
Commit 355aebd

Merge pull request #190 from advanced-security/docs-coverage
feat: Update scripts and docs
2 parents c2f10db + c7d6c7a commit 355aebd

File tree

5 files changed (+93, -12 lines)


docs/coverage.md

+47
Original file line numberDiff line numberDiff line change
@@ -6,5 +6,52 @@ The `codeql-extractor-iac` covers a number of technologies today but is being co
66

77
[CSV Coverage reports](https://github.com/advanced-security/codeql-extractor-iac/actions/workflows/coverage.yml) are created every release and push into the main branch.
88

9+
<!-- coverage-start -->
10+
| Suite | Query ID | Severity |
11+
| ------------- | ---------------------------------------------------- | -------- |
12+
| code-scanning | tf/alicloud/storage-publicly-accessible | 10.0 |
13+
| code-scanning | tf/azure/database-unencrypted | 7.0 |
14+
| code-scanning | tf/azure/database-geo-backup-unset-or-disabled | 2.0 |
15+
| code-scanning | tf/azure/database-weak-encryption | 4.0 |
16+
| code-scanning | tf/azure/database-tls-disable | 10.0 |
17+
| code-scanning | tf/azure/security-center-disabled-notifications | 3.0 |
18+
| code-scanning | tf/azure/vault-weak-key | 8.0 |
19+
| code-scanning | tf/azure/storage-publicly-accessible | 10.0 |
20+
| code-scanning | tf/azure/storage-unencrypted | 6.0 |
21+
| code-scanning | tf/all/hardcoded-passwords | 8.0 |
22+
| code-scanning | tf/gcp/abac-enabled | 8.0 |
23+
| code-scanning | tf/gcp/cluster-pod-security-policy | 5.0 |
24+
| code-scanning | tf/gcp/cluster-control-plane-publicly-accessible | 5.0 |
25+
| code-scanning | tf/gcp/storage-publicly-accessible | 10.0 |
26+
| code-scanning | tf/aws/storage-publicly-accessible | 10.0 |
27+
| code-scanning | tf/aws/storage-versioning-disabled | 6.0 |
28+
| code-scanning | tf/aws/storage-unencrypted | 6.0 |
29+
| code-scanning | tf/aws/s3-public-access-disabled | 5.0 |
30+
| code-scanning | tf/aws/storage-logging-disabled | 8.0 |
31+
| code-scanning | tf/aws/elastic-search-disabled-logging | 6.0 |
32+
| code-scanning | tf/aws/rds-database-unencrytped | 8.0 |
33+
| code-scanning | tf/aws/eks-unencrypted-secrets | 8.0 |
34+
| code-scanning | tf/aws/eks-public-cluster | 9.0 |
35+
| code-scanning | hc/kubernetes/pod-run-as-root | 8.0 |
36+
| code-scanning | hc/kubernetes/privileged-pod | 9.0 |
37+
| code-scanning | openapi/web/http-allowed | 2.0 |
38+
| code-scanning | actions/github/pull-request-target | NA |
39+
| code-scanning | actions/github/workflow-permissions | NA |
40+
| code-scanning | actions/github/unpinned-tag | 9.3 |
41+
| code-scanning | containers/docker/latest-images | 2.0 |
42+
| code-scanning | bicep/azure/storage-publicly-accessible | 10.0 |
43+
| code-scanning | bicep/azure/storage-tls-disabled | 9.0 |
44+
| code-scanning | cf/aws/storage-publicly-accessible | 10.0 |
45+
| code-scanning | iac/ecs/assignpublicip | NA |
46+
| code-scanning | iac/ecs/non-priv | NA |
47+
| code-scanning | iac/ecs/container-insights | NA |
48+
| code-scanning | iac/ecs/log-configuration | NA |
49+
| code-scanning | iac/ecs/secrets | NA |
50+
| code-scanning | iac/ecs/assign-publicip-taskset | NA |
51+
| code-scanning | iac/ecs/read-only-root-filesystem | NA |
52+
| code-scanning | iac/ecs/pidmode | NA |
53+
54+
<!-- coverage-end -->
55+
956
Download the coverage report zip, extract the CSV file, and view the content.
1057
This will be continuously updated as new queries are added to the extractor.
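Review bot: ten of the generated rows (`actions/github/pull-request-target`, `actions/github/workflow-permissions` and all eight `iac/ecs/*` queries) show `NA` in the Severity column, which per `generateMarkdown` means those rules carry no `security-severity` property, so code scanning cannot rank or filter their alerts by severity; add a `@security-severity` tag to each of those queries, or state in the doc that the column is intentionally empty for them, before this table is published as the coverage reference. The row `tf/aws/rds-database-unencrytped` also has a typo in the query ID itself; because that ID is the SARIF rule ID existing alerts key on, fix it in the query's `@id` deliberately and expect the rename to close and reopen alerts. Two smaller points: the blank line just before `<!-- coverage-end -->` is an artifact of the generator appending an extra newline and will reappear on every regeneration, and the unchanged context line "are created every release and push into the main branch" should read "pushed".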

docs/workflows.md

+4-4
@@ -6,7 +6,7 @@ To use the CodeQL Extractor, Library, and Queries for Infrastructure as Code, yo
66

77
```yaml
88
- name: Initialize and Analyze IaC
9-
uses: advanced-security/codeql-extractor-iac@main
9+
uses: advanced-security/codeql-extractor-iac@v0.4.1
1010
```
1111
1212
### Uploading SARIF files to GitHub
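Review bot: `advanced-security/codeql-extractor-iac@v0.4.1` is better than `@main`, but a tag is still a mutable ref the repository owner can move, which is exactly what this project's own `actions/github/unpinned-tag` query (severity 9.3 in the coverage table) flags; pin the example to the full commit SHA with the version as a trailing comment, e.g. `uses: advanced-security/codeql-extractor-iac@<sha> # v0.4.1` (placeholder, not a real SHA), and say in the surrounding text why a security tool's own docs do so. The same applies to the other `uses:` bumps in this file.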
@@ -16,7 +16,7 @@ This has to be done manually or using the `github/codeql-action/upload-sarif` ac
1616

1717
```yaml
1818
- name: Upload SARIF file
19-
uses: github/codeql-action/upload-sarif@v2
19+
uses: github/codeql-action/upload-sarif@v3
2020
with:
2121
sarif_file: codeql-iac.sarif
2222
```
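Review bot: this snippet hardcodes `sarif_file: codeql-iac.sarif` while the full workflow further down in the same file uses `${{ steps.codeql_iac.outputs.sarif }}`; the two examples should agree, and the prose should state that the action exposes a `sarif` output so readers do not have to guess the file name. A reader copying only this fragment also needs `security-events: write` on the job for `upload-sarif@v3` to succeed, which is worth a sentence here.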
@@ -50,10 +50,10 @@ jobs:
5050
5151
- name: Initialize and Analyze IaC
5252
id: codeql_iac
53-
uses: advanced-security/codeql-extractor-iac@main
53+
uses: advanced-security/codeql-extractor-iac@v0.4.1
5454
5555
- name: Upload SARIF file
56-
uses: github/codeql-action/upload-sarif@v2
56+
uses: github/codeql-action/upload-sarif@v3
5757
with:
5858
sarif_file: ${{ steps.codeql_iac.outputs.sarif }}
5959
```
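Review bot: the visible lines of the full workflow show no `permissions:` block, and `upload-sarif@v3` fails at upload time (not at analysis time) without `security-events: write`; either add `permissions: security-events: write` (plus `contents: read`) to the example or confirm it is already present above line 50, since the project's own `actions/github/workflow-permissions` query exists precisely to catch that omission.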

scripts/README.md

+9
@@ -0,0 +1,9 @@
1+
# Scripts
2+
3+
## Coverage Script
4+
5+
**Generate coverage report for docs:**
6+
7+
```bash
8+
uv run ./scripts/create-coverage.py report --markdown -o ./docs/coverage.md
9+
```
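Review bot: the documented command only works if `./docs/coverage.md` already exists and already contains the `<!-- coverage-start -->` / `<!-- coverage-end -->` markers, because `create-coverage.py` raises on a missing file or missing markers and never creates them; the README should state that precondition and that `uv` must be installed. It would also help to say that `-o` applies to the `--markdown` report only and that `coverage.csv` is still written to the working directory on every run.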

scripts/create-coverage.py

+33-8
@@ -1,4 +1,11 @@
11
#!/usr/bin/env python3
2+
# /// script
3+
# requires-python = ">=3.12"
4+
# dependencies = [
5+
# "ghastoolkit"
6+
# ]
7+
# ///
8+
29
import os
310
import csv
411
import json
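Review bot: the inline script metadata declares `ghastoolkit` with no version constraint, so every `uv run` resolves the newest release from the index and the generated coverage table can change under you without any commit to this repository; pin it (`"ghastoolkit==<version>"` or at least a bounded `>=,<` range) and consider committing a lock so the docs job is reproducible. `requires-python = ">=3.12"` is fine, but `scripts/README.md` should mention it since it currently says nothing about runtime requirements.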
@@ -35,20 +42,16 @@ def generateCsv(csvfile, rules, src, src_suite, display: bool = True):
3542

3643
def generateMarkdown(rules, suite: str = "code-scanning") -> str:
3744
markdown = """\
38-
# Code Scanning Coverage Report
39-
40-
This report shows the coverage of Code Scanning rules for the current repository.
41-
42-
| Suite | Query ID | Severity |
43-
| ------------- | ------------------------------------------ | -------- |
45+
| Suite | Query ID | Severity |
46+
| ------------- | ---------------------------------------------------- | -------- |
4447
"""
4548

4649
for rule in rules:
4750
id = rule.get("id")
4851
props = rule.get("properties", {})
4952
severity = props.get("security-severity", "NA")
5053

51-
markdown += f"| {suite} | {id:<42} | {severity:<8} |\n"
54+
markdown += f"| {suite} | {id:<52} | {severity:<8} |\n"
5255
return markdown
5356

5457
@dataclass
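Review bot: `id = rule.get("id")` shadows the builtin `id()` and silently renders `None` in the table when a rule file lacks an `id`; rename it to `rule_id` and skip or fail on rules without one so a malformed rule does not produce a bogus row. Widening the column to 52 characters only pads the source text; Markdown renders the table identically either way, so the hard-coded widths in the separator row and the format string are cosmetic and will drift again as longer query IDs are added.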
@@ -87,6 +90,7 @@ def arguments(self):
8790
parser.add_argument("--pull-request", help="Output to pull_request")
8891
parser.add_argument("--csv", action="store_true", help="Output as csv")
8992
parser.add_argument("--markdown", action="store_true", help="Output as markdown")
93+
parser.add_argument("-o", "--output", help="Output file")
9094

9195
parser.add_argument("--rules", default="./scripts/rules", help="Path to query rules folder")
9296
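Review bot: the help text for `-o/--output` ("Output file") undersells what the flag does; the file is opened for reading first, must already exist and must contain the coverage markers, and only the region between them is rewritten. Say so in the help string, e.g. `help="Existing markdown file whose coverage-start/coverage-end section is replaced"`, so a user does not expect a fresh file to be created.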

@@ -116,7 +120,28 @@ def runReport(self, arguments):
116120
generateCsv("coverage.csv", rules, src, src_suite, display=not arguments.markdown)
117121

118122
markdown = generateMarkdown(rules)
119-
print(markdown)
123+
124+
if arguments.output:
125+
if not os.path.exists(arguments.output):
126+
raise Exception(f"Markdown output file not found: {arguments.output}")
127+
with open(arguments.output, "r") as handle:
128+
content = handle.read()
129+
130+
start_marker = "<!-- coverage-start -->"
131+
end_marker = "<!-- coverage-end -->"
132+
start_index = content.find(start_marker)
133+
end_index = content.find(end_marker)
134+
if start_index == -1 or end_index == -1:
135+
raise Exception("Markers not found in markdown file")
136+
137+
# Replace the content between the markers
138+
new_content = content[:start_index + len(start_marker)] + "\n" + markdown + "\n" + content[end_index:]
139+
with open(arguments.output, "w") as handle:
140+
handle.write(new_content)
141+
142+
else:
143+
print("""# Code Scanning Coverage Report\n\nThis report shows the coverage of Code Scanning rules for the current repository.\n\n""")
144+
print(markdown)
120145

121146
def runRules(self, arguments):
122147
"""Run and generate the queries."""

scripts/install-extractor.sh

File mode changed: 100755 → 100644
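Review bot: `scripts/install-extractor.sh` loses its executable bit here (100755 to 100644) while its contents are untouched; anything that runs it as `./scripts/install-extractor.sh`, or a workflow step that executes the path directly, will now fail with permission denied, so either restore the mode (`git update-index --chmod=+x scripts/install-extractor.sh`) or confirm every caller invokes it through `bash scripts/install-extractor.sh`.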
