feat: first working version

Signed-off-by: r3drun3 <[email protected]>

.github/workflows/ci.yaml

@@ -0,0 +1,41 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - '*'
+    paths-ignore:
+      - 'README.md'
+      - 'requirements.txt'
+      - 'credentials/**'
+      - 'docs/**'
+      - '.gitignore'
+      - 'LICENSE'
+    tags-ignore:
+      - '*'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v2
+
+    - name: Set up Python
+      uses: actions/setup-python@v3
+      with:
+        python-version: 3.11
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install flake8
+
+    - name: Lint Python files with flake8
+      run: |
+        flake8 --ignore=E501,E23,W503 .
+
+    - name: Lint Dockerfile
+      run: |
+        docker run --rm -i hadolint/hadolint < Dockerfile

.github/workflows/release.yaml

@@ -0,0 +1,51 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+jobs:
+
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.2.1'
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Extract Version
+        id: tagger
+        uses: battila7/get-version-action@v2
+      - name: Print Version
+        run: |
+          echo ${{steps.tagger.outputs.version}}
+          echo ${{steps.tagger.outputs.version-without-v}}
+      - name: Create Github release
+        uses: ncipollo/release-action@v1
+        with:
+          tag: ${{ steps.tagger.outputs.version }}
+      - name: Login to Github Container Registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        id: build-and-push
+        with:
+          context: .
+          platforms: linux/amd64 #,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/cloudit:${{ steps.tagger.outputs.version-without-v }}
+      - name: Sign image with a key
+        run: |
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "ghcr.io/cloudit:${{ steps.tagger.outputs.version-without-v }}@${DIGEST}"
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}

.gitignore

@@ -0,0 +1,21 @@
+# local development
+.DS_Store
+temp.txt
+
+# prowler output
+output
+
+# aws credentials
+aws-credentials.json
+
+# azure credentials
+azure-credentials.json
+
+# gcp credentials
+gcp-credentials.json
+*-gcp-sa.json
+
+
+# cosign
+cosign.key
+cosign.pub

Dockerfile

@@ -0,0 +1,31 @@
+# Use the official Alpine Python runtime as the base image
+FROM python:3.11-alpine3.18
+
+# Set the maintainer label
+LABEL maintainer="r3drun3"
+
+# Set the working directory in the container
+WORKDIR /app
+
+# Copy app files into the container at /app
+COPY cloudit.py requirements.txt /app/
+
+RUN apk upgrade
+
+# Upgrade pip to the latest version and install any needed packages specified in requirements.txt
+RUN pip install --no-cache-dir --upgrade pip==23.3.1 && pip install --no-cache-dir -r requirements.txt
+
+
+# Run the script when the container launches
+CMD ["python", "./cloudit.py"]
+
+################################# EXAMPLES #################################
+# example command to build the image locally:
+# docker build -t my-registry/cspm/cloudit:0.0.12 .
+
+# example command to pull the image from registry:
+# docker pull my-registry/cspm/cloudit:0.0.12
+
+# example command to run the container:
+# docker run -it --rm -v /Users/rago/Desktop/personal/GITHUB/cloudit/cloudit/:/app/ -v /Users/rago/Desktop/personal/GITHUB/cloudit/cloudit/credentials:/app/credentials my-registry/cspm/cloudit:0.0.12
+#############################################################################

LICENSE

@@ -1,4 +1,4 @@
-                                 Apache License
+                                Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
 
@@ -174,28 +174,3 @@
       of your accepting any such warranty or additional liability.
 
    END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

README.md

@@ -1,2 +1,124 @@
-# cloudit
-Cloud Security Posture Management Tool ☁️ 🔬
+# Cloudit
+[![CI](https://github.com/rooted-io/cloudit/actions/workflows/ci.yaml/badge.svg)](https://github.com/rooted-io/cloudit/actions/workflows/ci.yaml)  [![Release](https://github.com/rooted-io/cloudit/actions/workflows/release.yaml/badge.svg)](https://github.com/rooted-io/cloudit/actions/workflows/release.yaml)  [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+
+
+
+Automatic Cloud Posture Audit Tool ☁️ 🔬  
+
+<img src="docs/images/tool-logo.png" alt="Cloudit Logo" width="250" height="190"> 
+
+## Abstract
+
+
+`Cloudit` is a script for automatic, multicloud and  multi-tenant *CSPM* (Cloud Security Posture Management).  
+The idea is to wrap some usefull open source cloud posture audit tools like [prowler](https://github.com/prowler-cloud/prowler)  behind an higher level abstraction in order to execute the tools in parallel on multiple customer's public cloud accounts.  
+
+> **Warning**
+> This tools makes API calls to cloud provider endpoints and services: these calls may be billed by the provider.  
+
+As of right now this only work with `aws`, `azure` and `gcp` and uses json files to store customer credentials (inside the `credentials` folder).  
+The *aws* credentials file is called `aws-credentials.json` and it is structured like this:  
+
+```json
+{
+    "customers": [
+        {
+            "customer_name": "foo",
+            "REGIONS": ["region-1", "region-2"],
+            "SERVICES": ["aws_service_1", "aws_service_2"],
+            "AWS_ACCESS_KEY_ID": "foo-access-key-here",
+            "AWS_SECRET_ACCESS_KEY": "foo-secret-access-key-here",
+        },
+        {
+            "customer_name": "donald",
+            "REGIONS": ["region-1", "region-2", "region-3"],
+            "SERVICES": ["aws_service_1", "aws_service_2", "aws_service_3"],
+            "AWS_ACCESS_KEY_ID": "donald-access-key-here",
+            "AWS_SECRET_ACCESS_KEY":"donald-secret-access-key-here"
+        }
+
+    ]
+}
+```   
+
+The *azure* credentials file is called `azure-credentials.json` and it is structured like this:  
+
+```json
+{
+    "customers": [
+        {
+            "customer_name": "foo",
+            "SERVICES": ["defender", "iam"],
+            "AZURE_CLIENT_ID": "foo-client-id-here",
+            "AZURE_CLIENT_SECRET": "foo-client-secret-here",
+            "AZURE_TENANT_ID": "foo-tenant-id-here",
+            "AZURE_SUBSCRIPTION_ID":
+            ["foo-subscription-id-1-here"]
+        },
+        {
+            "customer_name": "donald",
+            "SERVICES": ["defender", "iam"],
+            "AZURE_CLIENT_ID": "donald-client-id-here",
+            "AZURE_CLIENT_SECRET": "donald-client-secret-here",
+            "AZURE_TENANT_ID": "donald-tenant-id-here",
+            "AZURE_SUBSCRIPTION_ID":
+            ["donald-subscription-id-1-here", "donald-subscription-id-2-here"]
+        }
+
+    ]
+}
+```   
+
+
+The *gcp* credentials file is called `gcp-credentials.json` and it is structured like this:  
+
+```json
+{
+    "customers": [
+        {
+            "customer_name": "customer-name-here",
+            "SERVICES": ["iam", "dns"],
+            "GOOGLE_APPLICATION_CREDENTIALS": "path-to-gcp-sa-json-file-here (eg. credentials/gcp/customer1-gcp-sa.json)"
+        },
+        {
+            "customer_name": "customer-name-here",
+            "SERVICES": ["iam", "dns"],
+            "GOOGLE_APPLICATION_CREDENTIALS": "path-to-gcp-sa-json-file-here (eg. credentials/gcp/customer2-gcp-sa.json)"
+        }
+
+    ]
+}
+```   
+
+> **Note**  
+> To inspect available services with prowler run `prowler {provider} --list-services`  
+
+This also want a path to the json file containing all the data for google service account authentication.  
+You can put the files for every sa of every customer inside the `credentials/gcp` folder, and then reference them  
+via the `GOOGLE_APPLICATION_CREDENTIALS` property of the `gcp-credentials.json` file.  
+
+In the future, when the tool will become more mature, it will be almost mandatory to use a proper database engine.  
+
+> **Note**
+> Before launching the tool remember to install dependencies with `pip3 install -r requirements.txt`  
+
+To launch the tool simply configure the various cloud provider credentials files and then use the following command:  
+```console
+python3 cloudit.py
+```  
+
+When a new git tag is pushed, for example:  
+```console
+ git tag -a v0.0.8 -m "0.0.8" && git push origin v0.0.8
+```  
+A [github action](https://github.com/rooted-io/cloudit/blob/main/.github/workflows/release.yaml) is triggered to produce a github release and a new OCI image that is pushed [here](https://packages).  
+
+
+
+
+At the current time the tool produce for every customer-provider tuple a report in `csv`, `json` and `html` formats (3 files for every report).  
+We are most interested in the html one, here is an example:  
+<img src="docs/images/report-html.png" alt="Report" style="max-width:100%;">
+
+
+