Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
---
name: Bug report
about: Report a reproducible problem in the Cloud Security Suite
title: "[Bug]: "
labels: bug
assignees: ""
---

## Summary

## Steps to reproduce

1.
2.
3.

## Expected behavior

## Actual behavior

## Environment

- OS:
- Python version:
- Terraform version:
- AWS region:

## Logs or screenshots

## Additional context
17 changes: 17 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
---
name: Feature request
about: Suggest a new check, detection, integration, or workflow
title: "[Feature]: "
labels: enhancement
assignees: ""
---

## Summary

## Problem this solves

## Proposed solution

## Alternatives considered

## Additional context
16 changes: 16 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
## Summary

## What changed

## Why

## Testing performed

## Screenshots (if applicable)

## Checklist

- [ ] Tests added or updated
- [ ] Documentation updated
- [ ] Terraform formatted with `terraform fmt -recursive`
- [ ] Local tests and linting pass
41 changes: 41 additions & 0 deletions .github/workflows/lint.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
name: lint

on:
pull_request:

jobs:
lint:
runs-on: ubuntu-latest

steps:
- name: Check out repository
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
cache: pip

- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt

- name: Run Ruff
run: ruff check .

- name: Run mypy on shared modules
run: mypy shared/

- name: Run mypy on tools with AWS typing leniency
run: >
mypy tools/
--ignore-missing-imports
--allow-untyped-defs
--allow-incomplete-defs
--disable-error-code attr-defined
--disable-error-code no-any-return
--disable-error-code type-arg
--disable-error-code arg-type
--disable-error-code misc
34 changes: 34 additions & 0 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
name: security

on:
pull_request:
schedule:
- cron: "0 9 * * 1"

jobs:
security:
runs-on: ubuntu-latest

steps:
- name: Check out repository
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
cache: pip

- name: Install scanners
run: |
python -m pip install --upgrade pip
pip install bandit pip-audit checkov

- name: Run Bandit
run: bandit -r shared tools -x "*/tests/*,*/sample_data/*"

- name: Run pip-audit
run: pip-audit -r requirements.txt

- name: Run Checkov
run: checkov -d infrastructure --quiet --soft-fail
41 changes: 41 additions & 0 deletions .github/workflows/terraform.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
name: terraform

on:
pull_request:
paths:
- "infrastructure/**"
- ".github/workflows/terraform.yml"

jobs:
terraform:
runs-on: ubuntu-latest

steps:
- name: Check out repository
uses: actions/checkout@v4

- name: Set up Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: "1.6.6"

- name: Check Terraform formatting
working-directory: infrastructure
run: terraform fmt -check -recursive

- name: Initialize Terraform without backend
working-directory: infrastructure
run: terraform init -backend=false

- name: Validate Terraform
working-directory: infrastructure
run: terraform validate

- name: Set up tflint
uses: terraform-linters/setup-tflint@v4

- name: Run tflint best-effort
working-directory: infrastructure
run: |
tflint --init
tflint --recursive || true
36 changes: 36 additions & 0 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
name: test

on:
pull_request:
push:
branches:
- main

jobs:
test:
runs-on: ubuntu-latest

steps:
- name: Check out repository
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
cache: pip

- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt

- name: Run tests with coverage
run: |
pytest --cov=shared --cov=tools --cov-report=term --cov-report=xml --cov-fail-under=80 -v

- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
with:
files: ./coverage.xml
fail_ci_if_error: false
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ dist/
build/
.pytest_cache/
.coverage
coverage.xml
htmlcov/
.mypy_cache/
.ruff_cache/
Expand Down
67 changes: 67 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
# Contributing

Thanks for improving the Cloud Security Suite. This project uses small, reviewable pull requests and CI checks for tests, linting, Terraform validation, and security scanning.

## Development Workflow

1. Fork the repository.
2. Create a branch from `main`.
3. Make focused changes with tests and documentation when behavior changes.
4. Open a pull request and wait for CI to pass before requesting review.

## Branch Names

Use short branch names with one of these prefixes:

- `feat/` for new features
- `fix/` for bug fixes
- `docs/` for documentation-only changes
- `ci/` for workflow and automation changes
- `chore/` for maintenance

## Commit Messages

Use Conventional Commits:

```text
feat(iam-auditor): add access key rotation check
fix(cloudtrail): handle gzipped sample logs
docs(infra): document remote state setup
ci: add terraform validation workflow
```

## Run Tests Locally

```bash
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
pytest --cov=shared --cov=tools --cov-report=term --cov-fail-under=80 -v
ruff check .
mypy shared/
mypy tools/ \
--ignore-missing-imports \
--allow-untyped-defs \
--allow-incomplete-defs \
--disable-error-code attr-defined \
--disable-error-code no-any-return \
--disable-error-code type-arg \
--disable-error-code arg-type \
--disable-error-code misc
```

## Terraform Validation

Package Lambda artifacts before validation because Terraform references the generated zip files:

```bash
cd infrastructure
./modules/iam_auditor/package.sh
./modules/guardduty_processor/package.sh
./modules/cloudtrail_analyzer/package.sh
terraform fmt -recursive
terraform init -backend=false
terraform validate
```

The real `terraform.tfvars` file is gitignored. Use `terraform.tfvars.example` as the starting point for local testing.
9 changes: 8 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,19 @@
# Cloud Security Suite

[![test](https://img.shields.io/github/actions/workflow/status/huslayer826/cloud-security-suite/test.yml?branch=main&label=tests)](https://github.com/huslayer826/cloud-security-suite/actions/workflows/test.yml)
[![lint](https://img.shields.io/github/actions/workflow/status/huslayer826/cloud-security-suite/lint.yml?branch=main&label=lint)](https://github.com/huslayer826/cloud-security-suite/actions/workflows/lint.yml)
[![coverage](https://img.shields.io/codecov/c/github/huslayer826/cloud-security-suite?label=coverage)](https://codecov.io/gh/huslayer826/cloud-security-suite)
![Python](https://img.shields.io/badge/python-3.11-blue)
![Terraform](https://img.shields.io/badge/terraform-%3E%3D1.6-844FBA)
[![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)

## Project Pitch

A Python and Terraform suite for automated AWS security auditing, threat detection, and incident response.

## Badges

Placeholder for project badges.
CI badges track tests, linting, coverage, supported runtime versions, and license.

## Architecture Diagram

Expand Down
25 changes: 25 additions & 0 deletions infrastructure/.terraform.lock.hcl

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

16 changes: 8 additions & 8 deletions infrastructure/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -21,14 +21,14 @@ terraform {
module "iam_auditor" {
source = "./modules/iam_auditor"

project_name = var.project_name
environment = var.environment
aws_region = var.aws_region
notification_email = var.notification_email
schedule_expression = var.schedule_expression
lambda_package_path = "${path.module}/modules/iam_auditor/iam_auditor_lambda.zip"
lambda_source_hash = try(filebase64sha256("${path.module}/modules/iam_auditor/iam_auditor_lambda.zip"), null)
permissions_boundary = var.permissions_boundary
project_name = var.project_name
environment = var.environment
aws_region = var.aws_region
notification_email = var.notification_email
schedule_expression = var.schedule_expression
lambda_package_path = "${path.module}/modules/iam_auditor/iam_auditor_lambda.zip"
lambda_source_hash = try(filebase64sha256("${path.module}/modules/iam_auditor/iam_auditor_lambda.zip"), null)
permissions_boundary = var.permissions_boundary
}

module "guardduty_processor" {
Expand Down
Loading
Loading