Skip to content

schmug/scubascore

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
templates
templates
 
 
.auto-claude-security.json
.auto-claude-security.json
 
 
.auto-claude-status
.auto-claude-status
 
 
.claude_settings.json
.claude_settings.json
 
 
.dockerignore
.dockerignore
 
 
.env.example
.env.example
 
 
.gitignore
.gitignore
 
 
DOCKER-VERIFICATION.md
DOCKER-VERIFICATION.md
 
 
Dockerfile
Dockerfile
 
 
E2E_VERIFICATION_REPORT.md
E2E_VERIFICATION_REPORT.md
 
 
GEMINI.md
GEMINI.md
 
 
QUICK-START.md
QUICK-START.md
 
 
README.md
README.md
 
 
README.txt
README.txt
 
 
VERIFICATION-STATUS.md
VERIFICATION-STATUS.md
 
 
app.py
app.py
 
 
compensating.yaml
compensating.yaml
 
 
docker-compose.yml
docker-compose.yml
 
 
manual_e2e_test.sh
manual_e2e_test.sh
 
 
profile_config.yaml
profile_config.yaml
 
 
requirements.txt
requirements.txt
 
 
scubascore.py
scubascore.py
 
 
service_weights.yaml
service_weights.yaml
 
 
service_weights_m365.yaml
service_weights_m365.yaml
 
 
test-e2e.sh
test-e2e.sh
 
 
test_e2e_profile_switching.py
test_e2e_profile_switching.py
 
 
test_scuba_results.json
test_scuba_results.json
 
 
weights.yaml
weights.yaml
 
 

Repository files navigation

SCuBA Scoring Kit

Project Overview

The SCuBA Scoring Kit is a Python-based utility designed to score security compliance results generated by CISA's ScubaGoggles tool. It transforms raw compliance data into a quantified risk score, allowing organizations to measure their security posture against the SCuBA (Secure Cloud Business Applications) framework.

The tool processes ScubaGoggles JSON output, applies a customizable risk model (assigning weights to specific rules and services), and accounts for compensating controls.

Key Features

  • Scoring Logic: Calculates weighted scores based on rule compliance (PASS/FAIL) and rule severity.
  • Service Aggregation: Aggregates scores by service (e.g., Gmail, Drive, Common) and computes a weighted overall score.
  • Compensating Controls: Supports partial credit (50%) for failed checks that have documented compensating controls.
  • Multi-Format Reporting: Generates results in JSON, CSV, and HTML formats.
  • Schema Tolerance: Designed to be robust against variations in the input JSON structure.

Architecture & Files

  • scubascore.py: The main entry point and core logic script. It handles data ingestion, normalization, scoring, and report generation.
  • weights.yaml: Defines the risk weight for individual rules or prefixes (e.g., Critical=5, High=3).
  • service_weights.yaml: Defines the relative importance of each service (e.g., Gmail=20%, Meet=5%) to the overall score.
  • compensating.yaml: Lists rules that should receive partial credit even if they fail, due to external mitigations.

Setup & Requirements

  • Python 3.6+
  • Dependencies: PyYAML (required for parsing configuration files).
pip install pyyaml

Usage

The tool is executed via the command line. It requires an input JSON file from ScubaGoggles and paths to the configuration YAML files.

Basic Command

python scubascore.py \
  --input ScubaResults-XXXX.json \
  --weights weights.yaml \
  --service-weights service_weights.yaml \
  --compensating compensating.yaml \
  --out-prefix results/tenant_scuba

Arguments

  • --input: Path to the ScubaGoggles JSON results file.
  • --weights: Path to the rule weights configuration (optional, defaults to internal logic if omitted).
  • --service-weights: Path to the service weights configuration (optional, defaults provided).
  • --compensating: Path to the compensating controls configuration (optional).
  • --out-prefix: Directory and filename prefix for output files (e.g., results/report creates results/report_scores.json, etc.).

Configuration Details

1. weights.yaml

Maps specific rule IDs or prefixes to numeric weights.

  • Specific Match: gws.gmail.dmarc_enforced: 5
  • Prefix Match: gws.calendar.: 1 (Applied if no specific match is found).

2. service_weights.yaml

Defines the contribution of each service to the global score. The values usually sum to 1.0 (or are normalized). Example:

service_weights:
  gmail: 0.20
  drive: 0.20
  common: 0.20
  ...

3. compensating.yaml

A list or map of rule IDs. If a rule listed here has a FAIL verdict, it contributes 50% of its weight to the score (instead of 0%).

Outputs

The tool generates three files based on the --out-prefix:

  1. _scores.json: Detailed data structure containing overall score, per-service scores, and specific pass/fail lists.
  2. _scores.csv: A summary table of service scores, useful for spreadsheets.
  3. _summary.html: A visual executive summary report.

Web Dashboard

A Flask-based web server is included to facilitate scoring, track progress, and manage configuration.

Features

  • Web Interface: A user-friendly dashboard to upload ScubaGoggles results.
  • Interactive Charts: Click on data points to drill down into per-service pass/fail lists.
  • Top Recommendations: Automatically identifies the top 5 high-impact fixes.
  • Configuration Editor: Modify weights.yaml and service_weights.yaml directly via the /settings page.
  • Automated Ingestion:
    • Folder Watcher: Place JSON files in the autoload/ directory. They will be automatically processed every 60 seconds.
    • Webhook: POST JSON results to /webhook for CI/CD integration.

API Endpoints

  • POST /score: Submit JSON results, return calculated score and top failures.
  • GET /score: Retrieve scoring history.
  • GET /score/<id>: Retrieve full details for a specific historical score.
  • POST /webhook: Headless endpoint for ingesting results. Returns simple status JSON.

Running the Server

  1. Install Dependencies:

    pip install -r requirements.txt

  2. Start the App:

    python app.py

  3. Access the Dashboard: Open your browser and navigate to http://localhost:5000.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages