Pod security
import sys
import yaml
import csv
from collections import defaultdict
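def check_security_best_practices(deployment, stats, *, include_init_containers=False):
    """Audit the containers of one Deployment against four pod-hardening checks.

    For every container the effective ``securityContext`` is computed by
    overlaying the container-level block on the pod-level block (container
    keys win), and the following findings are recorded:

    * ``runAsNonRoot`` is not ``true``          -> "Container is configured to run as root"
    * ``readOnlyRootFilesystem`` is not ``true``-> "Root filesystem is not read only"
    * ``allowPrivilegeEscalation`` not ``false``-> "Privilege escalation is allowed"
    * ``capabilities.drop`` lacks ``"ALL"``      -> "Not all dangerous Linux capabilities are dropped"

    The first, third and fourth mirror the Pod Security Standards "restricted"
    profile; a read-only root filesystem is an additional hardening expectation.

    Args:
        deployment: A Deployment manifest as parsed YAML/JSON (nested dicts).
        stats: Mapping of issue text -> int, incremented once per *container*
            that exhibits the issue (mutated in place). Must tolerate unseen
            keys via ``stats[key] += 1``, e.g. ``collections.defaultdict(int)``.
        include_init_containers: Also audit ``spec.template.spec.initContainers``.
            Off by default so existing callers keep their counts; init
            containers carry the same ``securityContext`` fields and are
            otherwise never inspected by this script.

    Returns:
        ``(security_issues, container_count)``. ``security_issues`` maps each
        issue text to ``'Yes'`` when at least one audited container has it and
        defaults to ``'No'`` for any other key; ``container_count`` is the
        number of containers audited.

    Notes:
        * Only ``runAsNonRoot`` is consulted: a container with a nonzero
          ``runAsUser`` but without ``runAsNonRoot: true`` is still reported
          as running as root.
        * ``privileged``, ``hostPID``/``hostNetwork``/``hostIPC``,
          ``hostPath`` volumes and ``capabilities.add`` are not inspected.
        * A null value (an empty ``securityContext:``/``capabilities:``/
          ``drop:`` key in YAML parses as ``None``) is treated like an absent
          key instead of raising ``TypeError``.
        * A missing ``capabilities`` block and a ``capabilities`` block without
          ``drop`` are both flagged; the original nested if/else let one of
          those two cases through unflagged.
    """
    # `or {}` at every level: YAML `key:` with no value yields None, and
    # dict.get(key, {}) does not substitute the default for an explicit None.
    pod_spec = ((deployment.get('spec') or {}).get('template') or {}).get('spec') or {}
    pod_security_context = pod_spec.get('securityContext') or {}

    containers = list(pod_spec.get('containers') or [])
    if include_init_containers:
        containers.extend(pod_spec.get('initContainers') or [])

    security_issues = defaultdict(lambda: 'No')

    def record(issue):
        # Per-deployment flag plus per-container tally.
        security_issues[issue] = 'Yes'
        stats[issue] += 1

    for container in containers:
        # Container-level settings override pod-level ones.
        security_context = {
            **pod_security_context,
            **(container.get('securityContext') or {}),
        }

        if not security_context.get('runAsNonRoot', False):
            record("Container is configured to run as root")
        if not security_context.get('readOnlyRootFilesystem', False):
            record("Root filesystem is not read only")
        # Kubernetes treats an unset allowPrivilegeEscalation as permitted,
        # so only an explicit false passes this check.
        if security_context.get('allowPrivilegeEscalation', True):
            record("Privilege escalation is allowed")
        capabilities = security_context.get('capabilities') or {}
        if 'ALL' not in (capabilities.get('drop') or []):
            record("Not all dangerous Linux capabilities are dropped")

    return security_issues, len(containers)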
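# Column order for the per-deployment CSV. Each entry must match, byte for
# byte, an issue string emitted by check_security_best_practices, because it
# is the lookup key into that function's per-deployment result.
ISSUES = [
    "Container is configured to run as root",
    "Root filesystem is not read only",
    "Privilege escalation is allowed",
    "Not all dangerous Linux capabilities are dropped",
]


def _iter_deployments(documents):
    """Yield each Deployment object from a sequence of parsed YAML documents.

    Accepts both a ``kind: List`` wrapper (what ``kubectl get deploy -o yaml``
    emits) and bare Deployment documents, and skips empty documents (a
    trailing ``---`` parses as ``None``, which the original indexed blindly).
    """
    for doc in documents:
        if doc is None:
            continue
        items = doc.get('items') if 'items' in doc else [doc]
        for item in items or []:
            yield item


def main():
    """Read Deployment YAML from stdin; write the CSV to stdout, totals to stderr.

    Only the CSV goes to stdout so the output can be redirected straight to a
    file. The summary lines are written to stderr; the original printed them
    to stdout after the CSV rows, corrupting the CSV when redirected.
    """
    # Per-container tallies of each issue, filled in by
    # check_security_best_practices (mutated in place).
    stats = defaultdict(int)
    total_deployments = 0
    total_containers = 0

    # safe_load_all only: cluster output is not trusted input, and yaml.load
    # can instantiate arbitrary Python objects from a crafted document.
    deployments_data = yaml.safe_load_all(sys.stdin.read())

    csv_writer = csv.writer(sys.stdout)
    # 'Requires heightened security' is deliberately left blank per row for a
    # reviewer to fill in by hand.
    csv_writer.writerow(
        ['product', 'component', 'Deployment', 'Namespace', 'Requires heightened security'] + ISSUES
    )

    for deployment_data in _iter_deployments(deployments_data):
        # `or {}`: an empty `metadata:` / `labels:` key parses as None, and
        # dict.get(key, {}) does not substitute the default for None.
        metadata = deployment_data.get('metadata') or {}
        labels = metadata.get('labels') or {}

        security_issues, container_count = check_security_best_practices(deployment_data, stats)

        csv_writer.writerow(
            [
                labels.get('product', ''),
                labels.get('component', ''),
                metadata.get('name', ''),
                metadata.get('namespace', ''),
                '',
            ]
            + [security_issues[issue] for issue in ISSUES]
        )
        total_deployments += 1
        total_containers += container_count

    print("Total Deployments: ", total_deployments, file=sys.stderr)
    print("Total Containers: ", total_containers, file=sys.stderr)
    for issue in ISSUES:
        print("Total {} issues: {}".format(issue, stats[issue]), file=sys.stderr)
        # Empty input has zero containers; the original divided by zero here.
        pct = stats[issue] / total_containers * 100 if total_containers else 0.0
        print("Percentage of Containers with {}: {:.2f}%".format(issue, pct), file=sys.stderr)


if __name__ == "__main__":
    main()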