", After: "encrypted = true"}}, + StackChanges: "vars:\n encryption_enabled: true", + DeployCommand: "atmos terraform apply ebs -s prod-us-east-1", + RiskLevel: "low", + References: []string{"https://docs.aws.amazon.com/ebs", "CIS 2.2.1"}, + }, + }, + }, + } + + var buf strings.Builder + renderer := NewReportRenderer(FormatMarkdown) + require.NoError(t, renderer.RenderSecurityReport(&buf, report)) + output := buf.String() + + // Root cause. + assert.Contains(t, output, "**Root Cause:** Encryption not enabled") + + // Steps. + assert.Contains(t, output, "**Steps:**") + assert.Contains(t, output, "1. Add encryption variable to stack config") + assert.Contains(t, output, "2. Apply the change") + + // Code changes. + assert.Contains(t, output, "**Code Changes:**") + assert.Contains(t, output, "File: `main.tf`") + assert.Contains(t, output, "- encrypted = false") + assert.Contains(t, output, "+ encrypted = true") + + // Stack changes. + assert.Contains(t, output, "**Stack Changes:**") + assert.Contains(t, output, "encryption_enabled: true") + + // Deploy. + assert.Contains(t, output, "**Deploy:** `atmos terraform apply ebs -s prod-us-east-1`") + + // Risk. + assert.Contains(t, output, "**Risk:** low") + + // References. + assert.Contains(t, output, "**References:**") + assert.Contains(t, output, "- https://docs.aws.amazon.com/ebs") + assert.Contains(t, output, "- CIS 2.2.1") +} + +func TestRenderRemediationMarkdown_DescriptionFallback(t *testing.T) { + // When no structured fields are populated, falls back to Description. + report := &Report{ + GeneratedAt: time.Date(2026, 4, 2, 12, 0, 0, 0, time.UTC), + TotalFindings: 1, + SeverityCounts: map[Severity]int{SeverityLow: 1}, + Findings: []Finding{ + { + ID: "fallback-001", + Title: "Minor issue", + Severity: SeverityLow, + Source: SourceConfig, + Remediation: &Remediation{ + Description: "This is a plain text description from the AI.", + }, + }, + }, + } + + var buf strings.Builder + renderer := NewReportRenderer(FormatMarkdown) + require.NoError(t, renderer.RenderSecurityReport(&buf, report)) + output := buf.String() + + assert.Contains(t, output, "This is a plain text description from the AI.") +} + +func TestRenderCSV_WithRemediation(t *testing.T) { + report := &Report{ + TotalFindings: 1, + Findings: []Finding{ + { + ID: "csv-001", + Title: "Test", + Severity: SeverityHigh, + Source: SourceSecurityHub, + Mapping: &ComponentMapping{ + Stack: "prod", + Component: "vpc", + Mapped: true, + }, + Remediation: &Remediation{ + RootCause: "Missing encryption", + DeployCommand: "atmos terraform apply vpc -s prod", + RiskLevel: "medium", + }, + }, + }, + } + + var buf strings.Builder + renderer := NewReportRenderer(FormatCSV) + require.NoError(t, renderer.RenderSecurityReport(&buf, report)) + + r := csv.NewReader(strings.NewReader(buf.String())) + records, err := r.ReadAll() + require.NoError(t, err) + require.Len(t, records, 2) // header + 1 row. + + // Verify new CSV columns. + assert.Equal(t, "root_cause", records[0][10]) + assert.Equal(t, "deploy_command", records[0][11]) + assert.Equal(t, "risk_level", records[0][12]) + + // Verify data. + assert.Equal(t, "Missing encryption", records[1][10]) + assert.Equal(t, "atmos terraform apply vpc -s prod", records[1][11]) + assert.Equal(t, "medium", records[1][12]) +} + +func TestReportTarget_ComponentOnly(t *testing.T) { + // When only component is set (no stack), should show "All Stacks / component". + result := reportTarget("", "vpc") + assert.Equal(t, "All Stacks / vpc", result) +} + +func TestRenderGroupedFindingMarkdown_WithRemediation(t *testing.T) { + // Verify grouped finding rendering includes remediation from the first finding that has one. + findings := []Finding{ + { + ID: "g1", + Title: "S3 bucket public access", + Description: "Multiple S3 buckets have public access.", + Severity: SeverityCritical, + Source: SourceSecurityHub, + ResourceARN: "arn:aws:s3:::bucket-one", + AccountID: "111111111111", + Mapping: &ComponentMapping{ + Stack: "prod-ue1", + Component: "s3-bucket", + Mapped: true, + Confidence: ConfidenceExact, + Method: "tag", + }, + Remediation: nil, // First finding has no remediation. + }, + { + ID: "g2", + Title: "S3 bucket public access", + Severity: SeverityCritical, + Source: SourceSecurityHub, + ResourceARN: "arn:aws:s3:::bucket-two", + AccountID: "222222222222", + Mapping: nil, // Unmapped. + Remediation: &Remediation{ + RootCause: "Block public access not configured.", + DeployCommand: "atmos terraform apply s3-bucket -s prod-ue1", + RiskLevel: "low", + }, + }, + } + + report := &Report{ + GeneratedAt: fixedTime, + TotalFindings: 2, + SeverityCounts: map[Severity]int{ + SeverityCritical: 2, + }, + MappedCount: 1, + UnmappedCount: 1, + Findings: findings, + GroupFindings: true, + } + + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + + // Verify grouped header with occurrence count. + assert.Contains(t, output, "(2 occurrences)") + + // Verify the resource table is present. + assert.Contains(t, output, "| Resource | Account | Component | Stack | Mapped By | Confidence |") + assert.Contains(t, output, "111111111111") + assert.Contains(t, output, "222222222222") + + // Verify the unmapped row shows *unmapped*. + assert.Contains(t, output, "*unmapped*") + + // Verify remediation from the second finding is rendered. + assert.Contains(t, output, "**Root Cause:** Block public access not configured.") + assert.Contains(t, output, "**Deploy:** `atmos terraform apply s3-bucket -s prod-ue1`") + assert.Contains(t, output, "**Risk:** low") +} + +func TestRenderGroupedFindingMarkdown_WithResourceTags(t *testing.T) { + // Verify grouped findings render resource tags in a collapsible section. + findings := []Finding{ + { + ID: "t1", + Title: "Security group issue", + Severity: SeverityHigh, + Source: SourceConfig, + ResourceARN: "arn:aws:ec2:us-east-1:123:security-group/sg-aaa", + AccountID: "123", + ResourceTags: map[string]string{ + "Name": "prod-vpc-sg", + "Environment": "production", + }, + }, + { + ID: "t2", + Title: "Security group issue", + Severity: SeverityHigh, + Source: SourceConfig, + ResourceARN: "arn:aws:ec2:us-east-1:456:security-group/sg-bbb", + AccountID: "456", + // No tags on this one. + }, + } + + report := &Report{ + GeneratedAt: fixedTime, + TotalFindings: 2, + SeverityCounts: map[Severity]int{SeverityHigh: 2}, + Findings: findings, + GroupFindings: true, + } + + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + + // Should show the tags section with 1 resource having tags. + assert.Contains(t, output, "Resource Tags (1 resources with tags)") + assert.Contains(t, output, "`Environment` = `production`") + // The Name tag should be used as the label. + assert.Contains(t, output, "**prod-vpc-sg:**") +} + +func TestRenderSecurityReport_InformationalSeverityInSummary(t *testing.T) { + // Verify INFORMATIONAL severity appears in the summary table and counts string. + report := &Report{ + GeneratedAt: fixedTime, + TotalFindings: 2, + SeverityCounts: map[Severity]int{ + SeverityHigh: 1, + SeverityInformational: 1, + }, + MappedCount: 2, + UnmappedCount: 0, + Findings: []Finding{ + { + ID: "i1", + Title: "High severity finding", + Severity: SeverityHigh, + Source: SourceSecurityHub, + Mapping: &ComponentMapping{Mapped: true, Stack: "prod", Component: "vpc"}, + }, + { + ID: "i2", + Title: "Info finding", + Severity: SeverityInformational, + Source: SourceConfig, + Mapping: &ComponentMapping{Mapped: true, Stack: "prod", Component: "s3"}, + }, + }, + } + + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + + // Verify INFORMATIONAL appears in findings header. + assert.Contains(t, output, "## INFORMATIONAL Findings (1)") + // Verify INFORMATIONAL row in summary table. + assert.Contains(t, output, "| INFORMATIONAL | 1 | 1 | 0 |") + // Verify severity counts string includes INFORMATIONAL. + assert.Contains(t, output, "1 INFORMATIONAL") +} + +func TestRenderSecurityReport_TagMappingHintInUnmappedNote(t *testing.T) { + // When TagMapping is set, the unmapped note should reference the specific tag keys. + report := &Report{ + GeneratedAt: fixedTime, + TotalFindings: 1, + SeverityCounts: map[Severity]int{ + SeverityMedium: 1, + }, + MappedCount: 0, + UnmappedCount: 1, + Findings: []Finding{ + { + ID: "u1", + Title: "Unmapped finding", + Severity: SeverityMedium, + Source: SourceGuardDuty, + Mapping: nil, + }, + }, + TagMapping: &AWSSecurityTagMapping{ + StackTag: "mycompany:stack", + ComponentTag: "mycompany:component", + }, + } + + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + + // Verify the tag mapping hint uses the configured tag names. + assert.Contains(t, output, "`mycompany:stack` and `mycompany:component` tags") +} + +func TestRenderComplianceReport_CSV_EmptyFailingDetails(t *testing.T) { + // CSV compliance renderer with no failing controls should produce header only. + report := &ComplianceReport{ + GeneratedAt: fixedTime, + Framework: "cis-1.4", + FrameworkTitle: "CIS", + TotalControls: 10, + PassingControls: 10, + FailingControls: 0, + FailingDetails: []ComplianceControl{}, + } + + renderer := NewReportRenderer(FormatCSV) + var buf bytes.Buffer + err := renderer.RenderComplianceReport(&buf, report) + require.NoError(t, err) + + reader := csv.NewReader(strings.NewReader(buf.String())) + records, err := reader.ReadAll() + require.NoError(t, err) + + // Should have header row only. + require.Len(t, records, 1) + assert.Equal(t, "control_id", records[0][0]) +} + +func TestRenderComplianceReport_MarkdownNoStack(t *testing.T) { + // When stack is empty, the **Stack:** line should not appear. + report := &ComplianceReport{ + GeneratedAt: fixedTime, + Framework: "pci-dss", + FrameworkTitle: "PCI DSS", + TotalControls: 20, + PassingControls: 20, + FailingControls: 0, + ScorePercent: 100.0, + FailingDetails: []ComplianceControl{}, + } + + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + err := renderer.RenderComplianceReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + + assert.NotContains(t, output, "**Stack:**") + assert.Contains(t, output, "**Framework:** PCI DSS") +} + +func TestSeverityCountsString_Empty(t *testing.T) { + // Empty counts should produce an empty string. + result := severityCountsString(map[Severity]int{}) + assert.Equal(t, "", result) +} + +func TestSeverityCountsString_AllSeverities(t *testing.T) { + // Verify ordering: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL. + counts := map[Severity]int{ + SeverityInformational: 5, + SeverityCritical: 1, + SeverityHigh: 2, + SeverityMedium: 3, + SeverityLow: 4, + } + result := severityCountsString(counts) + // Verify all are present. + assert.Contains(t, result, "1 CRITICAL") + assert.Contains(t, result, "2 HIGH") + assert.Contains(t, result, "3 MEDIUM") + assert.Contains(t, result, "4 LOW") + assert.Contains(t, result, "5 INFORMATIONAL") + + // Verify ordering by checking index positions. + critIdx := strings.Index(result, "CRITICAL") + highIdx := strings.Index(result, "HIGH") + medIdx := strings.Index(result, "MEDIUM") + lowIdx := strings.Index(result, "LOW") + infoIdx := strings.Index(result, "INFORMATIONAL") + assert.Less(t, critIdx, highIdx, "CRITICAL should come before HIGH") + assert.Less(t, highIdx, medIdx, "HIGH should come before MEDIUM") + assert.Less(t, medIdx, lowIdx, "MEDIUM should come before LOW") + assert.Less(t, lowIdx, infoIdx, "LOW should come before INFORMATIONAL") +} + +func TestRenderFindingMarkdown_WithResourceTags(t *testing.T) { + // Verify that resource tags are rendered when present on a single finding. + report := &Report{ + GeneratedAt: fixedTime, + TotalFindings: 1, + SeverityCounts: map[Severity]int{SeverityLow: 1}, + Findings: []Finding{ + { + ID: "tag-001", + Title: "Tagged finding", + Severity: SeverityLow, + Source: SourceConfig, + ResourceARN: "arn:aws:ec2:us-east-1:123:instance/i-tagged", + ResourceTags: map[string]string{ + "Team": "platform", + "Service": "api", + }, + }, + }, + } + + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + + assert.Contains(t, output, "**Resource Tags:**") + assert.Contains(t, output, "`Team` = `platform`") + assert.Contains(t, output, "`Service` = `api`") +} + +func TestRenderFindingMarkdown_WithAccountID(t *testing.T) { + // Verify that AccountID is rendered in the finding details. + report := &Report{ + GeneratedAt: fixedTime, + TotalFindings: 1, + SeverityCounts: map[Severity]int{SeverityMedium: 1}, + Findings: []Finding{ + { + ID: "acct-001", + Title: "Finding with account", + Severity: SeverityMedium, + Source: SourceSecurityHub, + ResourceARN: "arn:aws:s3:::test", + AccountID: "123456789012", + }, + }, + } + + renderer := NewReportRenderer(FormatMarkdown) + var buf bytes.Buffer + err := renderer.RenderSecurityReport(&buf, report) + require.NoError(t, err) + + output := buf.String() + assert.Contains(t, output, "| **Account** | 123456789012 |") +} diff --git a/pkg/aws/security/types.go b/pkg/aws/security/types.go new file mode 100644 index 0000000000..9f5264dfa7 --- /dev/null +++ b/pkg/aws/security/types.go @@ -0,0 +1,178 @@ +package security + +import ( + "strings" + "time" + + errUtils "github.com/cloudposse/atmos/errors" + "github.com/cloudposse/atmos/pkg/schema" +) + +// Severity represents a security finding severity level. +type Severity string + +const ( + SeverityCritical Severity = "CRITICAL" + SeverityHigh Severity = "HIGH" + SeverityMedium Severity = "MEDIUM" + SeverityLow Severity = "LOW" + SeverityInformational Severity = "INFORMATIONAL" +) + +// Source represents the AWS security service that generated a finding. +type Source string + +const ( + SourceSecurityHub Source = "security-hub" + SourceConfig Source = "config" + SourceInspector Source = "inspector" + SourceGuardDuty Source = "guardduty" + SourceMacie Source = "macie" + SourceAccessAnalyzer Source = "access-analyzer" + SourceAll Source = "all" +) + +// MappingConfidence represents how confident the finding-to-code mapping is. +type MappingConfidence string + +const ( + ConfidenceExact MappingConfidence = "exact" // Tag-based (Path A). + ConfidenceHigh MappingConfidence = "high" // Terraform state match. + ConfidenceMedium MappingConfidence = "medium" // Naming convention match. + ConfidenceLow MappingConfidence = "low" // Resource type + AI inference. + ConfidenceNone MappingConfidence = "none" // No match found. +) + +// Finding represents a normalized security finding from any AWS security service. +type Finding struct { + ID string `json:"id" yaml:"id"` + Title string `json:"title" yaml:"title"` + Description string `json:"description" yaml:"description"` + Severity Severity `json:"severity" yaml:"severity"` + Source Source `json:"source" yaml:"source"` + ComplianceStandard string `json:"compliance_standard,omitempty" yaml:"compliance_standard,omitempty"` + SecurityControlID string `json:"security_control_id,omitempty" yaml:"security_control_id,omitempty"` // Per-control ID (e.g., "EC2.18") for compliance deduplication. + ResourceARN string `json:"resource_arn" yaml:"resource_arn"` + ResourceType string `json:"resource_type" yaml:"resource_type"` + ResourceTags map[string]string `json:"resource_tags,omitempty" yaml:"resource_tags,omitempty"` // Tags from the Security Hub finding (no extra API call needed). + AccountID string `json:"account_id" yaml:"account_id"` + Region string `json:"region" yaml:"region"` + CreatedAt time.Time `json:"created_at" yaml:"created_at"` + UpdatedAt time.Time `json:"updated_at" yaml:"updated_at"` + Mapping *ComponentMapping `json:"mapping,omitempty" yaml:"mapping,omitempty"` + Remediation *Remediation `json:"remediation,omitempty" yaml:"remediation,omitempty"` +} + +// ComponentMapping represents the resolved mapping from a finding to an Atmos component/stack. +type ComponentMapping struct { + Stack string `json:"stack" yaml:"stack"` + Component string `json:"component" yaml:"component"` + ComponentPath string `json:"component_path" yaml:"component_path"` + Workspace string `json:"workspace,omitempty" yaml:"workspace,omitempty"` + Mapped bool `json:"mapped" yaml:"mapped"` + Confidence MappingConfidence `json:"confidence" yaml:"confidence"` + Method string `json:"method" yaml:"method"` // How the mapping was determined (e.g., "tag", "state", "naming", "ai"). +} + +// Remediation contains AI-generated remediation details for a finding. +// This is the output contract — every AI provider must populate these fields +// following the same structure, ensuring consistent and reproducible output. +type Remediation struct { + Description string `json:"description" yaml:"description"` // Brief summary of the remediation. + RootCause string `json:"root_cause,omitempty" yaml:"root_cause,omitempty"` // Why this finding exists in the infrastructure. + Steps []string `json:"steps,omitempty" yaml:"steps,omitempty"` // Ordered remediation steps. + CodeChanges []CodeChange `json:"code_changes,omitempty" yaml:"code_changes,omitempty"` // Specific Terraform/HCL changes. + StackChanges string `json:"stack_changes,omitempty" yaml:"stack_changes,omitempty"` // Specific stack YAML changes. + DeployCommand string `json:"deploy_command,omitempty" yaml:"deploy_command,omitempty"` // atmos terraform apply -s . + RiskLevel string `json:"risk_level,omitempty" yaml:"risk_level,omitempty"` // low, medium, high. + References []string `json:"references,omitempty" yaml:"references,omitempty"` // AWS docs, CIS benchmarks, etc. +} + +// CodeChange represents a specific code change in a Terraform file. +type CodeChange struct { + FilePath string `json:"file_path" yaml:"file_path"` + Line int `json:"line,omitempty" yaml:"line,omitempty"` + Before string `json:"before" yaml:"before"` + After string `json:"after" yaml:"after"` +} + +// Report represents a complete security or compliance analysis report. +type Report struct { + GeneratedAt time.Time `json:"generated_at" yaml:"generated_at"` + Stack string `json:"stack,omitempty" yaml:"stack,omitempty"` + Component string `json:"component,omitempty" yaml:"component,omitempty"` + TotalFindings int `json:"total_findings" yaml:"total_findings"` + SeverityCounts map[Severity]int `json:"severity_counts" yaml:"severity_counts"` + Findings []Finding `json:"findings" yaml:"findings"` + MappedCount int `json:"mapped_count" yaml:"mapped_count"` + UnmappedCount int `json:"unmapped_count" yaml:"unmapped_count"` + TagMapping *AWSSecurityTagMapping `json:"-" yaml:"-"` // Display-only: configured tag keys for unmapped findings message. + GroupFindings bool `json:"-" yaml:"-"` // Display-only: group duplicate findings in Markdown output. +} + +// AWSSecurityTagMapping is re-exported from schema for use in reports. +type AWSSecurityTagMapping = schema.AWSSecurityTagMapping + +// ComplianceReport represents a compliance posture report for a specific framework. +type ComplianceReport struct { + GeneratedAt time.Time `json:"generated_at" yaml:"generated_at"` + Stack string `json:"stack,omitempty" yaml:"stack,omitempty"` + Framework string `json:"framework" yaml:"framework"` + FrameworkTitle string `json:"framework_title" yaml:"framework_title"` + TotalControls int `json:"total_controls" yaml:"total_controls"` + PassingControls int `json:"passing_controls" yaml:"passing_controls"` + FailingControls int `json:"failing_controls" yaml:"failing_controls"` + ScorePercent float64 `json:"score_percent" yaml:"score_percent"` + FailingDetails []ComplianceControl `json:"failing_details" yaml:"failing_details"` +} + +// ComplianceControl represents a single compliance control and its status. +type ComplianceControl struct { + ControlID string `json:"control_id" yaml:"control_id"` + Title string `json:"title" yaml:"title"` + Severity Severity `json:"severity" yaml:"severity"` + Component string `json:"component,omitempty" yaml:"component,omitempty"` + Stack string `json:"stack,omitempty" yaml:"stack,omitempty"` + Remediation *Remediation `json:"remediation,omitempty" yaml:"remediation,omitempty"` +} + +// QueryOptions contains the filter options for fetching security findings. +type QueryOptions struct { + Stack string + Component string + Severity []Severity + Source Source + Framework string + MaxFindings int + Region string + NoAI bool +} + +// MaxFindingsForLookup is the default max findings when looking up a specific finding by ID. +const MaxFindingsForLookup = 500 + +// OutputFormat represents the desired output format. +type OutputFormat string + +const ( + FormatMarkdown OutputFormat = "markdown" + FormatJSON OutputFormat = "json" + FormatYAML OutputFormat = "yaml" + FormatCSV OutputFormat = "csv" +) + +// ParseOutputFormat validates a format string and returns the corresponding OutputFormat. +func ParseOutputFormat(format string) (OutputFormat, error) { + switch strings.ToLower(format) { + case "markdown", "md", "": + return FormatMarkdown, nil + case "json": + return FormatJSON, nil + case "yaml", "yml": + return FormatYAML, nil + case "csv": + return FormatCSV, nil + default: + return "", errUtils.ErrAWSSecurityInvalidFormat + } +} diff --git a/pkg/aws/security/types_test.go b/pkg/aws/security/types_test.go new file mode 100644 index 0000000000..6e1d2fe730 --- /dev/null +++ b/pkg/aws/security/types_test.go @@ -0,0 +1,55 @@ +package security + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + errUtils "github.com/cloudposse/atmos/errors" +) + +func TestParseOutputFormat(t *testing.T) { + tests := []struct { + name string + input string + expected OutputFormat + wantErr bool + }{ + {"markdown", "markdown", FormatMarkdown, false}, + {"md alias", "md", FormatMarkdown, false}, + {"empty defaults to markdown", "", FormatMarkdown, false}, + {"json", "json", FormatJSON, false}, + {"yaml", "yaml", FormatYAML, false}, + {"yml alias", "yml", FormatYAML, false}, + {"csv", "csv", FormatCSV, false}, + {"case insensitive", "JSON", FormatJSON, false}, + {"mixed case", "Yaml", FormatYAML, false}, + {"invalid", "xml", "", true}, + {"invalid format", "html", "", true}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result, err := ParseOutputFormat(tt.input) + if tt.wantErr { + require.Error(t, err) + } else { + require.NoError(t, err) + assert.Equal(t, tt.expected, result) + } + }) + } +} + +func TestParseOutputFormat_ErrorType(t *testing.T) { + // Verify that invalid format errors return the correct sentinel. + invalidFormats := []string{"xml", "html", "text", "pdf", " "} + + for _, format := range invalidFormats { + t.Run(format, func(t *testing.T) { + _, err := ParseOutputFormat(format) + require.ErrorIs(t, err, errUtils.ErrAWSSecurityInvalidFormat) + }) + } +} diff --git a/pkg/devcontainer/lifecycle_rebuild_test.go b/pkg/devcontainer/lifecycle_rebuild_test.go index 9fc34241a5..cbd862f621 100644 --- a/pkg/devcontainer/lifecycle_rebuild_test.go +++ b/pkg/devcontainer/lifecycle_rebuild_test.go @@ -409,7 +409,7 @@ func TestManager_Rebuild(t *testing.T) { Context: ".", Dockerfile: "Dockerfile", Args: map[string]string{ - "ATMOS_VERSION": "1.214.0", + "ATMOS_VERSION": "1.215.0", }, }, } @@ -431,7 +431,7 @@ func TestManager_Rebuild(t *testing.T) { assert.Equal(t, ".", buildConfig.Context) assert.Equal(t, "Dockerfile", buildConfig.Dockerfile) assert.Equal(t, []string{"atmos-devcontainer-geodesic"}, buildConfig.Tags) - assert.Equal(t, map[string]string{"ATMOS_VERSION": "1.214.0"}, buildConfig.Args) + assert.Equal(t, map[string]string{"ATMOS_VERSION": "1.215.0"}, buildConfig.Args) return nil }) // Pull is NOT called for locally built images since they don't exist diff --git a/pkg/schema/ai.go b/pkg/schema/ai.go index ea2ec191c5..131840b0e3 100644 --- a/pkg/schema/ai.go +++ b/pkg/schema/ai.go @@ -20,6 +20,7 @@ type AISettings struct { Instructions AIInstructionsSettings `yaml:"instructions,omitempty" json:"instructions,omitempty" mapstructure:"instructions"` WebSearch AIWebSearchSettings `yaml:"web_search,omitempty" json:"web_search,omitempty" mapstructure:"web_search"` Context AIContextSettings `yaml:"context,omitempty" json:"context,omitempty" mapstructure:"context"` + // Security settings have been moved to AWS.Security (see aws.go). } // AIProviderConfig contains configuration for a specific AI provider. diff --git a/pkg/schema/aws.go b/pkg/schema/aws.go new file mode 100644 index 0000000000..3e387c9f07 --- /dev/null +++ b/pkg/schema/aws.go @@ -0,0 +1,6 @@ +package schema + +// AWSSettings contains configuration for AWS-specific features. +type AWSSettings struct { + Security AWSSecuritySettings `yaml:"security,omitempty" json:"security,omitempty" mapstructure:"security"` +} diff --git a/pkg/schema/aws_security.go b/pkg/schema/aws_security.go new file mode 100644 index 0000000000..5f8c95896a --- /dev/null +++ b/pkg/schema/aws_security.go @@ -0,0 +1,52 @@ +package schema + +// AWSSecuritySettings contains configuration for AWS security and compliance features. +type AWSSecuritySettings struct { + Enabled bool `yaml:"enabled,omitempty" json:"enabled,omitempty" mapstructure:"enabled"` + Identity string `yaml:"identity,omitempty" json:"identity,omitempty" mapstructure:"identity"` // Atmos Auth identity for AWS credential injection. + Region string `yaml:"region,omitempty" json:"region,omitempty" mapstructure:"region"` // Default AWS region (e.g., Security Hub aggregation region). + Sources AWSSecuritySources `yaml:"sources,omitempty" json:"sources,omitempty" mapstructure:"sources"` + DefaultSeverity []string `yaml:"default_severity,omitempty" json:"default_severity,omitempty" mapstructure:"default_severity"` // Default severity filter (e.g., ["CRITICAL", "HIGH"]). + MaxFindings int `yaml:"max_findings,omitempty" json:"max_findings,omitempty" mapstructure:"max_findings"` // Maximum findings per analysis run (controls AI costs). + TagMapping AWSSecurityTagMapping `yaml:"tag_mapping,omitempty" json:"tag_mapping,omitempty" mapstructure:"tag_mapping"` + AccountMap map[string]string `yaml:"account_map,omitempty" json:"account_map,omitempty" mapstructure:"account_map"` // Account ID → name for account-level findings. + Frameworks []string `yaml:"frameworks,omitempty" json:"frameworks,omitempty" mapstructure:"frameworks"` // Compliance frameworks to track (e.g., ["cis-aws", "pci-dss"]). +} + +// AWSSecuritySources controls which AWS security services to query. +type AWSSecuritySources struct { + SecurityHub bool `yaml:"security_hub,omitempty" json:"security_hub,omitempty" mapstructure:"security_hub"` + Config bool `yaml:"config,omitempty" json:"config,omitempty" mapstructure:"config"` + Inspector bool `yaml:"inspector,omitempty" json:"inspector,omitempty" mapstructure:"inspector"` + GuardDuty bool `yaml:"guardduty,omitempty" json:"guardduty,omitempty" mapstructure:"guardduty"` + Macie bool `yaml:"macie,omitempty" json:"macie,omitempty" mapstructure:"macie"` + AccessAnalyzer bool `yaml:"access_analyzer,omitempty" json:"access_analyzer,omitempty" mapstructure:"access_analyzer"` +} + +// AWSSecurityTagMapping configures the tag keys used for finding-to-code mapping. +// Only two tags are needed: one for the stack name and one for the component name. +// These are configurable so organizations can use their own tagging standards. +type AWSSecurityTagMapping struct { + StackTag string `yaml:"stack_tag,omitempty" json:"stack_tag,omitempty" mapstructure:"stack_tag"` // Default: "atmos:stack". + ComponentTag string `yaml:"component_tag,omitempty" json:"component_tag,omitempty" mapstructure:"component_tag"` // Default: "atmos:component". +} + +// DefaultAWSSecurityTagMapping returns the default tag mapping for finding-to-code resolution. +func DefaultAWSSecurityTagMapping() AWSSecurityTagMapping { + return AWSSecurityTagMapping{ + StackTag: "atmos:stack", + ComponentTag: "atmos:component", + } +} + +// DefaultAWSSecuritySources returns default AWS security sources (Security Hub primary). +func DefaultAWSSecuritySources() AWSSecuritySources { + return AWSSecuritySources{ + SecurityHub: true, + Config: true, + Inspector: true, + GuardDuty: true, + Macie: false, + AccessAnalyzer: false, + } +} diff --git a/pkg/schema/schema.go b/pkg/schema/schema.go index 6388508841..6bd9f74947 100644 --- a/pkg/schema/schema.go +++ b/pkg/schema/schema.go @@ -104,6 +104,8 @@ type AtmosConfiguration struct { CI CIConfig `yaml:"ci,omitempty" json:"ci,omitempty" mapstructure:"ci"` // AI settings. AI AISettings `yaml:"ai,omitempty" json:"ai,omitempty" mapstructure:"ai"` + // AWS settings. + AWS AWSSettings `yaml:"aws,omitempty" json:"aws,omitempty" mapstructure:"aws"` // MCP (Model Context Protocol) server settings. MCP MCPSettings `yaml:"mcp,omitempty" json:"mcp,omitempty" mapstructure:"mcp"` // LSP settings. diff --git a/pkg/ui/formatter.go b/pkg/ui/formatter.go index 5f7a7f78ec..6c7f2f7725 100644 --- a/pkg/ui/formatter.go +++ b/pkg/ui/formatter.go @@ -970,7 +970,11 @@ func (f *formatter) renderMarkdown(content string, preserveNewlines bool) (strin opts = append(opts, glamour.WithPreservedNewLines()) } - // Use theme-aware glamour styles + // Use atmos-configured color profile (not glamour's auto-detection) to ensure + // consistent color rendering across all output paths. + opts = append(opts, glamour.WithColorProfile(lipgloss.DefaultRenderer().ColorProfile())) + + // Use theme-aware glamour styles. if f.terminal.ColorProfile() != terminal.ColorNone { themeName := f.ioCtx.Config().AtmosConfig.Settings.Terminal.Theme if themeName == "" { @@ -980,7 +984,7 @@ func (f *formatter) renderMarkdown(content string, preserveNewlines bool) (strin if err == nil { opts = append(opts, glamour.WithStylesFromJSONBytes(glamourStyle)) } - // Fallback to notty style if theme conversion fails + // Fallback to notty style if theme conversion fails. } else { opts = append(opts, glamour.WithStylePath("notty")) } diff --git a/tests/fixtures/scenarios/native-ci/github-output.txt b/tests/fixtures/scenarios/native-ci/github-output.txt index f64f0a9312..ff3e4ce171 100644 --- a/tests/fixtures/scenarios/native-ci/github-output.txt +++ b/tests/fixtures/scenarios/native-ci/github-output.txt @@ -42,3 +42,84 @@ atmos terraform plan mycomponent -s prod EOF exit_code=0 has_changes=false +summary< [![create](https://shields.io/badge/PLAN-CREATE-success?style=for-the-badge)](#user-content-create-prod-mycomponent) +
Plan: 1 to add, 0 to change, 0 to destroy. + +
+To reproduce this locally, run:

+ +```shell +atmos terraform plan mycomponent -s prod +``` + +--- + +### Create +```diff ++ null_resource.test +``` +
+ +
Terraform Plan Summary + +```hcl + + + # null_resource.test will be created + + resource "null_resource" "test" { + + id = (known after apply) + + triggers = { + + "test" = "test" + } + } + +Plan: 1 to add, 0 to change, 0 to destroy. + +Changes to Outputs: + + bar = "bar prod override" + + baz = "baz catalog default" + + foo = "foo prod override" +╷ +│ Warning: Value for undeclared variable +│ +│ The root module does not declare a variable named "stage" but a value was +│ found in file "prod-mycomponent.terraform.tfvars.json". If you meant to use +│ this value, add a "variable" block to the configuration. +│ +│ To silence these warnings, use TF_VAR_... environment variables to provide +│ certain "global" settings to all configurations in your organization. To +│ reduce the verbosity of these warnings, use the -compact-warnings option. +╵ + + +Workspace "prod-mycomponent" doesn't exist. + +You can create this workspace with the "new" subcommand +or include the "-or-create" flag with the "select" subcommand. + +``` + +
+ + +> [!WARNING] +> ``` +> Warning: Value for undeclared variable +> +> The root module does not declare a variable named "stage" but a value was +> found in file "prod-mycomponent.terraform.tfvars.json". If you meant to use +> this value, add a "variable" block to the configuration. +> +> To silence these warnings, use TF_VAR_... environment variables to provide +> certain "global" settings to all configurations in your organization. To +> reduce the verbosity of these warnings, use the -compact-warnings option. +> ``` + +EOF +has_changes=true +has_errors=false +exit_code=0 diff --git a/tests/fixtures/scenarios/native-ci/github-step-summary.txt b/tests/fixtures/scenarios/native-ci/github-step-summary.txt index c424000c07..ec36e662c3 100644 --- a/tests/fixtures/scenarios/native-ci/github-step-summary.txt +++ b/tests/fixtures/scenarios/native-ci/github-step-summary.txt @@ -30,3 +30,78 @@ atmos terraform plan mycomponent -s prod --- + +## Changes Found for `mycomponent` in `prod` + + [![create](https://shields.io/badge/PLAN-CREATE-success?style=for-the-badge)](#user-content-create-prod-mycomponent) +
Plan: 1 to add, 0 to change, 0 to destroy. + +
+To reproduce this locally, run:

+ +```shell +atmos terraform plan mycomponent -s prod +``` + +--- + +### Create +```diff ++ null_resource.test +``` +
+ +
Terraform Plan Summary + +```hcl + + + # null_resource.test will be created + + resource "null_resource" "test" { + + id = (known after apply) + + triggers = { + + "test" = "test" + } + } + +Plan: 1 to add, 0 to change, 0 to destroy. + +Changes to Outputs: + + bar = "bar prod override" + + baz = "baz catalog default" + + foo = "foo prod override" +╷ +│ Warning: Value for undeclared variable +│ +│ The root module does not declare a variable named "stage" but a value was +│ found in file "prod-mycomponent.terraform.tfvars.json". If you meant to use +│ this value, add a "variable" block to the configuration. +│ +│ To silence these warnings, use TF_VAR_... environment variables to provide +│ certain "global" settings to all configurations in your organization. To +│ reduce the verbosity of these warnings, use the -compact-warnings option. +╵ + + +Workspace "prod-mycomponent" doesn't exist. + +You can create this workspace with the "new" subcommand +or include the "-or-create" flag with the "select" subcommand. + +``` + +
+ + +> [!WARNING] +> ``` +> Warning: Value for undeclared variable +> +> The root module does not declare a variable named "stage" but a value was +> found in file "prod-mycomponent.terraform.tfvars.json". If you meant to use +> this value, add a "variable" block to the configuration. +> +> To silence these warnings, use TF_VAR_... environment variables to provide +> certain "global" settings to all configurations in your organization. To +> reduce the verbosity of these warnings, use the -compact-warnings option. +> ``` diff --git a/tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden b/tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden index 43ec2e7569..84057ac21c 100644 --- a/tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden +++ b/tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden @@ -285,6 +285,12 @@ "web_search": {}, "context": {} }, + "aws": { + "security": { + "sources": {}, + "tag_mapping": {} + } + }, "mcp": { "routing": {} }, diff --git a/tests/snapshots/TestCLICommands_secrets-masking_describe_config.stdout.golden b/tests/snapshots/TestCLICommands_secrets-masking_describe_config.stdout.golden index 9b2ecb6b0e..d724324f48 100644 --- a/tests/snapshots/TestCLICommands_secrets-masking_describe_config.stdout.golden +++ b/tests/snapshots/TestCLICommands_secrets-masking_describe_config.stdout.golden @@ -290,6 +290,12 @@ "web_search": {}, "context": {} }, + "aws": { + "security": { + "sources": {}, + "tag_mapping": {} + } + }, "mcp": { "routing": {} }, diff --git a/website/blog/2026-04-03-aws-security-compliance.mdx b/website/blog/2026-04-03-aws-security-compliance.mdx new file mode 100644 index 0000000000..4e76c43022 --- /dev/null +++ b/website/blog/2026-04-03-aws-security-compliance.mdx @@ -0,0 +1,365 @@ +--- +slug: aws-security-compliance +title: "Analyze AWS Security Findings and Map Them to Your Infrastructure" +authors: [aknysh] +tags: [feature] +--- + +import File from '@site/src/components/File' +import ActionCard from '@site/src/components/ActionCard' +import PrimaryCTA from '@site/src/components/PrimaryCTA' + +Atmos can now pull security findings from AWS Security Hub, map them to the exact Atmos +components and stacks that manage the affected resources, and generate structured remediation +reports — all from a single command. + + + +## Why This Matters + +Reviewing AWS security findings today means navigating Security Hub, cross-referencing resources +with Terraform code, and manually figuring out which stack configuration caused the issue. This is +slow and requires deep AWS + Terraform expertise. + +With `atmos aws security analyze`, one command replaces that entire workflow: + +```bash +atmos aws security analyze --stack prod-us-east-1 +``` + +The command fetches findings, maps them to your Atmos components via resource tags, and shows +which code manages each affected resource. Add `--ai` for AI-powered remediation with specific +code changes and deploy commands. + +## Quick Start + + +```yaml +aws: + security: + enabled: true + identity: "security-readonly" # Atmos Auth identity → Security Hub account + region: "us-east-2" # Security Hub aggregation region + tag_mapping: + stack_tag: "atmos:stack" + component_tag: "atmos:component" +``` + + +```bash +# Authenticate and analyze +atmos auth login +atmos aws security analyze +atmos aws security analyze --ai # With AI remediation +``` + +## What You Get + +**Without `--ai`** — findings with component mapping: + +```text +## CRITICAL Findings (2) + +### 1. S3 bucket without encryption + +| Field | Value | +|-------|-------| +| **Severity** | CRITICAL | +| **Source** | security-hub (CIS-1.4) | +| **Resource** | `arn:aws:s3:::my-bucket` | +| **Component** | s3-bucket | +| **Stack** | prod-us-east-1 | +| **Confidence** | exact | +``` + +**With `--ai`** — adds structured remediation: + +```text +#### Remediation + +**Root Cause:** The S3 bucket was provisioned without enabling versioning. + +**Steps:** +1. Add versioning_enabled variable to the stack configuration +2. Apply the change + +**Stack Changes:** + vars: + versioning_enabled: true + +**Deploy:** `atmos terraform apply s3-bucket -s prod-us-east-1` + +**Risk:** low +``` + +## Key Features + +- **Finding-to-code mapping** — traces AWS resources back to Atmos components via tags or naming heuristics +- **Atmos Auth integration** — `identity` field targets the Security Hub delegated admin account +- **Multi-turn AI analysis** — API providers can call `atmos_describe_component`, `read_component_file` to gather context before generating remediation +- **CLI provider support** — Claude Code and Codex CLI fall back to enriched single-prompt mode +- **Compliance reports** — `atmos aws compliance report --framework cis-aws` for framework-specific posture +- **Four output formats** — Markdown (terminal), JSON (CI/CD), YAML (config), CSV (spreadsheets) +- **Structured schema** — every output follows the same schema regardless of AI provider + +## Commands + +```bash +# All findings across all stacks +atmos aws security analyze + +# Filter by stack and/or component +atmos aws security analyze --stack prod-us-east-1 +atmos aws security analyze --stack prod-us-east-1 --component vpc + +# Filter by severity or source +atmos aws security analyze --severity critical,high --source guardduty + +# AI-powered remediation (deduplicates findings, retries on errors) +atmos aws security analyze --stack prod-us-east-1 --ai + +# Save to file in any format +atmos aws security analyze --format json --file findings.json +atmos aws security analyze --stack prod-us-east-1 --file report.md +atmos aws security analyze --format csv --file audit.csv + +# Compliance reports +atmos aws compliance report --framework cis-aws +atmos aws compliance report --framework pci-dss --format json --file compliance.json + +# Override identity or region at runtime +atmos aws security analyze --identity security-admin --region us-west-2 +``` + +## See It in Action + +Tested against a multi-account AWS organization (11 accounts, Security Hub delegated admin, +500 findings fetched, 97% mapped to Atmos components). + +**Without `--ai`** — findings mapped to components: + +```text +$ atmos aws security analyze --stack plat-use2-dev --component rds/example + +ℹ Fetching security findings... +ℹ Mapping 500 findings to Atmos components... +ℹ Filtered to 4 findings matching stack="plat-use2-dev" component="rds/example" + +# Security Report: plat-use2-dev / rds/example + +Findings: 4 (1 CRITICAL, 3 HIGH) + +## CRITICAL Findings (1) + +### 1. Security groups should not allow unrestricted access to ports with high risk + +| Field | Value | +|----------------|--------------------------------------------------------------| +| **Severity** | CRITICAL | +| **Source** | security-hub (aws-foundational-security-best-practices/1.0) | +| **Resource** | arn:aws:ec2:us-east-2:***:security-group/sg-*** | +| **Component** | rds/example | +| **Stack** | plat-use2-dev | +| **Confidence** | exact | +| **Mapped By** | finding-tag | + +Resource Tags: + +• atmos_stack = plat-use2-dev +• atmos_component = rds/example +• terraform_component = rds +• terraform_workspace = plat-use2-dev-rds-example +• Name = acme-plat-use2-dev-example-postgres-db +• Namespace = acme +• Tenant = plat +• Environment = use2 +• Stage = dev + +## HIGH Findings (3) +1. Security groups should only allow unrestricted incoming traffic for authorized ports +2. Security groups should not allow ingress from 0.0.0.0/0 to port 22 +3. Security groups should not allow ingress from 0.0.0.0/0 to port 3389 + +## Summary +| Severity | Count | Mapped | Unmapped | +|-----------|-------|--------|----------| +| CRITICAL | 1 | 1 | 0 | +| HIGH | 3 | 3 | 0 | +| **Total** | **4** | **4** | **0** | +``` + +**With `--ai`** — the AI reads the actual Terraform source and stack config via tools, +detects drift, and generates targeted remediation: + +```text +$ atmos aws security analyze --stack plat-use2-dev --component rds/example --ai + +ℹ Analyzing findings with AI... + +✓ AI analysis complete — Security Analysis: rds/example in plat-use2-dev + +## Summary + +The analysis surfaced 4 findings against a single security group — all mapped +with exact confidence to this component via Atmos tags. + +| Severity | Count | +|-------------|-------| +| 🔴 CRITICAL | 1 | +| 🟠 HIGH | 3 | + +## Findings Breakdown + +### 🟠 Finding 1 — EC2.18: Unrestricted Ingress on Unauthorized Port (HIGH) + +Standard: AWS Foundational Security Best Practices v1.0.0 + +Port 5432 (PostgreSQL) is open to 0.0.0.0/0. The likely cause is +allowed_cidr_blocks being set to an overly permissive value — potentially +from commented-out lines in catalog/rds/defaults.yaml that were activated +at some point. + +Fix: Set in catalog/rds/example.yaml: + allowed_cidr_blocks: [] + publicly_accessible: false + +### 🟠 Finding 2 — EC2.13: Unrestricted Ingress on Port 22/SSH (HIGH) + +Standard: CIS AWS Foundations Benchmark v1.2.0 + +⚠️ This is anomalous — port 22 has no business being on an RDS security +group. This strongly suggests an out-of-band manual change was made directly +in the AWS Console, or a referenced SG in associate_security_group_ids +carries a port-22 rule. + +Fix: +1. Immediately audit and manually remove the port-22 rule in the AWS Console +2. Audit any SGs referenced via associate_security_group_ids / security_group_ids +3. Re-apply via Terraform to restore IaC control and eliminate drift + +## Root Cause (Common Thread) + +Both findings stem from the same security group and share a root cause: +var.allowed_cidr_blocks being set too permissively, compounded by possible +out-of-band drift. The cloudposse/rds/aws module internally creates and +manages SG ingress rules based on this variable. + +## Priority Actions + +1. Immediately remove the port-22 inbound rule manually — this is likely + out-of-band drift and poses direct unauthorized access risk + +2. Update catalog/rds/example.yaml to explicitly enforce safe defaults: + allowed_cidr_blocks: [] + publicly_accessible: false + associate_security_group_ids: [] + use_private_subnets: true + +3. Add Terraform validation guards to rds-variables.tf to prevent future + regressions: + validation { + condition = !contains(var.allowed_cidr_blocks, "0.0.0.0/0") + && !contains(var.allowed_cidr_blocks, "::/0") + error_message = "allowed_cidr_blocks must not contain 0.0.0.0/0 or ::/0." + } + +4. Clean up catalog/rds/defaults.yaml — permanently remove (don't just + comment out) any lines with 0.0.0.0/0 or publicly_accessible: true + +5. Plan then apply: + atmos terraform plan rds/example -s plat-use2-dev + atmos terraform apply rds/example -s plat-use2-dev + +## Risk Assessment + +| Finding | Risk | Note | +|----------------------|--------|---------------------------------------------------| +| EC2.18 (port 5432) | Medium | Removing rule breaks direct internet connections | +| | | to DB; client SG-based connections are unaffected | +| EC2.13 (port 22/SSH) | Low | No RDS traffic should depend on SSH; removing | +| | | has no expected legitimate impact | +``` + +The AI used multi-turn tools (`atmos_describe_component`, `read_component_file`) to read +the actual Terraform source and stack config, detected that port 22 on an RDS security group +is anomalous (likely AWS Console drift), identified the common root cause in +`allowed_cidr_blocks`, and generated targeted remediation with Terraform validation guards +to prevent future regressions. Duplicate findings are deduplicated before AI analysis — +one call covers all related findings. + +**Compliance report** — framework-specific posture scoring: + +```text +$ atmos aws compliance report + +# Compliance Report: CIS AWS Foundations Benchmark + +## Score: 35/42 Controls Passing (83%) + +### Failing Controls + +| Control | Title | Severity | +|--------------|--------------------------------------------------------------------------|----------| +| Config.1 | AWS Config should be enabled with service-linked role | CRITICAL | +| EC2.14 | Security groups should not allow ingress from 0.0.0.0/0 to port 3389 | HIGH | +| EC2.13 | Security groups should not allow ingress from 0.0.0.0/0 to port 22 | HIGH | +| S3.1 | S3 buckets should have block public access settings enabled | MEDIUM | +| EC2.6 | VPC flow logging should be enabled in all VPCs | MEDIUM | +| IAM.17 | Ensure IAM password policy expires passwords within 90 days | LOW | +| CloudTrail.7 | Ensure S3 bucket access logging is enabled on CloudTrail S3 bucket | LOW | +``` + +**Compliance with `--ai`** — adds prioritized remediation guidance: + +```text +$ atmos aws compliance report --ai + +✓ AI analysis complete — CIS Foundations Benchmark + +## Overall Status: 🟡 83% Compliant (35/42 controls passing) + +## 🚨 Priority Issues (Fix First) + +### CRITICAL +| Control | Issue | Action | +|----------|-----------------------------------------|--------------------------------------| +| Config.1 | AWS Config not enabled or missing role | Enable in all regions, attach role | + +### HIGH +| Control | Issue | Action | +|---------|-----------------------------------|-----------------------------------------| +| EC2.14 | RDP (port 3389) open to 0.0.0.0/0 | Restrict to known IP ranges or VPN | +| EC2.13 | SSH (port 22) open to 0.0.0.0/0 | Use SSM Session Manager instead of SSH | + +⚠️ Open SSH/RDP to the world is a common attack vector. + +## 🟠 Medium Priority +• S3.1 — Enable S3 Block Public Access at the account level +• EC2.6 — Enable VPC Flow Logs for all VPCs + +## 🟢 Low Priority +• IAM.17 — Set IAM password policy MaxPasswordAge to ≤ 90 days +• CloudTrail.7 — Enable S3 access logging on CloudTrail bucket + +## Recommended Next Steps +1. Lock down security groups for ports 22/3389 +2. Enable AWS Config — also helps detect future drift +3. Run `atmos terraform apply` on security-groups, vpc, config components +4. Re-run this report after remediation to verify score improves +``` + +## Try It + + + Configuration example with auth, tag mapping, AI provider, and all available commands. +
+ Browse Example +
+ + +## Learn More + +- [Security Configuration](/cli/configuration/aws/security) +- [Security Analyze Command](/cli/commands/aws/security/analyze) +- [Compliance Report Command](/cli/commands/aws/compliance/report) +- [Atmos Auth](/cli/configuration/auth) diff --git a/website/docs/cheatsheets/commands.mdx b/website/docs/cheatsheets/commands.mdx index b19b828033..e96ea804b0 100644 --- a/website/docs/cheatsheets/commands.mdx +++ b/website/docs/cheatsheets/commands.mdx @@ -205,7 +205,7 @@ import CardGroup from '@site/src/components/CardGroup' - + ``` atmos aws eks update-kubeconfig ``` diff --git a/website/docs/cli/commands/auth/auth-login.mdx b/website/docs/cli/commands/auth/auth-login.mdx index 9eb74c0d6c..9fdeec685a 100644 --- a/website/docs/cli/commands/auth/auth-login.mdx +++ b/website/docs/cli/commands/auth/auth-login.mdx @@ -137,7 +137,7 @@ Successfully authenticated as dev-admin ✓ EKS kubeconfig: dev-eks → ~/.config/atmos/kube/config ``` -Integration failures are non-blocking - your identity authentication succeeds even if an integration fails. You can retry integrations separately using [`atmos aws ecr login`](/cli/commands/aws/ecr-login) or [`atmos aws eks update-kubeconfig --integration`](/cli/commands/aws/eks-update-kubeconfig). +Integration failures are non-blocking - your identity authentication succeeds even if an integration fails. You can retry integrations separately using [`atmos aws ecr login`](/cli/commands/aws/ecr-login) or [`atmos aws eks update-kubeconfig --integration`](/cli/commands/aws/eks/update-kubeconfig). See [ECR Authentication Tutorial](/tutorials/ecr-authentication) and [EKS Kubeconfig Authentication Tutorial](/tutorials/eks-kubeconfig-authentication) for detailed configuration examples. diff --git a/website/docs/cli/commands/aws/aws-eks-token.mdx b/website/docs/cli/commands/aws/aws-eks-token.mdx index f7b99523bd..dbb865caf7 100644 --- a/website/docs/cli/commands/aws/aws-eks-token.mdx +++ b/website/docs/cli/commands/aws/aws-eks-token.mdx @@ -118,5 +118,5 @@ This means kubectl automatically calls `atmos aws eks token` whenever it needs a - [Auth Login Command](/cli/commands/auth/login) — Authenticate with identities and auto-provision kubeconfig - [EKS Kubeconfig Authentication Tutorial](/tutorials/eks-kubeconfig-authentication) — Step-by-step EKS setup guide -- [AWS EKS Update Kubeconfig](/cli/commands/aws/eks-update-kubeconfig) — Download kubeconfig from EKS clusters +- [AWS EKS Update Kubeconfig](/cli/commands/aws/eks/update-kubeconfig) — Download kubeconfig from EKS clusters - [Auth Configuration](/cli/configuration/auth) — Configure providers, identities, and integrations diff --git a/website/docs/cli/commands/aws/compliance/_category_.json b/website/docs/cli/commands/aws/compliance/_category_.json new file mode 100644 index 0000000000..965f1e41ae --- /dev/null +++ b/website/docs/cli/commands/aws/compliance/_category_.json @@ -0,0 +1,8 @@ +{ + "label": "compliance", + "className": "command", + "link": { + "type": "doc", + "id": "cli/commands/aws/compliance/compliance" + } +} diff --git a/website/docs/cli/commands/aws/compliance/compliance.mdx b/website/docs/cli/commands/aws/compliance/compliance.mdx new file mode 100644 index 0000000000..7b57c6356b --- /dev/null +++ b/website/docs/cli/commands/aws/compliance/compliance.mdx @@ -0,0 +1,29 @@ +--- +title: atmos aws compliance +sidebar_label: compliance +sidebar_class_name: command +id: compliance +description: AWS compliance commands for generating posture reports against industry frameworks +--- +import Intro from '@site/src/components/Intro' +import Screengrab from '@site/src/components/Screengrab' +import DocCardList from '@theme/DocCardList' +import Experimental from '@site/src/components/Experimental' + + +Commands for generating compliance posture reports against industry frameworks. + + + + + + +## Usage + +```shell +atmos aws compliance [flags] +``` + +## Subcommands + + diff --git a/website/docs/cli/commands/aws/compliance/report.mdx b/website/docs/cli/commands/aws/compliance/report.mdx new file mode 100644 index 0000000000..7a626d5244 --- /dev/null +++ b/website/docs/cli/commands/aws/compliance/report.mdx @@ -0,0 +1,192 @@ +--- +title: atmos aws compliance report +sidebar_label: report +sidebar_class_name: command +id: report +description: Generate compliance posture reports against industry frameworks like CIS AWS, PCI DSS, SOC2, HIPAA, and NIST +--- +import Screengrab from '@site/src/components/Screengrab' +import Terminal from '@site/src/components/Terminal' +import DocCardList from '@theme/DocCardList' +import Intro from '@site/src/components/Intro' +import Experimental from '@site/src/components/Experimental' + + +Generate compliance posture reports against industry frameworks. Retrieves compliance status from AWS Security Hub enabled standards, maps failing controls to Atmos components, and generates reports with remediation guidance. + + + + + + +## Description + +The `atmos aws compliance report` command retrieves compliance status from AWS Security Hub enabled standards, maps failing controls to Atmos components that manage the affected resources, and generates reports. It supports multiple compliance frameworks and produces actionable reports that identify exactly which Terraform components need changes to achieve compliance. + +Use it for: +- **Compliance Audits**: Generate reports showing your posture against specific compliance frameworks +- **Remediation Planning**: Identify which Atmos components need changes to fix failing controls +- **Multi-Framework Assessment**: Evaluate your infrastructure against multiple standards simultaneously +- **Continuous Compliance**: Integrate into CI/CD pipelines to track compliance drift over time + +## Usage + +```shell +atmos aws compliance report [flags] +``` + +## Flags + +
+
`--stack, -s`
+
Filter compliance results to a specific Atmos stack (e.g., `prod-us-east-1`).
+ +
`--framework`
+
Compliance framework to evaluate against: `cis-aws`, `pci-dss`, `soc2`, `hipaa`, `nist`. When omitted, reports on all enabled frameworks.
+ +
`--format, -f`
+
Output format: `markdown`, `json`, `yaml`, `csv` (default: `markdown`).
+ +
`--file`
+
Write output to a file instead of stdout. Creates parent directories if they don't exist.
+ +
`--controls`
+
Comma-separated list of specific control IDs to evaluate (e.g., `CIS.1.1,CIS.1.2`).
+ +
`--identity, -i`
+
Atmos Auth identity for AWS credentials (overrides `aws.security.identity` config).
+ +
`--ai`
+
Enable AI-powered analysis of the compliance report. The global `--ai` flag captures the report output and sends it to the configured AI provider for a summary with remediation guidance for each failing control.
+
+ +## Examples + +### Basic Usage + + +```bash +# CIS AWS Foundations Benchmark report +atmos aws compliance report --framework cis-aws --stack prod-us-east-1 + +# PCI DSS compliance status +atmos aws compliance report --framework pci-dss + +# All frameworks for a stack +atmos aws compliance report --stack prod-us-east-1 +``` + + +### Output Formats + + +```bash +# Output as JSON for automation +atmos aws compliance report --framework cis-aws --format json + +# Markdown report for documentation +atmos aws compliance report --framework soc2 --stack prod-us-east-1 --format markdown +``` + + +### AI-Powered Analysis + + +```bash +# Get AI remediation guidance for failing controls +atmos aws compliance report --ai + +# AI analysis for a specific framework +atmos aws compliance report --framework cis-aws --ai +``` + + +### Saving to a File + + +```bash +# Save markdown report to a file +atmos aws compliance report --framework hipaa --file hipaa-report.md + +# Save JSON report to a file +atmos aws compliance report --framework pci-dss --format json --file pci-report.json + +# Save to a nested directory (created automatically) +atmos aws compliance report --framework cis-aws --format json --file reports/compliance/cis.json +``` + + +### Targeted Evaluation + + +```bash +# Check specific controls +atmos aws compliance report --framework cis-aws --controls CIS.1.1,CIS.1.2,CIS.2.1 + +# NIST framework for production +atmos aws compliance report --framework nist --stack prod-us-east-1 + +# Multiple stacks comparison +for stack in dev-us-east-1 staging-us-east-1 prod-us-east-1; do + echo "=== $stack ===" + atmos aws compliance report --framework cis-aws --stack "$stack" --format json --file "compliance-${stack}.json" +done +``` + + +### CI/CD Integration + + +```bash +# Compliance gate in pipeline +atmos aws compliance report --framework pci-dss --stack prod-us-east-1 --format json --file compliance.json +if jq -e '.failing_controls | length > 0' compliance.json; then + echo "PCI DSS compliance failures detected" + exit 1 +fi + +# Generate compliance report as a deployment artifact +atmos aws compliance report --stack prod-us-east-1 --file compliance-report.md +``` + + +## Supported Frameworks + +
+
`cis-aws`
+
CIS AWS Foundations Benchmark. Industry-standard security configuration guidelines for AWS accounts.
+ +
`pci-dss`
+
Payment Card Industry Data Security Standard. Required for organizations that handle credit card data.
+ +
`soc2`
+
SOC 2 (Service Organization Control 2). Trust service criteria for security, availability, processing integrity, confidentiality, and privacy.
+ +
`hipaa`
+
Health Insurance Portability and Accountability Act. Required for organizations handling protected health information (PHI).
+ +
`nist`
+
NIST 800-53. Security and privacy controls for federal information systems and organizations.
+
+ +## Configuration + +Configure the compliance command in your `atmos.yaml` under the `aws.security` section: + +```yaml +aws: + security: + enabled: true + identity: "security-readonly" # Atmos Auth identity + region: "us-east-2" # Security Hub aggregation region + frameworks: + - cis-aws + - pci-dss +``` + +## Related Commands + + diff --git a/website/docs/cli/commands/aws/eks/_category_.json b/website/docs/cli/commands/aws/eks/_category_.json new file mode 100644 index 0000000000..b57c963c6c --- /dev/null +++ b/website/docs/cli/commands/aws/eks/_category_.json @@ -0,0 +1,8 @@ +{ + "label": "eks", + "className": "command", + "link": { + "type": "doc", + "id": "cli/commands/aws/eks/eks" + } +} diff --git a/website/docs/cli/commands/aws/eks/eks.mdx b/website/docs/cli/commands/aws/eks/eks.mdx new file mode 100644 index 0000000000..9d69dd518c --- /dev/null +++ b/website/docs/cli/commands/aws/eks/eks.mdx @@ -0,0 +1,26 @@ +--- +title: atmos aws eks +sidebar_label: eks +sidebar_class_name: command +id: eks +description: AWS EKS commands for managing Elastic Kubernetes Service clusters +--- +import Intro from '@site/src/components/Intro' +import Screengrab from '@site/src/components/Screengrab' +import DocCardList from '@theme/DocCardList' + + +Commands for managing AWS EKS (Elastic Kubernetes Service) clusters. + + + + +## Usage + +```shell +atmos aws eks [flags] +``` + +## Subcommands + + diff --git a/website/docs/cli/commands/aws/aws-eks-update-kubeconfig.mdx b/website/docs/cli/commands/aws/eks/update-kubeconfig.mdx similarity index 99% rename from website/docs/cli/commands/aws/aws-eks-update-kubeconfig.mdx rename to website/docs/cli/commands/aws/eks/update-kubeconfig.mdx index c8bf39a608..f5e8b0679e 100644 --- a/website/docs/cli/commands/aws/aws-eks-update-kubeconfig.mdx +++ b/website/docs/cli/commands/aws/eks/update-kubeconfig.mdx @@ -1,8 +1,8 @@ --- title: atmos aws eks update-kubeconfig -sidebar_label: eks update-kubeconfig +sidebar_label: update-kubeconfig sidebar_class_name: command -id: eks-update-kubeconfig +id: update-kubeconfig description: Use this command to download `kubeconfig` from an EKS cluster and saves it to a file. --- import Screengrab from '@site/src/components/Screengrab' diff --git a/website/docs/cli/commands/aws/security/_category_.json b/website/docs/cli/commands/aws/security/_category_.json new file mode 100644 index 0000000000..d900e2e9f7 --- /dev/null +++ b/website/docs/cli/commands/aws/security/_category_.json @@ -0,0 +1,8 @@ +{ + "label": "security", + "className": "command", + "link": { + "type": "doc", + "id": "cli/commands/aws/security/security" + } +} diff --git a/website/docs/cli/commands/aws/security/analyze.mdx b/website/docs/cli/commands/aws/security/analyze.mdx new file mode 100644 index 0000000000..552e9399a2 --- /dev/null +++ b/website/docs/cli/commands/aws/security/analyze.mdx @@ -0,0 +1,215 @@ +--- +title: atmos aws security analyze +sidebar_label: analyze +sidebar_class_name: command +id: analyze +description: Analyze AWS security findings and map them to Atmos components and stacks with optional AI-powered remediation guidance +--- +import Screengrab from '@site/src/components/Screengrab' +import Terminal from '@site/src/components/Terminal' +import DocCardList from '@theme/DocCardList' +import Intro from '@site/src/components/Intro' +import ActionCard from '@site/src/components/ActionCard' +import PrimaryCTA from '@site/src/components/PrimaryCTA' +import Experimental from '@site/src/components/Experimental' + + +Analyze AWS security findings from Security Hub, Config, Inspector, and GuardDuty, then map them to the Atmos components and stacks that manage the affected resources. Generates remediation reports with optional AI-powered analysis. + + + + + + +## Description + +The `atmos aws security analyze` command connects to AWS security services via Atmos Auth, retrieves security findings, and maps them to the Terraform/Atmos components that manage the affected resources. By default, it works without any AI provider. When the `--ai` flag is passed, it uses the configured AI provider to analyze each finding and generate remediation guidance with concrete code changes. + +Use it for: +- **Security Posture Review**: Get a prioritized view of security findings mapped to your Atmos components and stacks +- **Remediation Planning**: Use `--ai` for AI-generated code changes to fix security issues in your Terraform components +- **CI/CD Integration**: Export findings as JSON or CSV for automated security gates in deployment pipelines +- **Compliance Reporting**: Filter findings by severity, source, or compliance framework for targeted reports + +## Usage + +```shell +atmos aws security analyze [flags] +``` + +## Flags + +
+
`--stack, -s`
+
Filter findings to a specific Atmos stack (e.g., `prod-us-east-1`).
+ +
`--component, -c`
+
Filter findings to a specific Atmos component (e.g., `vpc`, `eks`).
+ +
`--severity`
+
Comma-separated list of severity levels (case-insensitive): `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`. Default: `critical,high`.
+ +
`--source`
+
Filter findings by source service: `security-hub`, `config`, `inspector`, `guardduty`, `macie`, `access-analyzer`, `all` (default: `all`).
+ +
`--format, -f`
+
Output format: `markdown`, `json`, `yaml`, `csv` (default: `markdown`).
+ +
`--file`
+
Write output to a file instead of stdout. Creates parent directories if they don't exist.
+ +
`--max-findings`
+
Maximum number of findings to retrieve and analyze (default: `500`).
+ +
`--ai`
+
Enable AI-powered analysis and remediation suggestions. Requires `ai.enabled: true` in your `atmos.yaml`.
+ +
`--region`
+
AWS region to query for findings (overrides `aws.security.region` config).
+ +
`--identity, -i`
+
Atmos Auth identity for AWS credentials (overrides `aws.security.identity` config).
+ +
`--framework`
+
Filter findings by compliance framework (e.g., `cis-aws`, `pci-dss`).
+ +
`--no-group`
+
Disable grouping of duplicate findings. By default, findings with the same title are collapsed into a summary table. Use `--no-group` to show each finding individually with full tags — useful for AI pipelines and detailed analysis.
+
+ +## Examples + +### Basic Usage + + +```bash +# Analyze findings for a specific stack +atmos aws security analyze --stack prod-us-east-1 + +# Filter by severity +atmos aws security analyze --stack prod-us-east-1 --severity critical,high + +# Filter by source service +atmos aws security analyze --stack prod-us-east-1 --source security-hub +``` + + +### AI-Powered Analysis + + +```bash +# Enable AI analysis for remediation guidance +atmos aws security analyze --stack prod-us-east-1 --ai + +# AI analysis for critical findings only +atmos aws security analyze --stack prod-us-east-1 --severity critical --ai +``` + + +### Output Formats + + +```bash +# Output as JSON for CI/CD integration +atmos aws security analyze --stack prod-us-east-1 --format json + +# Output as CSV for compliance reporting +atmos aws security analyze --format csv > findings.csv + +# Markdown report for documentation +atmos aws security analyze --stack prod-us-east-1 --format markdown --severity critical,high +``` + + +### Filtering and Targeting + + +```bash +# Findings for a specific component +atmos aws security analyze --stack prod-us-east-1 --component vpc + +# Limit number of findings +atmos aws security analyze --stack prod-us-east-1 --max-findings 20 + +# Filter by compliance framework +atmos aws security analyze --stack prod-us-east-1 --framework cis-aws +``` + + +### Saving to a File + + +```bash +# Save markdown report to a file +atmos aws security analyze --stack prod-us-east-1 --file security-report.md + +# Save JSON findings to a file +atmos aws security analyze --stack prod-us-east-1 --format json --file findings.json + +# Save to a nested directory (created automatically) +atmos aws security analyze --stack prod-us-east-1 --format json --file reports/security/findings.json +``` + + +### CI/CD Integration + + +```bash +# Security gate in pipeline +atmos aws security analyze --stack prod-us-east-1 --severity critical --format json --file security.json +if jq -e '.findings | length > 0' security.json; then + echo "Critical security findings detected" + exit 1 +fi + +# Generate security report as a deployment artifact +atmos aws security analyze --stack prod-us-east-1 \ + --severity critical,high \ + --file security-report.md +``` + + +## Configuration + +Configure the security command in your `atmos.yaml` under the `aws.security` section: + +```yaml +aws: + security: + enabled: true + identity: "security-readonly" # Atmos Auth identity + region: "us-east-2" # Security Hub aggregation region + default_severity: + - CRITICAL + - HIGH + sources: + security_hub: true + inspector: true + guardduty: true + max_findings: 50 + tag_mapping: + stack_tag: "atmos:stack" + component_tag: "atmos:component" + account_map: # For account-level findings + "123456789012": "prod" + "234567890123": "security" +``` + +To enable AI-powered analysis with the `--ai` flag, also configure your AI provider: + +```yaml +ai: + enabled: true + default_provider: bedrock + providers: + bedrock: + model: anthropic.claude-sonnet-4-6-20250514-v1:0 + base_url: us-east-1 +``` + +## Related Commands + + diff --git a/website/docs/cli/commands/aws/security/security.mdx b/website/docs/cli/commands/aws/security/security.mdx new file mode 100644 index 0000000000..331da83c7b --- /dev/null +++ b/website/docs/cli/commands/aws/security/security.mdx @@ -0,0 +1,29 @@ +--- +title: atmos aws security +sidebar_label: security +sidebar_class_name: command +id: security +description: AWS security commands for analyzing findings and mapping them to Atmos components +--- +import Intro from '@site/src/components/Intro' +import Screengrab from '@site/src/components/Screengrab' +import DocCardList from '@theme/DocCardList' +import Experimental from '@site/src/components/Experimental' + + +Commands for analyzing AWS security findings and mapping them to Atmos components. + + + + + + +## Usage + +```shell +atmos aws security [flags] +``` + +## Subcommands + + diff --git a/website/docs/cli/commands/aws/usage.mdx b/website/docs/cli/commands/aws/usage.mdx index 6652475b4c..7eb0523d8a 100644 --- a/website/docs/cli/commands/aws/usage.mdx +++ b/website/docs/cli/commands/aws/usage.mdx @@ -7,20 +7,11 @@ description: Atmos AWS Commands import Screengrab from '@site/src/components/Screengrab' import DocCardList from '@theme/DocCardList' import Intro from '@site/src/components/Intro' -import ActionCard from '@site/src/components/ActionCard' -import PrimaryCTA from '@site/src/components/PrimaryCTA' -Use these subcommands to interact with AWS. +Commands for working with AWS services — security analysis, compliance reporting, EKS cluster management, and more. - - Learn how to configure AWS authentication providers and identities. -
- Configuration Reference -
- - ## Usage diff --git a/website/docs/cli/configuration/aws/index.mdx b/website/docs/cli/configuration/aws/index.mdx new file mode 100644 index 0000000000..fc6f5904d2 --- /dev/null +++ b/website/docs/cli/configuration/aws/index.mdx @@ -0,0 +1,55 @@ +--- +title: AWS Configuration +sidebar_label: aws +sidebar_class_name: command +id: aws +description: Configure AWS-specific features in your `atmos.yaml`. +--- +import File from '@site/src/components/File' +import Terminal from '@site/src/components/Terminal' +import Intro from '@site/src/components/Intro' +import Experimental from '@site/src/components/Experimental' +import DocCardList from '@theme/DocCardList' + + +The `aws` section of the `atmos.yaml` configures AWS-specific features that integrate directly +with AWS services. Each subsection controls a different AWS capability. + + + + +## Quick Start + + +```yaml +aws: + security: + enabled: true +``` + + +## Configuration Reference + +### Top-Level Structure + + +```yaml +aws: + # Security scanning and compliance reporting + security: + enabled: true + # ... see Security documentation for full options +``` + + +## Sections + + + +## Related Commands + + diff --git a/website/docs/cli/configuration/aws/security.mdx b/website/docs/cli/configuration/aws/security.mdx new file mode 100644 index 0000000000..1979707ca3 --- /dev/null +++ b/website/docs/cli/configuration/aws/security.mdx @@ -0,0 +1,217 @@ +--- +title: Security Configuration +sidebar_label: security +sidebar_class_name: command +id: security +description: Configure AWS security scanning sources, severity filters, tag mapping, and compliance frameworks. +--- +import File from '@site/src/components/File' +import Terminal from '@site/src/components/Terminal' +import Intro from '@site/src/components/Intro' +import Experimental from '@site/src/components/Experimental' +import DocCardList from '@theme/DocCardList' + + +The `aws.security` section configures security scanning and compliance reporting for AWS resources. +It controls which AWS security services to query, severity filters, resource-to-component tag mapping, +and compliance frameworks. + + + + +## Quick Start + + +```yaml +aws: + security: + enabled: true + identity: "security-readonly" # Atmos Auth identity → Security Hub delegated admin + region: "us-east-2" # Security Hub aggregation region +``` + + +This enables security scanning with Atmos Auth credentials targeting the Security Hub +delegated admin account. Default sources: Security Hub, Config, Inspector, GuardDuty. +Default severity: `CRITICAL` and `HIGH`. + +## Full Configuration + + +```yaml +aws: + security: + enabled: true + + # Atmos Auth identity for AWS credentials (targets delegated admin account). + identity: "security-readonly" + + # Default AWS region (Security Hub aggregation region). + region: "us-east-2" + + # AWS security services to query + sources: + security_hub: true # AWS Security Hub (aggregates all services) + config: true # AWS Config compliance rules + inspector: true # Amazon Inspector vulnerability scans + guardduty: true # Amazon GuardDuty threat detection + macie: false # Amazon Macie sensitive data findings + access_analyzer: false # IAM Access Analyzer + + # Default severity filter (when --severity flag is not specified) + default_severity: + - CRITICAL + - HIGH + + # Maximum findings per analysis run + max_findings: 500 + + # Tag keys for mapping AWS resources to Atmos components + tag_mapping: + stack_tag: "atmos:stack" + component_tag: "atmos:component" + # Account names are resolved automatically via AWS Organizations DescribeAccount API. + # If account_map is configured, it takes priority (no API call for matched IDs). + # Use account_map only if Organizations access is unavailable. + # account_map: + # "123456789012": "prod" + # "234567890123": "security" + + # Compliance frameworks to track + frameworks: + - cis-aws + - pci-dss +``` + + +## Settings Reference + +
+
`enabled`
+
Enable AWS security and compliance features. Default: `false`.
+ +
`identity`
+
Atmos Auth identity for AWS credentials. Targets the account where Security Hub is the delegated administrator. Overridable with `--identity` / `-i` flag. See [Auth Configuration](/cli/configuration/auth) for identity setup.
+ +
`region`
+
Default AWS region for Security Hub queries (typically the finding aggregation region). Overridable with `--region` flag. Default: `us-east-1`.
+ +
`sources`
+
Configure which AWS security services to query for findings. See [Sources](#sources) below.
+ +
`default_severity`
+
Default severity filter when `--severity` flag is not specified. Valid values: `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`. Default: `["CRITICAL", "HIGH"]`.
+ +
`max_findings`
+
Maximum findings per analysis run. Controls the number of findings fetched from AWS. Default: `500`.
+ +
`tag_mapping`
+
Tag keys used for mapping AWS resources back to Atmos components and stacks. See [Tag Mapping](#tag-mapping) below.
+ +
`account_map`
+
Optional static mapping of AWS account IDs to names. When configured, matched account IDs are resolved from this map without AWS API calls. For unmatched IDs, the system falls back to the AWS Organizations `DescribeAccount` API. Use this when Organizations access is unavailable or to override specific account names. Example: `"123456789012": "prod"`.
+ +
`frameworks`
+
Compliance frameworks to track with `atmos aws compliance report`. Supported: `cis-aws`, `pci-dss`, `soc2`, `hipaa`, `nist`.
+
+ +## Sources + +AWS Security Hub acts as a central aggregator for findings from multiple AWS security services. +Each source can be enabled or disabled independently. + +
+
`security_hub`
+
Query AWS Security Hub for aggregated findings from all integrated services. This is the primary source and should usually be enabled. Default: `true`.
+ +
`config`
+
Query AWS Config for configuration compliance rule evaluations. Detects resources that don't comply with your Config rules. Default: `true`.
+ +
`inspector`
+
Query Amazon Inspector for automated vulnerability assessments of EC2 instances, Lambda functions, and container images. Default: `true`.
+ +
`guardduty`
+
Query Amazon GuardDuty for intelligent threat detection findings. Identifies malicious activity and unauthorized behavior. Default: `true`.
+ +
`macie`
+
Query Amazon Macie for sensitive data discovery findings in S3 buckets. Useful for data classification and privacy compliance. Default: `false`.
+ +
`access_analyzer`
+
Query IAM Access Analyzer for findings about resources shared with external entities. Helps identify unintended public or cross-account access. Default: `false`.
+
+ +## Tag Mapping + +Atmos maps AWS resources to components and stacks using resource tags. These tags should be applied +to your AWS resources via Terraform. The default tags follow Atmos conventions. + +
+
`stack_tag`
+
Tag key identifying the Atmos stack. Default: `"atmos:stack"`.
+ +
`component_tag`
+
Tag key identifying the Atmos component. Default: `"atmos:component"`.
+ +
+ +### How Tag Mapping Works + +When a security finding is detected on an AWS resource, Atmos looks up the resource's tags to +determine which component and stack manage it. This enables targeted remediation guidance. + +If tags are not found, Atmos falls back to heuristic mapping using resource naming conventions +and resource type patterns. + + +```bash +# Ensure your Terraform components apply Atmos tags +# In your component's main.tf: +# tags = { +# "atmos:stack" = var.atmos_stack +# "atmos:component" = var.atmos_component +# } +``` + + +## Compliance Frameworks + +The `frameworks` list determines which compliance standards are reported by `atmos aws compliance report`. + +
+
`cis-aws`
+
CIS AWS Foundations Benchmark. Industry-standard security configuration guidelines.
+ +
`pci-dss`
+
Payment Card Industry Data Security Standard. Required for organizations handling credit card data.
+ +
`soc2`
+
SOC 2 Trust Service Criteria. Security, availability, processing integrity, confidentiality, and privacy.
+ +
`hipaa`
+
Health Insurance Portability and Accountability Act. Required for protected health information (PHI).
+ +
`nist`
+
NIST Cybersecurity Framework. Voluntary framework for managing cybersecurity risk.
+
+ +## AI-Powered Analysis + +By default, `atmos aws security analyze` works without any AI provider. To enable AI-powered root cause +analysis and remediation guidance, use the `--ai` flag: + + +```bash +atmos aws security analyze --stack prod-us-east-1 --ai +``` + + +This requires an AI provider to be configured in the `ai` section of `atmos.yaml`. +See [AI Configuration](/cli/configuration/ai) for setup. + +## Related + + diff --git a/website/docs/cli/global-flags.mdx b/website/docs/cli/global-flags.mdx index 79437da874..ce9e0db02b 100644 --- a/website/docs/cli/global-flags.mdx +++ b/website/docs/cli/global-flags.mdx @@ -590,6 +590,19 @@ All global flags can be set using environment variables. The precedence order is +### AI Integration Environment Variables + +
+
`ATMOS_AI`
+
+ Enable AI-powered analysis of command output. + - Equivalent to the `--ai` flag + - Set to `true` to enable AI analysis + - CLI flag takes precedence over this environment variable + - Example: `ATMOS_AI=true atmos aws security analyze -s prod` +
+
+ ### AI Assistant Environment Variables
@@ -762,6 +775,19 @@ export ATMOS_LOGS_LEVEL=Debug atmos describe config ``` +### AI-Powered Analysis Examples + +```bash +# Enable AI analysis for security findings +atmos aws security analyze --ai -s prod + +# Enable AI analysis via environment variable +ATMOS_AI=true atmos aws security analyze --severity=critical -s prod + +# AI analysis with compliance reports +atmos aws compliance report --ai --framework=cis-aws -s prod +``` + ### CI/CD Configuration ```bash diff --git a/website/docs/tutorials/eks-kubeconfig-authentication.mdx b/website/docs/tutorials/eks-kubeconfig-authentication.mdx index a9d89de4c7..f97ac17ba8 100644 --- a/website/docs/tutorials/eks-kubeconfig-authentication.mdx +++ b/website/docs/tutorials/eks-kubeconfig-authentication.mdx @@ -513,6 +513,6 @@ kubectl auth can-i --list --context dev-eks - [Auth Login Command](/cli/commands/auth/login) — Full login command reference - [AWS EKS Token Command](/cli/commands/aws/eks-token) — EKS token generation reference -- [AWS EKS Update Kubeconfig](/cli/commands/aws/eks-update-kubeconfig) — Update kubeconfig command reference +- [AWS EKS Update Kubeconfig](/cli/commands/aws/eks/update-kubeconfig) — Update kubeconfig command reference - [Auth Configuration](/cli/configuration/auth) — Complete configuration reference - [ECR Authentication Tutorial](/tutorials/ecr-authentication) — Similar integration pattern for container registries diff --git a/website/src/components/Screengrabs/atmos-aws-compliance--help.html b/website/src/components/Screengrabs/atmos-aws-compliance--help.html new file mode 100644 index 0000000000..d28a6df08a --- /dev/null +++ b/website/src/components/Screengrabs/atmos-aws-compliance--help.html @@ -0,0 +1,99 @@ + + + + + + + + +👽 test darwin/arm64 + + Commands for generating compliance posture reports against industry + frameworks. + +USAGE + + + $ atmos aws compliance [sub-command] [flags] + + +AVAILABLE COMMANDS + + report Generate compliance posture reports + +FLAGS + + -h, --help help for compliance + + +GLOBAL FLAGS + + -- Use double dashes to separate Atmos-specific options from native arguments and flags + for the command. + + --ai Enable AI-powered analysis of command output + + --base-path string Base path for Atmos project + + -C, --chdir string Change working directory before executing the command (run as if Atmos started in this + directory) + + --config strings Paths to configuration files (comma-separated or repeated flag) + + --config-path strings Paths to search for Atmos configuration (comma-separated or repeated flag) + + --force-color Force color output even when not a TTY (useful for screenshots) + + --force-tty Force TTY mode with sane defaults when terminal detection fails (useful for + screenshots) + + --heatmap Show performance heatmap visualization after command execution (includes P95 latency) + + --heatmap-mode string Heatmap visualization mode: bar, sparkline, table (press 1-3 to switch in TUI) (default + bar) + + --identity string Identity to use for authentication. Use --identity to select interactively, -- + identity=NAME to specify + + --interactive Enable interactive prompts for missing required flags, optional value flags using the + sentinel pattern, and missing positional arguments (requires TTY, disabled in CI) + (default true) + + --logs-file string The file to write Atmos logs to. Logs can be written to any file or any standard file + descriptor, including '/dev/stdout', '/dev/stderr' and '/dev/null' (default + /dev/stderr) + + --logs-level string Logs level. Supported log levels are Trace, Debug, Info, Warning, Off. If the log + level is set to Off, Atmos will not log any messages (default Warning) + + --mask Enable automatic masking of sensitive data in output (use --mask=false to disable) + (default true) + + --no-color Disable color output + + --pager string Enable pager for output (--pager or --pager=true to enable, --pager=false to disable, -- + pager=less to use specific pager) + + --profile strings Activate configuration profiles (comma-separated or repeated flag) + + --profile-file string Write profiling data to file instead of starting server + + --profile-type string Type of profile to collect when using --profile-file. Options: cpu, heap, allocs, + goroutine, block, mutex, threadcreate, trace (default cpu) + + --profiler-enabled Enable pprof profiling server + + --profiler-host string Host for pprof profiling server (default localhost) + + --profiler-port int Port for pprof profiling server (default 6060) + + --redirect-stderr string File descriptor to redirect stderr to. Errors can be redirected to any file or any + standard file descriptor (including '/dev/null') + + --use-version string Use a specific version of Atmos (e.g., --use-version=1.160.0) + + -v, --verbose Enable verbose error output with full context, stack traces, and detailed information + + + + Use atmos aws compliance [command] --help for more information about a command. diff --git a/website/src/components/Screengrabs/atmos-aws-compliance-report--help.html b/website/src/components/Screengrabs/atmos-aws-compliance-report--help.html new file mode 100644 index 0000000000..557b5126f8 --- /dev/null +++ b/website/src/components/Screengrabs/atmos-aws-compliance-report--help.html @@ -0,0 +1,128 @@ + + + + + + + + +👽 test darwin/arm64 + + Generate compliance posture reports against specific frameworks. + + Retrieves compliance status from AWS Security Hub enabled standards, maps + failing controls to Atmos components, and generates reports with remediation + guidance. + + ## Examples + + # CIS AWS Foundations Benchmark report + atmos aws compliance report --framework cis-aws --stack prod-us-east-1 + + # PCI DSS compliance status + atmos aws compliance report --framework pci-dss + + # All frameworks for a stack + atmos aws compliance report --stack prod-us-east-1 + + # Output as JSON + atmos aws compliance report --framework cis-aws --format json + + # Save report to a file + atmos aws compliance report --framework cis-aws --stack prod-us-east-1 -- + file compliance-report.md + + # Save JSON report to a file + atmos aws compliance report --framework pci-dss --format json --file pci- + report.json + +USAGE + + + $ atmos aws compliance report [flags] + + +FLAGS + + --controls string Specific control IDs to check + + --file string Write output to file instead of stdout + + -f, --format string Output format: markdown, json, yaml, csv (default markdown) + + --framework string Compliance framework: cis-aws, pci-dss, soc2, hipaa, nist + + -h, --help help for report + + -s, --stack string Target stack + + +GLOBAL FLAGS + + -- Use double dashes to separate Atmos-specific options from native arguments and flags + for the command. + + --ai Enable AI-powered analysis of command output + + --base-path string Base path for Atmos project + + -C, --chdir string Change working directory before executing the command (run as if Atmos started in this + directory) + + --config strings Paths to configuration files (comma-separated or repeated flag) + + --config-path strings Paths to search for Atmos configuration (comma-separated or repeated flag) + + --force-color Force color output even when not a TTY (useful for screenshots) + + --force-tty Force TTY mode with sane defaults when terminal detection fails (useful for + screenshots) + + --heatmap Show performance heatmap visualization after command execution (includes P95 latency) + + --heatmap-mode string Heatmap visualization mode: bar, sparkline, table (press 1-3 to switch in TUI) (default + bar) + + --identity string Identity to use for authentication. Use --identity to select interactively, -- + identity=NAME to specify + + --interactive Enable interactive prompts for missing required flags, optional value flags using the + sentinel pattern, and missing positional arguments (requires TTY, disabled in CI) + (default true) + + --logs-file string The file to write Atmos logs to. Logs can be written to any file or any standard file + descriptor, including '/dev/stdout', '/dev/stderr' and '/dev/null' (default + /dev/stderr) + + --logs-level string Logs level. Supported log levels are Trace, Debug, Info, Warning, Off. If the log + level is set to Off, Atmos will not log any messages (default Warning) + + --mask Enable automatic masking of sensitive data in output (use --mask=false to disable) + (default true) + + --no-color Disable color output + + --pager string Enable pager for output (--pager or --pager=true to enable, --pager=false to disable, -- + pager=less to use specific pager) + + --profile strings Activate configuration profiles (comma-separated or repeated flag) + + --profile-file string Write profiling data to file instead of starting server + + --profile-type string Type of profile to collect when using --profile-file. Options: cpu, heap, allocs, + goroutine, block, mutex, threadcreate, trace (default cpu) + + --profiler-enabled Enable pprof profiling server + + --profiler-host string Host for pprof profiling server (default localhost) + + --profiler-port int Port for pprof profiling server (default 6060) + + --redirect-stderr string File descriptor to redirect stderr to. Errors can be redirected to any file or any + standard file descriptor (including '/dev/null') + + --use-version string Use a specific version of Atmos (e.g., --use-version=1.160.0) + + -v, --verbose Enable verbose error output with full context, stack traces, and detailed information + + diff --git a/website/src/components/Screengrabs/atmos-aws-security--help.html b/website/src/components/Screengrabs/atmos-aws-security--help.html new file mode 100644 index 0000000000..4bca1b35fb --- /dev/null +++ b/website/src/components/Screengrabs/atmos-aws-security--help.html @@ -0,0 +1,99 @@ + + + + + + + + +👽 test darwin/arm64 + + Commands for analyzing AWS security findings and mapping them to Atmos + components. + +USAGE + + + $ atmos aws security [sub-command] [flags] + + +AVAILABLE COMMANDS + + analyze Analyze AWS security findings for Atmos stacks + +FLAGS + + -h, --help help for security + + +GLOBAL FLAGS + + -- Use double dashes to separate Atmos-specific options from native arguments and flags + for the command. + + --ai Enable AI-powered analysis of command output + + --base-path string Base path for Atmos project + + -C, --chdir string Change working directory before executing the command (run as if Atmos started in this + directory) + + --config strings Paths to configuration files (comma-separated or repeated flag) + + --config-path strings Paths to search for Atmos configuration (comma-separated or repeated flag) + + --force-color Force color output even when not a TTY (useful for screenshots) + + --force-tty Force TTY mode with sane defaults when terminal detection fails (useful for + screenshots) + + --heatmap Show performance heatmap visualization after command execution (includes P95 latency) + + --heatmap-mode string Heatmap visualization mode: bar, sparkline, table (press 1-3 to switch in TUI) (default + bar) + + --identity string Identity to use for authentication. Use --identity to select interactively, -- + identity=NAME to specify + + --interactive Enable interactive prompts for missing required flags, optional value flags using the + sentinel pattern, and missing positional arguments (requires TTY, disabled in CI) + (default true) + + --logs-file string The file to write Atmos logs to. Logs can be written to any file or any standard file + descriptor, including '/dev/stdout', '/dev/stderr' and '/dev/null' (default + /dev/stderr) + + --logs-level string Logs level. Supported log levels are Trace, Debug, Info, Warning, Off. If the log + level is set to Off, Atmos will not log any messages (default Warning) + + --mask Enable automatic masking of sensitive data in output (use --mask=false to disable) + (default true) + + --no-color Disable color output + + --pager string Enable pager for output (--pager or --pager=true to enable, --pager=false to disable, -- + pager=less to use specific pager) + + --profile strings Activate configuration profiles (comma-separated or repeated flag) + + --profile-file string Write profiling data to file instead of starting server + + --profile-type string Type of profile to collect when using --profile-file. Options: cpu, heap, allocs, + goroutine, block, mutex, threadcreate, trace (default cpu) + + --profiler-enabled Enable pprof profiling server + + --profiler-host string Host for pprof profiling server (default localhost) + + --profiler-port int Port for pprof profiling server (default 6060) + + --redirect-stderr string File descriptor to redirect stderr to. Errors can be redirected to any file or any + standard file descriptor (including '/dev/null') + + --use-version string Use a specific version of Atmos (e.g., --use-version=1.160.0) + + -v, --verbose Enable verbose error output with full context, stack traces, and detailed information + + + + Use atmos aws security [command] --help for more information about a command. diff --git a/website/src/components/Screengrabs/atmos-aws-security-analyze--help.html b/website/src/components/Screengrabs/atmos-aws-security-analyze--help.html new file mode 100644 index 0000000000..dad0c25612 --- /dev/null +++ b/website/src/components/Screengrabs/atmos-aws-security-analyze--help.html @@ -0,0 +1,143 @@ + + + + + + + + +👽 test darwin/arm64 + + Analyze AWS security findings and map them to Atmos components and stacks. + + Connects to AWS Security Hub, Config, Inspector, GuardDuty, and other security + services via Atmos Auth, maps findings to the Terraform/Atmos components that + manage the affected resources, and generates remediation reports with concrete + code changes. + + ## Examples + + # Analyze findings for a specific stack + atmos aws security analyze --stack prod-us-east-1 + + # Filter by severity + atmos aws security analyze --stack prod-us-east-1 --severity critical,high + + # Filter by source service + atmos aws security analyze --stack prod-us-east-1 --source security-hub + + # Output as JSON for CI/CD integration + atmos aws security analyze --stack prod-us-east-1 --format json + + # Enable AI-powered analysis + atmos aws security analyze --stack prod-us-east-1 --ai + + # Output as CSV for compliance reporting + atmos aws security analyze --format csv > findings.csv + + # Save report to a file + atmos aws security analyze --stack prod-us-east-1 --file security-report.md + + # Save JSON report to a file + atmos aws security analyze --stack prod-us-east-1 --format json --file + findings.json + +USAGE + + + $ atmos aws security analyze [flags] + + +FLAGS + + -c, --component string Target component within the stack + + --file string Write output to file instead of stdout + + -f, --format string Output format: markdown, json, yaml, csv (default markdown) + + --framework string Compliance framework filter + + -h, --help help for analyze + + --max-findings int Maximum findings to analyze (default 50) + + --region string AWS region override + + --severity string Comma-separated severity filter (default critical,high) + + --source string Finding source: security-hub, config, inspector, guardduty, macie, access-analyzer, all + (default all) + + -s, --stack string Target stack to analyze + + +GLOBAL FLAGS + + -- Use double dashes to separate Atmos-specific options from native arguments and flags + for the command. + + --ai Enable AI-powered analysis of command output + + --base-path string Base path for Atmos project + + -C, --chdir string Change working directory before executing the command (run as if Atmos started in this + directory) + + --config strings Paths to configuration files (comma-separated or repeated flag) + + --config-path strings Paths to search for Atmos configuration (comma-separated or repeated flag) + + --force-color Force color output even when not a TTY (useful for screenshots) + + --force-tty Force TTY mode with sane defaults when terminal detection fails (useful for + screenshots) + + --heatmap Show performance heatmap visualization after command execution (includes P95 latency) + + --heatmap-mode string Heatmap visualization mode: bar, sparkline, table (press 1-3 to switch in TUI) (default + bar) + + --identity string Identity to use for authentication. Use --identity to select interactively, -- + identity=NAME to specify + + --interactive Enable interactive prompts for missing required flags, optional value flags using the + sentinel pattern, and missing positional arguments (requires TTY, disabled in CI) + (default true) + + --logs-file string The file to write Atmos logs to. Logs can be written to any file or any standard file + descriptor, including '/dev/stdout', '/dev/stderr' and '/dev/null' (default + /dev/stderr) + + --logs-level string Logs level. Supported log levels are Trace, Debug, Info, Warning, Off. If the log + level is set to Off, Atmos will not log any messages (default Warning) + + --mask Enable automatic masking of sensitive data in output (use --mask=false to disable) + (default true) + + --no-color Disable color output + + --pager string Enable pager for output (--pager or --pager=true to enable, --pager=false to disable, -- + pager=less to use specific pager) + + --profile strings Activate configuration profiles (comma-separated or repeated flag) + + --profile-file string Write profiling data to file instead of starting server + + --profile-type string Type of profile to collect when using --profile-file. Options: cpu, heap, allocs, + goroutine, block, mutex, threadcreate, trace (default cpu) + + --profiler-enabled Enable pprof profiling server + + --profiler-host string Host for pprof profiling server (default localhost) + + --profiler-port int Port for pprof profiling server (default 6060) + + --redirect-stderr string File descriptor to redirect stderr to. Errors can be redirected to any file or any + standard file descriptor (including '/dev/null') + + --use-version string Use a specific version of Atmos (e.g., --use-version=1.160.0) + + -v, --verbose Enable verbose error output with full context, stack traces, and detailed information + + diff --git a/website/src/data/roadmap.js b/website/src/data/roadmap.js index 954a74eb12..4233965f2f 100644 --- a/website/src/data/roadmap.js +++ b/website/src/data/roadmap.js @@ -575,6 +575,36 @@ export const roadmapConfig = { { number: 1972, title: 'Implement custom secrets masking patterns and fix output routing' }, ], }, + { + id: 'aws-security', + icon: 'RiShieldCheckLine', + title: 'AWS Security & Compliance', + tagline: 'Security findings mapped to your infrastructure code', + description: + 'Detect, review, and analyze security findings from AWS Security Hub, Config, Inspector, and GuardDuty — directly from the Atmos CLI. Findings are mapped back to Atmos components and stacks, with optional AI-powered remediation guidance via any supported AI provider.', + progress: 80, + status: 'in-progress', + milestones: [ + { label: 'Schema additions for `aws.security` config', status: 'shipped', quarter: 'q1-2026', pr: 2282, changelog: 'aws-security-compliance', prd: 'atmos-aws-security-compliance', description: 'Added AWSSettings, AWSSecuritySettings, AWSSecuritySources, and AWSSecurityTagMapping types to pkg/schema/.', benefits: 'Configure security scanning behavior directly in atmos.yaml.' }, + { label: 'AWS security client package', status: 'shipped', quarter: 'q1-2026', pr: 2282, changelog: 'aws-security-compliance', prd: 'atmos-aws-security-compliance', description: 'Created pkg/aws/security/ with clients for Security Hub, Config, Inspector, and GuardDuty. Interface-driven design with mock support.', benefits: 'Unified access to all AWS security services from a single package.' }, + { label: 'Tag-based finding-to-code mapping', status: 'shipped', quarter: 'q1-2026', pr: 2282, changelog: 'aws-security-compliance', prd: 'atmos-aws-security-compliance', description: 'Map findings to Atmos components using atmos:stack and atmos:component resource tags via Resource Groups Tagging API.', benefits: 'Instant, deterministic mapping from security findings to the exact Terraform code that manages the affected resource.' }, + { label: 'Heuristic finding-to-code mapping', status: 'shipped', quarter: 'q1-2026', pr: 2282, changelog: 'aws-security-compliance', prd: 'atmos-aws-security-compliance', description: 'Multi-strategy heuristic pipeline for resources without atmos tags: naming convention analysis and resource type matching.', benefits: 'Security analysis works even without resource tags. Multiple strategies provide confidence-scored matches.' }, + { label: '`atmos aws security analyze` CLI command', status: 'shipped', quarter: 'q1-2026', pr: 2282, changelog: 'aws-security-compliance', docs: '/cli/commands/aws/security/analyze', prd: 'atmos-aws-security-compliance', description: 'Primary command for security analysis. Fetches findings, maps to components, and generates reports with severity and source filtering.', benefits: 'Single command replaces navigating multiple AWS console pages. See all findings mapped to your infrastructure code.' }, + { label: '`atmos aws compliance report` CLI command', status: 'shipped', quarter: 'q1-2026', pr: 2282, changelog: 'aws-security-compliance', docs: '/cli/commands/aws/compliance/report', prd: 'atmos-aws-security-compliance', description: 'Compliance posture reports against CIS AWS, PCI DSS, SOC 2, HIPAA, and NIST frameworks.', benefits: 'Compliance score at a glance. Failing controls mapped to components with remediation steps.' }, + { label: 'Multi-format output (Markdown, JSON, YAML, CSV)', status: 'shipped', quarter: 'q1-2026', pr: 2282, changelog: 'aws-security-compliance', prd: 'atmos-aws-security-compliance', description: 'All commands support --format flag for different output formats. Markdown for terminal, structured formats for automation.', benefits: 'Pipe findings to dashboards, ticketing systems, Slack, or compliance reporting tools.' }, + { label: 'AI-powered analysis via `--ai` flag', status: 'shipped', quarter: 'q1-2026', pr: 2282, changelog: 'aws-security-compliance', prd: 'atmos-aws-security-compliance', description: 'Opt-in AI analysis adds root cause analysis, code-level remediation guidance, and deploy commands using any supported AI provider.', benefits: 'AI reads your component source code and generates targeted fixes with exact atmos terraform apply commands.' }, + { label: 'AI tools for security (4 tools)', status: 'shipped', quarter: 'q1-2026', pr: 2282, changelog: 'aws-security-compliance', prd: 'atmos-aws-security-compliance', description: 'atmos_list_findings, atmos_describe_finding, atmos_analyze_finding, and atmos_compliance_report tools for AI and MCP clients.', benefits: 'Security analysis available to AI chat sessions and MCP-connected IDEs.' }, + { label: '`--ai` global persistent flag', status: 'shipped', quarter: 'q1-2026', pr: 2282, changelog: 'aws-security-compliance', prd: 'atmos-aws-security-compliance', description: 'Global --ai flag inherited by all subcommands. Enables AI-powered analysis with ATMOS_AI env var support.', benefits: 'Consistent AI opt-in across all commands. No per-command flag registration needed.' }, + { label: 'Finding cache infrastructure', status: 'shipped', quarter: 'q1-2026', pr: 2282, changelog: 'aws-security-compliance', prd: 'atmos-aws-security-compliance', description: 'Cache layer in pkg/aws/security/cache.go for finding results with TTL and invalidation.', benefits: 'Faster repeated queries. Reduced AWS API calls and costs.' }, + { label: 'Terraform state search for tagless mapping', status: 'planned', quarter: 'q2-2026', prd: 'atmos-aws-security-compliance', description: 'Scan Terraform state files to find resource ARNs, reusing the !terraform.state YAML function infrastructure.', benefits: 'Most reliable tagless mapping strategy. State file is the source of truth for managed resources.' }, + { label: 'AI-assisted inference for unmapped findings', status: 'planned', quarter: 'q2-2026', prd: 'atmos-aws-security-compliance', description: 'Send unmapped findings with candidate component list to AI for intelligent component inference.', benefits: 'AI resolves ambiguous matches using contextual clues when heuristic strategies fail.' }, + { label: 'Interactive AI Q&A with security context', status: 'planned', quarter: 'q2-2026', prd: 'atmos-aws-security-compliance', description: 'atmos ai chat with pre-loaded security context for follow-up questions about findings.', benefits: 'Ask follow-up questions about findings. Deep-dive into remediation strategies interactively.' }, + ], + issues: [], + prs: [ + { number: 2282, title: 'feat: AWS Security & Compliance — finding-to-code mapping with AI remediation' }, + ], + }, ], highlights: [