Overview ¶
Package scorecard handles the generation of "scores" for GCP infrastructure. It uses a combination of:
- Cloud Asset Inventory: https://cloud.google.com/resource-manager/docs/cloud-asset-inventory/overview
- Config Validator: https://github.com/GoogleCloudPlatform/config-validator
Index ¶
Constants ¶
This section is empty.
Variables ¶
// Cmd represents the base scorecard command.
//
// Exactly one inventory source (--bucket, --dir-path or --stdin) must be
// selected; PreRunE rejects any other combination before RunE starts. RunE
// then builds the inventory, loads the policy library from --policy-path and
// writes the scorecard to --output-path in the configured output format.
var Cmd = &cobra.Command{
	Use:   "scorecard",
	Short: "Print a scorecard of your GCP environment",
	Long:  `Print a scorecard of your GCP environment, for resources and IAM policies in Cloud Asset Inventory (CAI) exports, and constraints and constraint templates from Config Validator policy library. Read from a bucket: cft scorecard --policy-path <path-to>/policy-library \ --bucket <name-of-bucket-containing-cai-export> Read from a local directory: cft scorecard --policy-path <path-to>/policy-library \ --dir-path <path-to-directory-containing-cai-export> Read from standard input: cft scorecard --policy-path <path-to>/policy-library \ --stdin As of now, CAI export file names need to be: resource_inventory.json, iam_inventory.json, org_policy_inventory.json, access_policy_inventory.json `,
	Args:  cobra.NoArgs,
	PreRunE: func(cmd *cobra.Command, args []string) error {
		// Count the selected inventory sources; anything other than exactly
		// one (none, or two or more) is a usage error.
		selected := 0
		for _, isSet := range []bool{flags.bucketName != "", flags.dirPath != "", flags.stdin} {
			if isSet {
				selected++
			}
		}
		if selected != 1 {
			return fmt.Errorf("One and only one of bucket, dir-path, or stdin should be set")
		}
		return nil
	},
	RunE: func(cmd *cobra.Command, args []string) error {
		cmd.Println("Generating CFT scorecard")
		ctx := context.Background()

		// Fall back to the configured google_project only when no target
		// scope at all was given on the command line.
		targetProjectID := flags.targetProjectID
		noScope := targetProjectID == "" && flags.targetFolderID == "" && flags.targetOrgID == ""
		if noScope {
			targetProjectID = viper.GetString("google_project")
		}

		// Refreshing a bucket export requires exactly one scope to export from.
		if flags.bucketName != "" && flags.refresh {
			scopes := 0
			for _, isSet := range []bool{targetProjectID != "", flags.targetFolderID != "", flags.targetOrgID != ""} {
				if isSet {
					scopes++
				}
			}
			if scopes != 1 {
				return fmt.Errorf("When using --refresh and --bucket, one and only one of target-project, target-folder, or target-org should be set")
			}
		}

		inventory, err := NewInventory(
			flags.bucketName,
			flags.dirPath,
			flags.stdin,
			flags.refresh,
			WorkerSize(flags.workers),
			TargetProject(targetProjectID),
			TargetFolder(flags.targetFolderID),
			TargetOrg(flags.targetOrgID),
		)
		if err != nil {
			return err
		}

		config, err := NewScoringConfig(ctx, flags.policyPath)
		if err != nil {
			return err
		}

		// Score returns nil on success, so its error is the command's result.
		return inventory.Score(config, flags.outputPath, viper.GetString("output-format"), flags.metadataFields)
	},
}
Cmd represents the base scorecard command
var Log = log.New()
Log (log15) handler for Scorecard
Functions ¶
This section is empty.
Types ¶
type InventoryConfig ¶
type InventoryConfig struct {
// contains filtered or unexported fields
}
InventoryConfig manages a CAI inventory
func NewInventory ¶
func NewInventory(bucketName, dirPath string, readFromStdin bool, refresh bool, options ...Option) (*InventoryConfig, error)
NewInventory creates a new CAI inventory manager
func (*InventoryConfig) Export ¶
func (inventory *InventoryConfig) Export() error
Export creates a new inventory export
func (*InventoryConfig) Score ¶
func (inventory *InventoryConfig) Score(config *ScoringConfig, outputPath string, outputFormat string, outputMetadataFields []string) error
Score creates a Scorecard for an inventory
type Option ¶
type Option func(*InventoryConfig)
Option for NewInventory
func TargetFolder ¶ added in v0.5.2
TargetFolder sets the folder for collecting inventory data
func TargetProject ¶
TargetProject sets the project for collecting inventory data
func WorkerSize ¶ added in v0.5.2
WorkerSize sets the number of workers for running violations review concurrently
type RichViolation ¶
// RichViolation holds a violation with its category.
type RichViolation struct {
	// Embedded underlying violation; the `json:"-"` tag keeps it out of
	// encoding/json output.
	*validator.Violation `json:"-"`
	Category             string // category of violation
	Resource             string
	Message              string
	// Per-violation metadata carried with both protobuf and JSON tags;
	// omitted from JSON when nil.
	Metadata *structpb.Value `protobuf:"bytes,4,opt,name=metadata,proto3" json:"metadata,omitempty"`
	// contains filtered or unexported fields
}
RichViolation holds a violation with its category
type ScoringConfig ¶
type ScoringConfig struct {
// contains filtered or unexported fields
}
ScoringConfig holds settings for generating a score
func NewScoringConfig ¶
func NewScoringConfig(ctx context.Context, policyPath string) (*ScoringConfig, error)
NewScoringConfig creates a scoring engine for the given policy library
func NewScoringConfigFromValidator ¶ added in v0.5.2
func NewScoringConfigFromValidator(v *gcv.Validator) *ScoringConfig
NewScoringConfigFromValidator creates a scoring engine with a given validator.
func (ScoringConfig) CountViolations ¶ added in v0.5.2
func (c ScoringConfig) CountViolations() int