
chore(deps): bump peter-evans/create-pull-request from 5 to 7 #7

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/peter-evans/create-pull-request-7


Conversation

@dependabot dependabot Bot commented on behalf of github Aug 31, 2025

Bumps peter-evans/create-pull-request from 5 to 7.

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v7.0.0

✨ Now supports commit signing with bot-generated tokens! See "What's new" below. ✍️🤖

Behaviour changes

  • Action input git-token has been renamed branch-token, to be more clear about its purpose. The branch-token is the token that the action will use to create and update the branch.
  • The action now handles requests that have been rate-limited by GitHub. Requests hitting a primary rate limit will retry twice, for a total of three attempts. Requests hitting a secondary rate limit will not be retried.
  • The pull-request-operation output now returns none when no operation was executed.
  • Removed deprecated output environment variable PULL_REQUEST_NUMBER. Please use the pull-request-number action output instead.

What's new

  • The action can now sign commits as github-actions[bot] when using GITHUB_TOKEN, or your own bot when using GitHub App tokens. See commit signing for details.
  • Action input draft now accepts a new value always-true. This will set the pull request to draft status when the pull request is updated, as well as on creation.
  • A new action input maintainer-can-modify indicates whether maintainers can modify the pull request. The default is true, which retains the existing behaviour of the action.
  • A new output pull-request-commits-verified returns true or false, indicating whether GitHub considers the signature of the branch's commits to be verified.

What's Changed

New Contributors

Full Changelog: peter-evans/create-pull-request@v6.1.0...v7.0.0

Create Pull Request v6.1.0

✨ Adds pull-request-branch as an action output.

What's Changed

... (truncated)

Commits
  • 271a8d0 fix: suppress output for some git operations (#3776)
  • 6f7efd1 test: update cpr-example-command
  • 13c47c5 build(deps-dev): bump prettier from 3.5.1 to 3.5.2 (#3754)
  • 63e5829 build(deps): bump @octokit/plugin-paginate-rest from 11.4.2 to 11.4.3 (#3753)
  • a92c90f build(deps-dev): bump eslint-import-resolver-typescript (#3752)
  • b23b62d build(deps-dev): bump ts-jest from 29.2.5 to 29.2.6 (#3751)
  • dd2324f fix: use showFileAtRefBase64 to read per-commit file contents (#3744)
  • 367180c ci: remove testv5 cmd
  • 25575a1 build: update distribution (#3736)
  • a56e7a5 build(deps): bump @octokit/core from 6.1.3 to 6.1.4 (#3711)
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5 to 7.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](peter-evans/create-pull-request@v5...v7)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
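A workflow step migrated from v5 to v7 that exercises the behaviour changes and new inputs and outputs listed in the release notes above, as an added example and not a workflow from this repository or from the action's own documentation. The repository layout, branch name, script path and workflow name are made up; `token`, `commit-message`, `title` and `branch` are the action's standard inputs that the excerpt does not list, and `sign-commits` is the v7 input behind the commit-signing feature the notes mention.

```yaml
name: regenerate-policy

on:
  workflow_dispatch:

# Both scopes are needed to push the branch and open the PR with GITHUB_TOKEN.
permissions:
  contents: write
  pull-requests: write

jobs:
  propose-update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Produce the change the PR should carry
        run: ./scripts/regenerate-policy.sh   # placeholder script, not from any real repo

      # v5 form, kept only for comparison (v7 no longer accepts these):
      #   - uses: peter-evans/create-pull-request@v5
      #     with:
      #       git-token: ${{ secrets.GITHUB_TOKEN }}
      #   ...and later steps read $PULL_REQUEST_NUMBER from the environment.
      - name: Open or update the pull request
        id: cpr
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # 'git-token' was renamed 'branch-token' in v7: the token used to create
          # and update the branch. Assumed equal to 'token' in this example.
          branch-token: ${{ secrets.GITHUB_TOKEN }}
          # v7 commit signing: with GITHUB_TOKEN the commits are signed as
          # github-actions[bot].
          sign-commits: true
          # New v7 value: keep the PR in draft on update as well as on creation.
          draft: always-true
          # New v7 input; default is true. Set false only if the branch must stay bot-only.
          maintainer-can-modify: true
          branch: bot/regenerate-policy
          commit-message: "chore: regenerate policy files"
          title: "chore: regenerate policy files"

      # 'pull-request-operation' is 'none' when nothing was created, updated or
      # closed; gate follow-up work on it rather than on the removed env var.
      # Outputs go through env so no expression is interpolated into the shell.
      - name: Report outcome
        if: steps.cpr.outputs.pull-request-operation != 'none'
        env:
          OP: ${{ steps.cpr.outputs.pull-request-operation }}
          NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
          BRANCH: ${{ steps.cpr.outputs.pull-request-branch }}
          VERIFIED: ${{ steps.cpr.outputs.pull-request-commits-verified }}
        run: echo "operation=$OP number=$NUMBER branch=$BRANCH verified=$VERIFIED"

      # Fail the job when GitHub did not verify the signature on the pushed commits.
      - name: Require verified commits
        if: >-
          steps.cpr.outputs.pull-request-operation != 'none' &&
          steps.cpr.outputs.pull-request-commits-verified != 'true'
        run: |
          echo "::error::commits on the PR branch are not verified"
          exit 1
```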
dependabot Bot commented on behalf of github Aug 31, 2025

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@sonarqubecloud

sonarqubecloud Bot commented Sep 1, 2025

remyluslosius added a commit that referenced this pull request Oct 1, 2025
- Add comprehensive PlatformDetectionService with advanced system capability analysis
- Support detection of 16 system capabilities: systemd, Docker, Podman, SELinux, AppArmor, FIPS, TPM, UEFI, virtualization, containers, Kubernetes, Snap, Flatpak, Wayland, X11
- Implement sophisticated platform compatibility checking with version ranges and exclusions
- Add PlatformInfo dataclass with 20+ system attributes including virtualization type, container runtime, security modules, desktop environment
- Support comprehensive version comparison logic for RHEL 8/9, Ubuntu 20.04/22.04/24.04, CentOS, Debian
- Include CompatibilityResult with scoring system and detailed warnings
- Add caching mechanism with configurable TTL for performance optimization
- Comprehensive CLI tool with detect, check, capabilities, and summary commands
- Export capabilities in JSON and text formats for integration
- Support multi-platform rule compatibility checking

Key Features:
- Advanced /etc/os-release parsing with fallback detection methods
- Container detection via /.dockerenv, cgroup analysis, and runtime detection
- Virtualization detection via systemd-detect-virt and DMI information
- Security module detection: SELinux status, AppArmor status, FIPS mode validation
- Package manager detection: DNF, YUM, APT, RPM, DEB, Snap, Flatpak, Pip
- Desktop environment detection: GNOME, KDE, XFCE, LXDE, MATE, Cinnamon
- Init system detection: systemd, sysvinit, upstart with process analysis
- Architecture and kernel version detection with error handling

Technical Implementation:
- Asynchronous detection with subprocess execution and file system analysis
- Compatibility scoring algorithm with weighted factors (platform: 0.4, version: 0.3, arch: 0.2, capabilities: 0.1)
- Version comparison supporting semantic versioning and Ubuntu date-based versions
- Capability-based requirements checking for FIPS compliance scenarios
- Platform range filtering for multi-version OS support without separate scans
- Comprehensive error handling and graceful degradation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
remyluslosius added a commit that referenced this pull request Oct 15, 2025
…Routing

Implements complete scan orchestration system that routes compliance checks
to appropriate scanners (OSCAP, Kubernetes, cloud APIs) and stores results
in MongoDB.

## New Components

### 1. MongoDB Models (scan_models.py - 280 lines)
- **ScanResult**: Complete scan execution record with rule-level results
- **ScanConfiguration**: Scan settings (target, framework, variables)
- **RuleResult**: Individual rule check result with status and message
- **ScanResultSummary**: Aggregated statistics (pass/fail/error counts)
- **ScanTarget**: Target system definition (SSH host, K8s cluster, cloud account)
- **ScanSchedule**: Future enhancement for recurring scans

### 2. Scanner Interface (base_scanner.py - 180 lines)
- **BaseScanner**: Abstract base class for all scanners
- **scan()**: Execute compliance checks against target
- **_calculate_summary()**: Aggregate rule results into summary
- **_group_by_severity()**: Breakdown by high/medium/low
- **_group_by_scanner()**: Breakdown by scanner type
- Custom exceptions: ScannerNotAvailableError, ScannerExecutionError

### 3. OSCAP Scanner (oscap_scanner.py - 380 lines)
- **OSCAPScanner**: Traditional OVAL-based compliance scanning
- Generates XCCDF benchmark from MongoDB rules
- Creates tailoring files for variable overrides
- Executes oscap (local) or oscap-ssh (remote)
- Parses XCCDF results XML into RuleResult objects
- Supports SSH-based remote scanning

### 4. Kubernetes Scanner (kubernetes_scanner.py - 280 lines)
- **KubernetesScanner**: YAML-based checks for K8s/OpenShift
- Queries Kubernetes API using kubectl + JSONPath
- Evaluates conditions: equals, not_equals, contains, exists, any_exist
- Supports OpenShift-specific resources (image.config.openshift.io)
- Compatible with kubeconfig-based authentication

### 5. Scanner Factory (scanners/__init__.py - 60 lines)
- **ScannerFactory**: Registry and factory for scanner instances
- get_scanner(scanner_type): Create scanner on demand
- register_scanner(): Plugin support for custom scanners
- Available scanners: oscap, kubernetes (more coming: aws_api, azure_api, gcp_api)

### 6. Scan Orchestrator (scan_orchestrator_service.py - 280 lines)
- **ScanOrchestrator**: Central coordinator for multi-scanner execution
- execute_scan(): Main entry point for scan execution
- Queries MongoDB for rules matching framework/version
- Groups rules by scanner_type
- Executes scanners in parallel with asyncio.gather()
- Aggregates results from all scanners
- Stores complete results in MongoDB

### 7. Scan API Endpoints (scans_api.py - 220 lines)
- **POST /api/v1/scans/execute**: Execute compliance scan
- **GET /api/v1/scans/{scan_id}**: Get scan result details
- **GET /api/v1/scans**: List scans with filters (status, pagination)
- **DELETE /api/v1/scans/{scan_id}**: Delete scan result
- **GET /api/v1/scans/statistics/summary**: Aggregated scan statistics

## Scan Execution Flow

```
1. User submits ScanConfiguration via API
   ↓
2. ScanOrchestrator queries MongoDB for rules
   ↓
3. Rules grouped by scanner_type:
   - oscap: 45 rules
   - kubernetes: 12 rules
   ↓
4. Scanners execute in parallel:
   ├─ OSCAPScanner:
   │  ├─ Generate XCCDF benchmark
   │  ├─ Generate tailoring file (if variables provided)
   │  ├─ Execute oscap-ssh on target
   │  └─ Parse results XML → RuleResults
   │
   └─ KubernetesScanner:
      ├─ For each rule:
      │  ├─ Query K8s API via kubectl
      │  ├─ Evaluate condition
      │  └─ Create RuleResult
      └─ Return results
   ↓
5. Orchestrator aggregates results:
   - Combine all RuleResults
   - Calculate summary statistics
   - Store in MongoDB
   ↓
6. Return ScanResult to user
```

## Scanner Capabilities

| Scanner | Target Types | Capabilities | Status |
|---------|-------------|--------------|--------|
| oscap | SSH host, local | OVAL checks, XCCDF variables, tailoring | ✅ Implemented |
| kubernetes | K8s cluster | YAML checks, JSONPath queries, API access | ✅ Implemented |
| aws_api | AWS account | S3, IAM, VPC compliance | 🔜 Planned |
| azure_api | Azure subscription | Resource Manager checks | 🔜 Planned |
| gcp_api | GCP project | Cloud API checks | 🔜 Planned |

## Usage

### Execute Scan via API
```bash
curl -X POST http://localhost:8000/api/v1/scans/execute \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "target": {
      "type": "ssh_host",
      "identifier": "prod-web-01.example.com",
      "credentials": {"username": "root"}
    },
    "framework": "nist",
    "framework_version": "800-53r5",
    "variable_overrides": {
      "xccdf_com.hanalyx.openwatch_value_var_accounts_tmout": "300"
    }
  }'
```

### Check Scan Status
```bash
curl http://localhost:8000/api/v1/scans/{scan_id} \
  -H "Authorization: Bearer $TOKEN"
```

### Response
```json
{
  "scan_id": "a1b2c3d4-...",
  "status": "completed",
  "started_at": "2025-10-15T08:00:00Z",
  "completed_at": "2025-10-15T08:05:23Z",
  "duration_seconds": 323.5,
  "summary": {
    "total_rules": 57,
    "passed": 45,
    "failed": 10,
    "error": 2,
    "compliance_percentage": 81.8,
    "by_severity": {
      "high": {"total": 15, "passed": 10, "failed": 5},
      "medium": {"total": 30, "passed": 28, "failed": 2},
      "low": {"total": 12, "passed": 7, "failed": 3}
    },
    "by_scanner": {
      "oscap": {"total": 45, "passed": 35, "failed": 8},
      "kubernetes": {"total": 12, "passed": 10, "failed": 2}
    }
  }
}
```

## Implementation Details

### Variable Override Application
OSCAP scanner generates tailoring files:
```xml
<xccdf:Tailoring>
  <xccdf:Profile id="customized" extends="nist_800_53_r5">
    <xccdf:set-value idref="xccdf_...value_var_accounts_tmout">300</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>
```

### Kubernetes Query Example
Rule check_content:
```json
{
  "resource_type": "image.config.openshift.io",
  "resource_name": "cluster",
  "yamlpath": ".spec.allowedRegistriesForImport[:].insecure",
  "expected_value": "false",
  "condition": "not_equals"
}
```

Scanner execution:
```bash
kubectl get image.config.openshift.io cluster \
  -o jsonpath='{.spec.allowedRegistriesForImport[:].insecure}'
```

### Parallel Scanner Execution
```python
scanner_tasks = [
    oscap_scanner.scan(oscap_rules, target, variables),
    k8s_scanner.scan(k8s_rules, target, variables)
]
results = await asyncio.gather(*scanner_tasks)
```

## Testing

Integration testing requires:
- MongoDB with compliance rules (Issue #96)
- OSCAP installed (`oscap --version`)
- Test SSH target or local system
- Optional: Kubernetes cluster for K8s scanner tests

## Next Steps

After this PR merges:

1. **Issue #5**: ORSA Plugin Architecture (5-7 days)
   - Execute remediation content (Ansible, Bash)
   - Track remediation status
   - Rollback support

2. **Issue #6**: Scan Configuration API (3-4 days)
   - UI for benchmark selection
   - Variable customization interface
   - Tailoring file management

3. **Issue #7**: Frontend Variable Customization UI (5-7 days)
   - Framework selection
   - Variable override forms
   - Real-time scan status

## Related Issues

- Closes: #100
- Requires: #98 (XCCDF generator) - PR #99 pending
- Blocks: #5 (ORSA Plugin Architecture)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
remyluslosius added a commit that referenced this pull request Oct 15, 2025
…very & Template Management

Implements complete scan configuration API for framework selection, variable
management, and template-based scan configurations.

New Components (4 files, ~1,800 lines)

1. Scan Configuration Models (backend/app/models/scan_config_models.py - 280 lines)
Purpose: MongoDB models and API schemas for templates and framework metadata

Key Models:
- ScanTemplate: Saved scan configuration with framework, variables, filters, sharing
- VariableDefinition: XCCDF variable with type and constraints
- FrameworkMetadata: Framework discovery with counts and versions
- API Schemas: Request/response models

2. Framework Metadata Service (backend/app/services/framework_metadata_service.py - 420 lines)
Purpose: Discover frameworks and validate variable values

Key Methods:
- list_frameworks(): Aggregate framework metadata
- get_framework_details(): Complete framework/version info
- get_variables(): Extract variables from rules
- validate_variable_value(): Constraint validation (type, range, choices, regex)
- validate_variables(): Batch validation

3. Scan Template Service (backend/app/services/scan_template_service.py - 380 lines)
Purpose: CRUD operations for scan templates

Key Methods:
- create_template(), list_templates(), update_template(), delete_template()
- apply_template(): Generate scan configuration
- set_as_default(), clone_template()
- share_template()/unshare_template(): Access control

4. Scan Configuration API (backend/app/api/v1/endpoints/scan_config_api.py - 720 lines)
Purpose: REST API with 14 endpoints

Framework Discovery:
- GET /frameworks
- GET /frameworks/{framework}/{version}
- GET /frameworks/{framework}/{version}/variables
- POST /frameworks/{framework}/{version}/validate

Template Management:
- POST /templates
- GET /templates
- GET /templates/{id}
- PUT /templates/{id}
- DELETE /templates/{id}
- POST /templates/{id}/apply
- POST /templates/{id}/clone
- POST /templates/{id}/set-default
- GET /statistics

Phase 1 Status: 6/7 tasks completed (86%)

Related Issues:
- Implements: #104
- Depends on: #98 (PR #99), #100 (PR #101)
- Blocks: #7 (Frontend UI)

Co-Authored-By: Claude <noreply@anthropic.com>
remyluslosius added a commit that referenced this pull request Oct 15, 2025
…covery & Template Management

Implemented complete Phase 1 frontend UI for XCCDF variable customization,
framework discovery, and scan template management.

## New Pages (4)
- FrameworksPage: Browse available compliance frameworks
- FrameworkDetailPage: View framework metadata, variables, and rules
- TemplatesPage: List and manage scan templates (personal + public)
- TemplateEditorPage: Create/edit templates with variable customization

## New Components (7)
- FrameworkCard: Framework metadata display card
- FrameworkSelector: Framework/version dropdown selector
- VariableInput: Type-specific input (number slider, choice dropdown, boolean switch, text)
- VariableCustomizer: Dynamic form builder with real-time validation
- TemplateCard: Template display with CRUD actions
- TemplateSelector: Template picker with grouping

## API Integration
- frameworkService: 4 methods (list, details, variables, validate)
- templateService: 9 methods (CRUD + clone/apply/setDefault/stats)
- useFrameworks: React Query hooks for framework data
- useTemplates: React Query hooks for template management with mutations

## Features
- Real-time variable validation against backend API
- Type-specific inputs (number sliders with min/max, dropdowns, switches)
- Variables grouped by category with collapsible accordions
- Template cloning, sharing, and default template support
- Framework browser with search and metadata display
- Integration with existing navigation (sidebar + routes)

## Routes Added
- /content/frameworks - Framework browser
- /content/frameworks/:framework/:version - Framework details
- /content/templates - Template list
- /content/templates/new - Create template
- /content/templates/:id - Edit template

Connects to 37 backend API endpoints from PRs #95-#105.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@remyluslosius remyluslosius deleted the dependabot/github_actions/peter-evans/create-pull-request-7 branch November 3, 2025 15:19

dependabot Bot commented on behalf of github Nov 3, 2025

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
