Policy Check enhancements (#23)

* Enhancement: Policy check now returns detailed reasons why a policy check failed * Enhancement: Generate HTML compliance report from mustache-based template * New Policy: Code Flaws filter for critical * New Policy: Guardian filter for CVE age, allow exceptions to Guardian policy * New Policy: Restrict presence of user accounts * Bug fix: Only one exception was valid for private key, certificate check * Bug fix: Binary hardening did not process includes properly * Code cleanup
ReFirmLabs · Jun 15, 2020 · b72a553 · b72a553
1 parent 23d4b9b
commit b72a553
Show file tree

Hide file tree

Showing 8 changed files with 256 additions and 141 deletions.
diff --git a/.gitignore b/.gitignore
@@ -102,3 +102,6 @@ venv.bak/
 
 # mypy
 .mypy_cache/
+
+# vscode
+.vscode/
diff --git a/centrifuge_cli/main.py b/centrifuge_cli/main.py
@@ -393,9 +393,10 @@ def binary_hardening(cli):
 
 @report.command(name='check-policy')
 @click.option('--policy-yaml', metavar='FILE', type=click.Path(), help='Centrifuge policy yaml file.', required=True)
+@click.option('--report-template', metavar='FILE', type=click.Path(), help='Policy report template file.', required=False)
 @click.pass_context
 @pass_cli
-def check_policy(cli, ctx, policy_yaml):
+def check_policy(cli, ctx, policy_yaml, report_template):
     outfmt = cli.outfmt
     cli.outfmt = 'json'
     cli.echo_enabled = False
@@ -406,19 +407,24 @@ def check_policy(cli, ctx, policy_yaml):
     guardian_json = json.loads(ctx.invoke(guardian))
     code_summary_json = json.loads(ctx.invoke(code_summary))
     passhash_json = json.loads(ctx.invoke(passhash))
+    info_json = json.loads(ctx.invoke(info))
 
     policy_obj = CentrifugePolicyCheck(certificates_json,
                                        private_keys_json,
                                        binary_hardening_json,
                                        guardian_json,
                                        code_summary_json,
-                                       passhash_json)
+                                       passhash_json,
+                                       info_json)
 
     policy_obj.check_rules(policy_yaml)
 
-    result = policy_obj.generate_csv()
-    if outfmt == 'json':
+    if report_template:
+        result = policy_obj.generate_report(report_template)
+    elif outfmt == 'json':
         result = policy_obj.generate_json()
+    else:
+        result = policy_obj.generate_csv()
 
     cli.echo_enabled = True
     cli.outfmt = outfmt