Merge branch 'master' into add-tag-for-actionability
jsoucheiron authored Nov 13, 2024
2 parents 4fc2ffe + 85dbf6c commit a6bf686
Showing 54 changed files with 1,539 additions and 436 deletions.
4 changes: 0 additions & 4 deletions .flake8

This file was deleted.
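Review bot: deleting .flake8 is consistent with the Makefile's move from flake8/isort/black to `ruff check` and `ruff format`, but the ruff rule selection that replaces this file is not in this view; confirm that pyproject.toml carries a `[tool.ruff]` section selecting at least the rules this file configured, otherwise `make lint` silently checks less than it did before.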

17 changes: 17 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
- package-ecosystem: "pip" # See documentation for possible values
directory: "/" # Location of package manifests
schedule:
interval: "monthly"
open-pull-requests-limit: 1
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
open-pull-requests-limit: 1
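Review bot: the `github-actions` entry will bump references such as `actions/checkout@v4`, but those are mutable tags; pin each action to a full commit SHA with a `# vN` comment and Dependabot will keep the SHA pins updated, which removes the tag-retargeting risk from the workflow that publishes to PyPI. Also, `open-pull-requests-limit: 1` with a `monthly` interval means a second outdated package waits until the first PR is merged; fine for a small project, but worth remembering when a dependency fix is urgent.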
7 changes: 7 additions & 0 deletions .github/pull_request_template.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# Description

<!-- Please include a summary of the change, how this updates the current logic and which features are added or removed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->

## Checklist

- [ ] I have updated the CHANGELOG.md file accordingly
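Review bot: the checklist has only the CHANGELOG item; since `make test` runs lint and unit tests, add a line such as `- [ ] I have added or updated tests for the change` and one for `make lint` so contributors run the same checks CI does before opening the PR.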
19 changes: 19 additions & 0 deletions .github/release-drafter.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
name-template: 'v$RESOLVED_VERSION'
tag-template: 'v$RESOLVED_VERSION'
change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
version-resolver:
major:
labels:
- 'major'
minor:
labels:
- 'minor'
patch:
labels:
- 'patch'
default: patch
template: |
## Changes
$CHANGES
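Review bot: `change-title-escapes: '\<*_&'` does not include `@`, `#` or backtick, so a PR title containing `@someone` or `#123` is rendered as a mention or issue link in the release notes, and the line is built from `$TITLE` and `@$AUTHOR` of PRs that the accompanying workflow also accepts from forks via `pull_request_target`; add `@`, `#` and `` ` `` to the escapes, as the inline comment itself suggests. Also, with `default: patch` under `version-resolver` and no `autolabeler` section, an unlabelled PR always resolves to a patch bump, so a breaking change needs the `major` label applied by hand before the draft is published.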
6 changes: 3 additions & 3 deletions .github/workflows/lint-and-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,15 +9,15 @@ jobs:
strategy:
fail-fast: false
matrix:
python-version: ['3.7', '3.8', '3.9', '3.10']
python-version: ['3.9', '3.10', '3.11', '3.12', '3.13']

name: Python ${{ matrix.python-version }}

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4

- name: Setup python
uses: actions/setup-python@v2
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
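Review bot: the matrix drops 3.7 and 3.8 and adds 3.11, 3.12 and 3.13, while the CHANGELOG entry for 1.17.0 on this page records only `Remove support for python 3.8` and `Add support for python 3.13`; either the 3.7 removal and the 3.11/3.12 additions were logged in an earlier release or they should be added to the entry, and `requires-python` in pyproject.toml (not in this view) should be `>=3.9` to match what CI exercises.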

Expand Down
44 changes: 21 additions & 23 deletions .github/workflows/pypi-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,35 +5,33 @@ on:
types: [published]

jobs:
build:
pypi-publish:
name: Upload release to PyPI
runs-on: ubuntu-latest

environment:
name: pypi
url: https://pypi.org/p/cfripper
permissions:
id-token: write
steps:
- uses: actions/checkout@v2
- name: Checkout
uses: actions/checkout@v4

- name: Setup python
uses: actions/setup-python@v2
uses: actions/setup-python@v5
with:
python-version: '3.7'

- run: pip install setuptools wheel
python-version: '3.9'

- run: make install
- name: Install dependencies
run: |
python -m pip install -U pip setuptools
python -m pip install -U twine build setuptools-scm
- name: Build a binary wheel
run: python setup.py sdist bdist_wheel

# This doesn't add any value. It mostly passes, and if a release fails in the non-test PyPi
# this step then needs to be skipped.
# Leaving it commented until we find a cause to keep it that adds value to the project.
# - name: Publish distribution 📦 to Test PyPI
# uses: pypa/gh-action-pypi-publish@master
# with:
# password: ${{ secrets.test_pypi_password }}
# repository_url: https://test.pypi.org/legacy/
- name: Build package
run: |
python -m setuptools_scm
python -m build
twine check --strict dist/*
- name: Publish distribution 📦 to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
user: __token__
password: ${{ secrets.PYPI_TOKEN }}
uses: pypa/gh-action-pypi-publish@release/v1
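Review bot: with `user: __token__` / `password: ${{ secrets.PYPI_TOKEN }}` replaced by OIDC trusted publishing (`id-token: write` plus the `pypi` environment), the long-lived API token is now dead weight: revoke it on PyPI and delete the `PYPI_TOKEN` repository secret so no other workflow can read it, and register the trusted publisher on PyPI with this exact workflow filename and environment name, ideally with required reviewers on the `pypi` environment so a published release alone cannot push a package. Two smaller points: `actions/checkout@v4` defaults to a shallow clone, so `python -m setuptools_scm` only derives the right version if the release tag is reachable from the checkout (on a `release` event the tag ref itself is checked out; if that trigger ever changes, set `fetch-depth: 0`), and `pypa/gh-action-pypi-publish@release/v1` is a moving branch, so pin it by commit SHA. Dropping the commented-out Test PyPI block that referenced `@master` is welcome.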
32 changes: 32 additions & 0 deletions .github/workflows/release-drafter.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: Release Drafter

on:
push:
# branches to consider in the event; optional, defaults to all
branches:
- master
# pull_request event is required only for autolabeler
pull_request:
# Only following types are handled by the action, but one can default to all as well
types: [opened, reopened, synchronize]
# pull_request_target event is required for autolabeler to support PRs from forks
pull_request_target:
types: [opened, reopened, synchronize]

permissions:
contents: read

jobs:
update_release_draft:
permissions:
# write permission is required to create a github release
contents: write
# write permission is required for autolabeler
# otherwise, read permission is required at least
pull-requests: write
runs-on: ubuntu-latest
steps:
# Drafts your next Release notes as Pull Requests are merged into "master"
- uses: release-drafter/release-drafter@v6
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
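Review bot: the `pull_request` and `pull_request_target` triggers exist, per the inline comments, only for the autolabeler, but the `.github/release-drafter.yml` added in this same commit has no `autolabeler` section, so these triggers do nothing useful while `pull_request_target` runs a job holding `contents: write` and `pull-requests: write` for every PR from a fork; drop both triggers (keeping `push` to `master`) until autolabeling is actually configured, and never add an `actions/checkout` of the PR head to this job while `pull_request_target` is present.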
4 changes: 2 additions & 2 deletions .github/workflows/test-docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,10 @@ jobs:
name: Test Docs

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4

- name: Setup python
uses: actions/setup-python@v2
uses: actions/setup-python@v5
with:
python-version: 3.9

Expand Down
6 changes: 5 additions & 1 deletion .readthedocs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,12 @@ mkdocs:

formats: all

build:
os: ubuntu-22.04
tools:
python: "3.9"

python:
version: 3.7
install:
- method: pip
path: .
Expand Down
57 changes: 57 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,63 @@
# Changelog
All notable changes to this project will be documented in this file.

## [1.17.0]
### Additions
- Add support for python 3.13
### Removals
- Remove support for python 3.8

## [1.16.0]
### Additions
- Added 2 new filter functions: `set` and `sorted`

## [1.15.7]
### Updates
- Bumped pycfmodel to use pydantic v2
### Other updates
- Add PR template @w0rmr1d3r (#279)

## [1.15.6]
### Fixes
- Fix logo in pypi @ignaciobolonio (#274)
### Updates
- Update .readthedocs.yaml @jsoucheiron (#275)
### Bumps
- Bump actions/setup-python from 4 to 5 (#270)
- Bump cryptography from 42.0.3 to 42.0.4 (#272)

## [1.15.5]
### Changes
- Migrate to pyproject.toml @jsoucheiron (#269)
- Add dependabot config @w0rmr1d3r (#257)

## [1.15.4]
### Fixes
- Fix `KMSKeyWildcardPrincipalRule` to work without a KMS policy
- Fix release drafter template to show PR titles
### Updates
- Bumped minimum `pycfmodel` version to `0.22.0`

## [1.15.3]
### Changes
- Update invalid_role_inline_policy_fn_if.json
- Improve logging for the exception when applying rule filters
- Add release drafter

## [1.15.2]
### Fixes
- Fixes https://github.com/Skyscanner/cfripper/issues/260

## [1.15.1]
### Fixes
- Fix docs generation

## [1.15.0]
### Additions
- New rules: `PublicELBCheckerRule`, `StackNameMatchesRegexRule`, and `StorageEncryptedRule`
- New regex: `REGEX_ALPHANUMERICAL_OR_HYPHEN` to check if stack name only consists of alphanumerical characters and hyphens.
- Config has a few extra methods that should make handling Filters easier

## [1.14.0]
### Additions
- `Config` includes a metrics logger, and it is called to register when a filter is used
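Review bot: the `[1.17.0]` entry records the Python version changes but nothing else from this merge: `cfripper/__version__.py` is deleted (a module users may import), the CLI now reads its version from installed package metadata, the release workflow moved to PyPI trusted publishing, and lint tooling moved to ruff. Earlier entries such as `[1.15.5]` log this kind of change under `### Changes` or `### Other updates`; add matching lines, and put the `__version__` module removal under `### Removals` so downstream users see it.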
Expand Down
61 changes: 31 additions & 30 deletions Makefile
Original file line number Diff line number Diff line change
@@ -1,49 +1,50 @@
SOURCE_DIRS = cfripper tests docs
SOURCE_FILES = setup.py
SOURCE_ALL = $(SOURCE_DIRS) $(SOURCE_FILES)
SOURCES = cfripper tests docs

PIP_COMMAND = pip
install:
pip install -r requirements.txt
$(PIP_COMMAND) install -r requirements.txt

install-dev: install
pip install -e ".[dev]"
install-dev:
$(PIP_COMMAND) install -r requirements.txt -r requirements-dev.txt .

install-docs:
pip install -e ".[dev,docs]"
$(PIP_COMMAND) install -r requirements.txt -r requirements-docs.txt .

format:
isort --recursive $(SOURCE_ALL)
black $(SOURCE_ALL)
ruff format $(SOURCES)

lint: isort-lint black-lint flake8-lint

isort-lint:
isort --check-only --recursive $(SOURCE_ALL)

black-lint:
black --check $(SOURCE_ALL)

flake8-lint:
flake8 $(SOURCE_ALL)
lint:
ruff check $(SOURCES)

unit:
pytest -svvv tests

coverage:
coverage run --source=cfripper --branch -m pytest tests/ --junitxml=build/test.xml -v
coverage report
coverage xml -i -o build/coverage.xml
coverage html
pytest --cov cfripper

test: lint unit

test-docs:
mkdocs build --strict

freeze:
CUSTOM_COMPILE_COMMAND="make freeze" pip-compile --no-emit-index-url --no-annotate --output-file requirements.txt setup.py

freeze-upgrade:
CUSTOM_COMPILE_COMMAND="make freeze" pip-compile --no-emit-index-url --upgrade --no-annotate --output-file requirements.txt setup.py

.PHONY: install install-dev install-docs format lint isort-lint black-lint flake8-lint unit coverage test freeze freeze-upgrade
FREEZE_COMMAND = CUSTOM_COMPILE_COMMAND="make freeze" uv pip compile
FREEZE_OPTIONS = --no-emit-index-url --no-annotate -v
freeze-base: pyproject.toml
$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --output-file requirements.txt
freeze-dev: pyproject.toml
$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --extra dev --output-file requirements-dev.txt
freeze-docs: pyproject.toml
$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --extra dev --extra docs --output-file requirements-docs.txt
freeze: freeze-base freeze-dev freeze-docs

freeze-upgrade-base:
$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --upgrade --output-file requirements.txt
freeze-upgrade-dev:
$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --upgrade --extra dev --output-file requirements-dev.txt
freeze-upgrade-docs:
$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --upgrade --extra docs --extra dev --output-file requirements-docs.txt
freeze-upgrade: freeze-upgrade-base freeze-upgrade-dev freeze-upgrade-docs


.PHONY: install install-dev install-docs format lint unit coverage test freeze freeze-upgrade\
freeze-base freeze-dev freeze-docs freeze-upgrade-base freeze-upgrade-dev freeze-upgrade-docs
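Review bot: the `freeze*` targets now pin dependencies with `uv pip compile` but do not pass `--generate-hashes`, so `pip install -r requirements.txt` still trusts whatever the index serves for a pinned version; add `--generate-hashes` to `FREEZE_OPTIONS` so pip runs in hash-checking mode. Smaller points: nothing installs `uv` (the `install*` targets only use `$(PIP_COMMAND)`), so document `pip install uv` or add it to the dev requirements; `freeze-docs` passes `--extra dev --extra docs` while `freeze-upgrade-docs` passes `--extra docs --extra dev`, and the two lines should be identical so a diff between them is meaningful; and `coverage` now relies on `pytest --cov`, so `pytest-cov` must be in the dev requirements.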
6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
<p align="center">
<img src="docs/img/logo.png" width="200">
<img src="https://raw.githubusercontent.com/Skyscanner/cfripper/master/docs/img/logo.png" width="200" alt="cfripper logo">
</p>

# CFRipper

![Build Status](https://github.com/Skyscanner/cfripper/workflows/PyPI%20release/badge.svg)
[![PyPI version](https://badge.fury.io/py/cfripper.svg)](https://badge.fury.io/py/cfripper)
[![Total alerts](https://img.shields.io/lgtm/alerts/g/Skyscanner/cfripper.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/Skyscanner/cfripper/alerts/)
[![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/Skyscanner/cfripper.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/Skyscanner/cfripper/context:python)
[![homebrew version](https://img.shields.io/homebrew/v/cfripper)](https://formulae.brew.sh/formula/cfripper)
![License](https://img.shields.io/github/license/skyscanner/cfripper)

CFRipper is a Library and CLI security analyzer for AWS CloudFormation templates. You can use CFRipper to prevent deploying insecure AWS resources into your Cloud environment. You can write your own compliance checks by adding new custom plugins.
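Review bot: the logo now uses the raw.githubusercontent.com URL, so it renders on PyPI (matching the `Fix logo in pypi` CHANGELOG entry), and the dead LGTM badges are gone; the remaining `Build Status` badge, however, points at the `PyPI release` workflow, which only runs on published releases, so it says nothing about whether `master` passes `lint-and-test`. Point the badge at the lint-and-test workflow instead.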

Expand Down
3 changes: 0 additions & 3 deletions cfripper/__version__.py

This file was deleted.
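Review bot: deleting `cfripper/__version__.py` removes an import path (`from cfripper.__version__ import __version__`) that external code may rely on, as the old `cli.py` import on this page shows; if the intent is to keep the version in one place, a one-line shim exposing `__version__ = importlib.metadata.version("cfripper")` preserves compatibility, and the removal belongs in the CHANGELOG either way.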

4 changes: 2 additions & 2 deletions cfripper/cli.py
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import logging
import re
import sys
from importlib.metadata import version
from io import TextIOWrapper
from pathlib import Path
from typing import Dict, List, Optional, Tuple
Expand All @@ -9,7 +10,6 @@
import pycfmodel
from pycfmodel.model.cf_model import CFModel

from cfripper.__version__ import __version__
from cfripper.config.config import Config
from cfripper.config.pluggy.utils import get_all_rules
from cfripper.exceptions import FileEmptyException
Expand Down Expand Up @@ -145,7 +145,7 @@ def validate_aws_principals(ctx: click.Context, param: str, value: str) -> Optio


@click.command()
@click.version_option(prog_name="cfripper", version=__version__)
@click.version_option(prog_name="cfripper", version=version("cfripper"))
@click.argument("templates", type=click.File("r"), nargs=-1)
@click.option(
"--resolve/--no-resolve",
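Review bot: `version("cfripper")` is evaluated when the decorator runs, i.e. at import of `cfripper.cli`, and `importlib.metadata.version` raises `PackageNotFoundError` when the distribution is not installed, so running the CLI from a source checkout without `pip install -e .` now fails at import rather than only on `--version`. Click's `version_option` accepts `package_name="cfripper"` and performs the same metadata lookup lazily, only when `--version` is passed; prefer that over the eager `version()` call, which also makes the bare `version` import unnecessary.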
Expand Down