v0.3.0: industry-standard scanner — CIS/MITRE/CWE, SARIF, offline manifests, CI#3
Closed
SnailSploit wants to merge 4 commits into
Closed
v0.3.0: industry-standard scanner — CIS/MITRE/CWE, SARIF, offline manifests, CI#3SnailSploit wants to merge 4 commits into
SnailSploit wants to merge 4 commits into
Conversation
KubeRoast 0.3.0 brings the tool up to industry-standard expectations
for a Kubernetes security scanner used in CI/CD pipelines.
Compliance enrichment
- Map every finding ID to CIS Kubernetes Benchmark v1.9 controls,
MITRE ATT&CK for Containers techniques, and CWE weakness IDs.
- New `--no-compliance` flag to opt out.
- 30+ finding IDs covered in kuberoast/utils/compliance.py.
Output formats
- SARIF v2.1.0 (`--report sarif`) for GitHub code scanning, Azure
DevOps, and any consumer of the OASIS SARIF spec. Severity mapped
to SARIF level + numeric security-severity score.
- JUnit XML (`--report junit`) for Jenkins / GitLab / CircleCI test
dashboards; critical → <error>, high → <failure>.
- CSV (`--report csv`) for analytics and spreadsheets.
- HTML reporter rebuilt with severity stat cards and CIS/MITRE/CWE
chips per finding.
Offline manifest scanning
- `--manifests <dir|file>` scans YAML/JSON manifests with no live
cluster required. Supports Pod, Deployment, StatefulSet, DaemonSet,
Job, CronJob, ReplicaSet, ReplicationController, RBAC, Secret,
Service, Ingress, Namespace, and CRD kinds.
- ManifestObject wraps raw dicts with snake_case attribute access so
existing scanners work unchanged against parsed manifests.
DevOps / packaging
- Multi-stage non-root Dockerfile.
- GitHub Actions: matrix tests on Python 3.9-3.12, ruff lint, build,
Docker image build; example security-scan workflow that uploads
SARIF to GitHub code scanning.
- Dependabot config for pip / Actions / Docker.
- Makefile with install/dev/test/coverage/lint/format/build/docker.
- Issue templates, PR template, CONTRIBUTING.md, SECURITY.md,
CHANGELOG.md.
- Example insecure manifests under examples/ for demos and CI.
CLI improvements
- `--version`, `-q/--quiet`, ISO-8601 structured log timestamps.
- Cleaner argument grouping; unified file-output validation across
html/sarif/junit/csv.
Tests
- 40 new tests across compliance, SARIF, JUnit/CSV, manifest
loading/scanning, and end-to-end CLI flows.
- Total: 78 tests passing, 67% coverage.
- ruff lint configured and clean.
Backwards-compatible at the CLI layer: existing
`--report {json,text,html}` flows continue to work unchanged.
https://claude.ai/code/session_016WRffVd3LCjiSdC6qb7Yyk
… schema
Expands test coverage from 78 to 146 tests across six new categories that
mirror what production-grade open-source security tooling typically ships:
End-to-end golden tests (tests/test_e2e_examples.py)
- Run the CLI against the bundled examples/ manifests and assert the
expected finding IDs, compliance enrichment coverage, and exit codes.
- Parametrised over every output format to lock in non-empty output.
Property-based fuzzing (tests/test_property_manifests.py)
- Hypothesis strategies generate random valid Pod / Service / Ingress /
ClusterRole manifests; scanners must never crash and Findings must
always carry valid IDs / severities / categories.
- Negative cases: garbage YAML, empty files, deeply-nested pod specs.
Scanner contract tests (tests/test_scanner_contracts.py)
- Run every scanner against a comprehensive bad-fixture, then enforce a
shared shape contract: ID format, severity ∈ {info..critical},
category ∈ allowed set, non-empty remediation, JSON-serialisable.
- Validate MITRE / CIS / CWE reference formats with regex.
- Internal consistency check on COMPLIANCE_MAP entries.
Severity matrix (tests/test_severity_matrix.py)
- 20 parametrised cases for --fail-on × --min-severity interactions,
plus the --no-compliance opt-out and clean-pod fast paths.
SARIF schema validation (tests/test_sarif_schema.py)
- Bundle the official OASIS SARIF v2.1.0 JSON schema and validate
emitted SARIF (empty / single / multi finding) with jsonschema.
- Tool-driver and result-shape sanity assertions.
Performance regression (tests/test_performance.py)
- Generous wall-clock thresholds across pods (100/1000), 500-role
RBAC scans, attack-path analysis with 200 principals, and emit
scaling for JSON / SARIF / CSV.
- Marked with `pytest.mark.performance`; deselect with
`pytest -m "not performance"`. CI runs them as a non-blocking job.
Tooling
- Add hypothesis + jsonschema to dev deps.
- Register `performance` pytest marker.
- New Makefile targets: `test-fast`, `test-perf`.
- CI splits matrix tests from perf tests; perf job uses
continue-on-error so slow runners don't fail the matrix.
Final tally: 146 passing (137 fast + 9 perf) in ~3s; ruff clean.
https://claude.ai/code/session_016WRffVd3LCjiSdC6qb7Yyk
…resh Visual polish across the entire surface area: terminal, web report, and docs. No behavior changes for machine-readable outputs (JSON / SARIF / JUnit / CSV remain byte-identical). CLI banner & colors - New kuberoast/utils/style.py with NO_COLOR / KUBEROAST_NO_COLOR / FORCE_COLOR-aware ANSI helpers and a 256-color severity palette. - ASCII banner shown on interactive --report text/html runs; suppressed by --quiet, --no-banner, when stderr is not a TTY, or when piping. - New --no-banner flag. Text reporter - Color-coded severity headers, glyphs (✖ ▲ ● ○ ·), aligned label columns, green-tinted remediation, cyan compliance refs. - Cleaner "Found N issues — 3 critical · 4 high · 5 medium" summary. - Auto-disables colors when piping to a file or NO_COLOR is set. HTML reporter - New gradient-conic logo mark, generation timestamp, severity- proportional progress bar, accent-colored stat cards. - Highlighted remediation block, themed compliance chips, monospace resource cells, mobile-responsive layout. README - Big ASCII banner + "What it looks like" terminal demo block. - Larger badges, organized into primary (version/tests/license) and capability rows (SARIF / CIS / MITRE / CWE). Tests - 13 new style tests (banner, NO_COLOR, FORCE_COLOR, KUBEROAST_NO_COLOR, TTY detection, severity badges). - Updated 1 reporting test for the new "issues" summary phrasing. - Total: 159 passing, ruff clean. https://claude.ai/code/session_016WRffVd3LCjiSdC6qb7Yyk
docs: add canonical-doc backlink to snailsploit.com
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closing as superseded by PR #5 (
v0.4.0: offensive refocus).This PR pursued the compliance-scanner direction — SARIF / CIS Benchmark / MITRE-mappings / JUnit / CSV / GitHub code-scanning integration. That direction was explicitly rejected in favour of offensive depth: concrete attacker primitives, multi-hop escalation chains, cloud-account pivots, version→CVE correlation, and active control-plane / kubelet probes. Compliance lint is now hidden by default in PR #5 behind
--include-hygiene.Nothing from this PR is being merged. The work that overlaps (offline manifest scanning, CI plumbing) was reimplemented in PR #5 in the new style.
Branch
claude/industry-standard-tool-rfr9Cwill be deleted after this close.