Overview ¶
Package scorecard handles the generation of "scores" for GCP infrastructure. It uses a combination of:
- Cloud Asset Inventory: https://cloud.google.com/resource-manager/docs/cloud-asset-inventory/overview
- Config Validator: https://github.com/forseti-security/config-validator
Constants ¶
This section is empty.
Variables ¶
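// Cmd represents the base scorecard command.
//
// PreRunE enforces that exactly one inventory source is supplied (a GCS
// bucket via --bucket, or a local directory via --dir-path). RunE then builds
// the CAI inventory, loads the Config Validator policy library and writes the
// scorecard to the configured output path and format.
var Cmd = &cobra.Command{
	Use:   "scorecard",
	Short: "Print a scorecard of your GCP environment",
	Long: `Print a scorecard of your GCP environment, for resources and IAM policies
in Cloud Asset Inventory (CAI) exports, and constraints and constraint templates
from Config Validator policy library.

Example:
  cft scorecard --policy-path <path-to>/policy-library \
    --bucket <name-of-bucket-containing-cai-export>

Or:
  cft scorecard --policy-path <path-to>/policy-library \
    --dir-path <path-to-directory-containing-cai-export>

As of now, CAI export file names need to be resource_inventory.json and/or iam_inventory.json
`,
	// All input comes from flags; positional arguments are rejected.
	Args: cobra.NoArgs,
	PreRunE: func(cmd *cobra.Command, args []string) error {
		haveBucket := flags.bucketName != ""
		haveDir := flags.dirPath != ""
		// Neither source set, or both set, is a usage error; exactly one is required.
		if haveBucket == haveDir {
			return fmt.Errorf("exactly one of --bucket or --dir-path must be set")
		}
		return nil
	},
	RunE: func(cmd *cobra.Command, args []string) error {
		cmd.Println("Generating CFT scorecard")

		// The control project is passed to NewInventory as the project that
		// holds inventory data; fall back to the target project when it is
		// not configured so a single-project run needs no extra setting.
		controlProjectID := viper.GetString("google_project")
		if controlProjectID == "" {
			controlProjectID = flags.targetProjectID
			Log.Info("No control project specified, using target project", "project", controlProjectID)
		}

		inventory, err := NewInventory(controlProjectID, flags.bucketName, flags.dirPath, TargetProject(flags.targetProjectID))
		if err != nil {
			return err
		}

		config, err := NewScoringConfig(flags.policyPath)
		if err != nil {
			return err
		}

		// Score writes the scorecard itself; its error is the command's result.
		return inventory.Score(config, flags.outputPath, viper.GetString("output-format"))
	},
}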
Cmd represents the base scorecard command
var Log = log.New()
Scorecard log15 handler
Functions ¶
This section is empty.
Types ¶
type InventoryConfig ¶
// InventoryConfig manages a CAI inventory. Construct it with NewInventory
// (optionally passing Option values), then call Export to produce the
// inventory export or Score to generate a scorecard from it.
type InventoryConfig struct {
// contains filtered or unexported fields
}
InventoryConfig manages a CAI inventory
func NewInventory ¶
func NewInventory(projectID string, bucketName string, dirPath string, options ...Option) (*InventoryConfig, error)
NewInventory creates a new CAI inventory manager
func (*InventoryConfig) Export ¶
func (inventory *InventoryConfig) Export() error
Export creates a new inventory export
func (*InventoryConfig) Score ¶
func (inventory *InventoryConfig) Score(config *ScoringConfig, outputPath string, outputFormat string) error
Score creates a Scorecard for an inventory
type Option ¶
// Option configures an InventoryConfig; values are passed as the variadic
// options argument of NewInventory (see ControlProject and TargetProject).
type Option func(*InventoryConfig)
Option for NewInventory
func ControlProject ¶
ControlProject sets the project for storing inventory data
func TargetProject ¶
TargetProject sets the project for storing inventory data
type RichViolation ¶
// RichViolation holds a violation with its category. Instances are built by
// NewRichViolation from a validator.Violation and a category name.
type RichViolation struct {
Category string // category of violation
Resource string // NOTE(review): presumably the resource the violation applies to — confirm against NewRichViolation
Message string // NOTE(review): presumably the violation's human-readable message — confirm against NewRichViolation
Metadata *_struct.Value `protobuf:"bytes,4,opt,name=metadata,proto3" json:"metadata,omitempty"` // protobuf Value carried through as-is; omitted from JSON when nil
}
RichViolation holds a violation with its category
func NewRichViolation ¶
func NewRichViolation(categoryName string, violation *validator.Violation) (*RichViolation, error)
NewRichViolation creates a new RichViolation
type ScoringConfig ¶
// ScoringConfig holds settings for generating a score. Create it with
// NewScoringConfig and pass it to (*InventoryConfig).Score.
type ScoringConfig struct {
PolicyPath string // the directory path of a policy library to use
// contains filtered or unexported fields
}
ScoringConfig holds settings for generating a score
func NewScoringConfig ¶
func NewScoringConfig(policyPath string) (*ScoringConfig, error)
NewScoringConfig creates a scoring engine for the given policy library