Engine integration

.github/workflows/Collecter.yml

@@ -0,0 +1,41 @@
+name: Run Collector
+
+on:
+  push:
+    branches: [Compliance-Engine]
+
+jobs:
+  run-collector:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install deps
+        run: pip install google-api-python-client google-auth google-auth-httplib2 google-auth-oauthlib
+
+      - name: Run GCP Access Collector
+        env: 
+          GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
+        run: |
+          python3 engine/GCPAccess.py
+          mv iam_policy.json test-configs/iam_policy.json
+          mv networks.json test-configs/networks.json
+
+      - name: Commit and push IAM policy & networks config
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add test-configs/iam_policy.json
+          git add test-configs/networks.json
+          git diff --cached --quiet && echo "No changes to commit" || git commit -m "Update iam_policy.json & networks.json"
+          git push origin Compliance-Engine
+

.github/workflows/gryp.yml

@@ -0,0 +1,53 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
+# code scanning feature.  For more information on the Anchore scan action usage
+# and parameters, see https://github.com/anchore/scan-action. For more
+# information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+name: Anchore Grype vulnerability scan
+
+on:
+  push:
+    branches: [Compliance-Engine]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [Compliance-Engine]
+  schedule:
+    - cron: '37 20 * * 4'
+
+permissions:
+  contents: read
+
+jobs:
+  Anchore-Build-Scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the code
+      uses: actions/checkout@v4
+
+    - name: Build the Docker image
+      run: docker build -t compliance-engine-workflows:latest -f docker/engine.Dockerfile .
+
+    - name: Run the Anchore Grype scan action
+      uses: anchore/scan-action@v3
+      id: scan
+
+      with:
+        image: docker:compliance-engine-workflows:latest
+        fail-build: true
+        severity-cutoff: critical
+
+    - name: Upload vulnerability report
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarif }}

engine/README.md

@@ -1 +1 @@
-# AutoAudit Engine Team
+# AutoAudit

engine/docker/engine.Dockerfile

@@ -2,8 +2,8 @@ FROM python:3.11-slim
 
 WORKDIR /app
 
-COPY engine/engine/ ./engine/
-COPY engine/rules/ ./rules/
-COPY engine/test-configs/ ./test-configs/
+COPY engine/ ./engine/
+COPY rules/ ./rules/
+COPY test-configs/ ./test-configs/
 
 CMD ["python", "engine/main.py"]

engine/engine/.trigger

@@ -1 +1,2 @@
 abcdaas
+a

engine/engine/GCPAccess.py

@@ -0,0 +1,36 @@
+from google.oauth2 import service_account
+from googleapiclient.discovery import build
+from google.auth import default
+import json 
+import os
+
+service_account_info = json.loads(os.environ["GCP_CREDENTIALS"])
+creds = service_account.Credentials.from_service_account_info(
+    service_account_info,
+    scopes=["https://www.googleapis.com/auth/cloud-platform"],
+)
+
+crm_policy = build("cloudresourcemanager", "v3", credentials=creds)
+crm_compute = build("compute", "v1", credentials=creds)
+
+project_id = "coastal-stone-470308-a0"
+res_name = f"projects/{project_id}"
+
+policy = crm_policy.projects().getIamPolicy(
+    resource=res_name,
+    body={"options": {"requestedPolicyVersion": 3}}
+).execute()
+
+networks = []
+req = crm_compute.networks().list(project=project_id)
+while req is not None:
+    resp = req.execute()
+    networks.extend(resp.get("items", []))
+    req = crm_compute.networks().list_next(previous_request=req, previous_response=resp)
+
+with open("iam_policy.json", "w") as f:
+    json.dump(policy, f, indent=2)
+
+with open("networks.json", "w") as f:
+    json.dump(networks, f, indent=2)
+

engine/engine/Helpers.rego

@@ -0,0 +1,32 @@
+package AutoAudit_tester.engine.Helpers
+
+import future.keywords.in
+
+get(path) = v if {
+  parts := split(path, ".")
+  some i
+  pv := walk(input)[i]
+  p := pv[0]
+  v := pv[1]
+  p == parts
+}
+equals(path, expected) if {
+  get(path) == expected
+}
+
+in_whitelist(path, allowed) if {
+  val := get(path)
+  val in allowed
+}
+not_in_blacklist(path, blocked) if {
+  val := get(path)
+  not val in blocked
+}
+status(bool) = s if {
+  bool
+  s := "Compliant"
+}
+status(bool) = s if {
+  not bool
+  s := "NonCompliant"
+}

engine/engine/main.py

@@ -1,95 +1,67 @@
 import json
 import os
 
+def load_mock_config(path="test-configs/compliant.json"):
+    with open(path) as f:
+        return json.load(f)
+
 
-# Load a JSON config file (mock tenant settings)
-def load_config(path="test-configs/compliant.json"):
-    """Load the configuration JSON file. Returns an empty dict if file not found or invalid."""
-    try:
-        with open(path) as f:
-            return json.load(f)
-    except FileNotFoundError:
-        print(f"❌ Config file not found: {path}")
-        return {}
-    except json.JSONDecodeError:
-        print(f"❌ Invalid JSON in config file: {path}")
-        return {}
-
-
-# Load all JSON rules from the rules directory
 def load_rules(directory="rules"):
-    """Load all JSON rules from the given directory. Skips invalid files."""
     rules = []
-    if not os.path.exists(directory):
-        print(f"❌ Rules directory not found: {directory}")
-        return rules
-
     for file in os.listdir(directory):
         if file.endswith(".json"):
-            try:
-                with open(os.path.join(directory, file)) as f:
-                    rule = json.load(f)
-                    # Validate required keys
-                    if all(k in rule for k in ("id_level_2", "tags", 
-                                               "expected_value", "evaluation_path", 
-                                               "description")):
-                        rules.append(rule)
-                    else:
-                        print(f"⚠️ Skipping {file}: Missing required keys")
-            except json.JSONDecodeError:
-                print(f"⚠️ Invalid JSON in {file}")
+            with open(os.path.join(directory, file)) as f:
+                rule = json.load(f)
+                rules.append(rule)
     return rules
 
-
-# Helper to get nested value using dot notation (e.g. "azure_ad.mfa_status")
 def get_value_from_path(config, path):
-    """Extract a value from nested JSON using a dot-separated path."""
-    keys = path.split(".")
-    for key in keys:
-        if isinstance(config, dict):
-            config = config.get(key, {})
+    placeholder_value = config
+    for key in path.split("."):
+        if isinstance(placeholder_value, dict):
+            placeholder_value = placeholder_value.get(key, {})
         else:
             return None
-    return config if config != {} else None
-
+    return placeholder_value
+ 
 
-# Evaluate one rule against the config
 def evaluate_rule(rule, config):
-    """Compare the expected setting with the actual config value."""
     expected = rule.get("expected_value")
     value = get_value_from_path(config, rule.get("evaluation_path"))
 
     if value == expected:
         return True, "Pass"
     return False, f"{rule['tags']} = {value}, expected {expected}"
 
-
-# Main function to run all rules and show results
 def main():
-    config = load_config()  # Load tenant configuration
-    rules = load_rules()    # Load all CIS rules
-
-    if not config or not rules:
-        print("❌ No config or rules found. Exiting.")
-        return
+    config = load_mock_config() 
+    rules = load_rules()
 
     passed, failed = 0, 0
 
     for rule in rules:
         result, reason = evaluate_rule(rule, config)
         status = "PASS" if result else "FAIL"
-        print(f"[{status}] {rule['id_level_2']} - {rule['description']}")
+        print(f"[{status}] {rule['id_level_2']} - {rule['title']}")
+
         if not result:
-            print(f"  Reason: {reason}")
+            print("")
+            print("  --- Cause of Failure ---")
+            print(f"  Description : {rule['description']}")
+            print(f"  Reason      : {reason}")
+            print(f"  Remediation : {rule['remediation']}")
+            print("")
+            print("  --- Risk Assessment ---")
+            print(f"  Risk Level  : {rule['risk']}")
+            print(f"  Impact      : {rule['impact']}")
+            print(f"  Likelihood  : {rule['likelihood']}")
+            print(f"  Overall     : {rule['risk_level']}")
+        print("-------------------------------------------------------------------")
+
         passed += result
         failed += not result
 
-
-    # Summary output
-    print("\n📊 Summary:")
-    print(f"  Total Rules: {len(rules)}")
-    print(f"  ✅ Passeds: {passed}")
-    print(f"  ❌ Failed: {failed}")
-
+    print(f"\nSummary: {passed} rules passed, {failed} rules failed")
+
 if __name__ == "__main__":
-    main()
+    main()

engine/iam_policy.json

@@ -0,0 +1,26 @@
+{
+  "version": 1,
+  "etag": "BwY9aQGbYhE=",
+  "bindings": [
+    {
+      "role": "roles/compute.serviceAgent",
+      "members": [
+        "serviceAccount:service-162922847862@compute-system.iam.gserviceaccount.com"
+      ]
+    },
+    {
+      "role": "roles/editor",
+      "members": [
+        "serviceAccount:162922847862@cloudservices.gserviceaccount.com",
+        "serviceAccount:sa-noperms@coastal-stone-470308-a0.iam.gserviceaccount.com",
+        "serviceAccount:162922847862-compute@developer.gserviceaccount.com"
+      ]
+    },
+    {
+      "role": "roles/owner",
+      "members": [
+        "user:AdityaHindocha3@gmail.com"
+      ]
+    }
+  ]
+}

engine/rules/1.1.1.json

@@ -12,6 +12,9 @@
   "evaluation_path": "user.OnPremisesSyncEnabled",
   "remediation": "Migrate hybrid admin accounts to new cloud-only accounts and update roles accordingly.",
   "risk": "High",
+  "impact": "Moderate",
+  "likelihood": "2",
+  "risk_level": "Low",
   "tags": [
     "MFA",
     "Identity",