In [46]:
from pathlib import Path
import re
import pandas as pd
from sklearn.metrics import cohen_kappa_score
from openpyxl.styles import PatternFill
import openpyxl

In [2]:
def combine_pac_excels(input_dir: str | Path,
                       output_path: str | Path = "combined_pac_results.xlsx",
                       sheet_name: str | int | None = 0) -> pd.DataFrame:
    """
    Read every Excel file in `input_dir`, add a 'pac' column derived from the filename,
    and write a single combined Excel file to `output_path`.

    - Filenames are expected like: 'aws_config_results_full_foalem.xlsx'
    - 'pac' is extracted as the part before '_results' (e.g., 'aws_config').

    Parameters
    ----------
    input_dir : str | Path
        Folder containing the Excel files (e.g., r'sampled_policies\\Taxonomy_foalem').
    output_path : str | Path
        Where to write the combined Excel file.
    sheet_name : str | int | None
        Sheet to read from each workbook (default first sheet). Use None to let
        pandas read all sheets and concatenate within each file before adding 'pac'.

    Returns
    -------
    pd.DataFrame
        The combined dataframe that is also written to `output_path`.
    """
    input_dir = Path(input_dir)
    output_path = Path(output_path)
    excel_paths = sorted(p for p in input_dir.glob("*.xlsx") if not p.name.startswith("~$"))

    if not excel_paths:
        raise FileNotFoundError(f"No .xlsx files found in: {input_dir}")

    dfs = []
    for path in excel_paths:
        # Derive pac name: capture everything before '_results'
        m = re.match(r"^(.*?)_results", path.stem, flags=re.IGNORECASE)
        pac_name = (m.group(1) if m else path.stem).strip()

        # Read one or all sheets
        if sheet_name is None:
            # Read all sheets and concat within-file first
            xls = pd.read_excel(path, sheet_name=None, engine="openpyxl")
            df_file = pd.concat(xls.values(), ignore_index=True)
        else:
            df_file = pd.read_excel(path, sheet_name=sheet_name, engine="openpyxl")

        df_file.insert(0, "pac", pac_name)  # put 'pac' as the first column
        dfs.append(df_file)

    combined = pd.concat(dfs, ignore_index=True)

    # Write output
    combined.to_excel(output_path, index=False, engine="openpyxl")
    return combined

In [3]:
combine_pac_excels(r"sampled_policies\Taxonomy_foalem",
                   r"sampled_policies\Taxonomy_foalem\all_pac_taxonomy_foalem.xlsx")

Unnamed: 0,pac,Primary Purpose,Sub-purpose,Taxonomy Category,taxonomy foalem,Taxonomy Sub-category,sub-taxonomy foalem,Policy Implemented,Target Resource,Resource foalem,Rationale,Code Snippet,error,raw_output,LLM judgement foalem
0,aws_config,The policy addresses the governance of contain...,It aims to ensure that container images are sc...,Security Governance,Security Governance,Vulnerability Management,,Enable image scanning on push for AWS ECR repo...,AWS ECR Repository,,The policy enforces the scanning of container ...,"{\n ""version"": ""1.3"",\n ""accountId"": ""12...",,,Yes
1,aws_config,The policy ensures that ECS task definitions h...,It aims to enhance security by enforcing a spe...,Security Governance,Security Governance,Configuration Validation,Configuration Validation,ECS task definitions must have readonly root f...,ECS Task Definition,,The policy enforces a security best practice b...,#\n# The following rule ensures that ECS task ...,,,Yes
2,aws_config,The policy governs access control for an AWS E...,It specifically allows certain IAM users to pe...,Security Governance,Security Governance,Access Control,Access Control,Allow specified IAM users to push and pull ima...,AWS ECR Repository,,The policy explicitly defines which IAM users ...,"{\n ""AWSTemplateFormatVersion"": ""2010-09-09T0...",,,Yes
3,aws_config,The policy addresses the enforcement of securi...,It aims to ensure that only authorized users c...,Security Governance,,Access Control,,Restrict access to resources based on defined ...,Cloud environment,,The policy enforces rules that limit access to...,# This file contains example Guard rules you w...,,,No
4,aws_config,The policy addresses the management and retrie...,It specifically aims to facilitate the paginat...,Security Governance,Security Governance,Vulnerability Management,,Enforces structured pagination and retrieval o...,API,,The policy ensures that image scan findings ar...,"{\n ""pagination"": {\n ""DescribeImageScanFi...",,,Yes
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
302,sentinel,The policy addresses security governance by en...,It specifically aims to control who can access...,Security Governance,,Access Control,,Deny access to resources for users without the...,API,,The policy enforces access control by ensuring...,ver: 0,,,No
303,sentinel,The policy addresses the enforcement of secure...,It specifically aims to validate the structura...,Security Governance,,Configuration Validation,,Enforce valid configuration formats for cloud ...,Cloud environment,,The policy ensures that only correctly structu...,2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2...,,,No
304,sentinel,The policy ensures that default network ACLs i...,It aims to prevent the creation or update of d...,Security Governance,Security Governance,Network Management,Network Management,Deny creation or update of default network ACL...,AWS Default Network ACL,,The policy enforces strict rules on network AC...,"import ""tfplan/v2"" as tfplan\n\nallDefaultNetw...",,,Yes
305,sentinel,The policy addresses security governance by en...,It specifically aims to control who can access...,Security Governance,,Access Control,,Deny access to resources for users who do not ...,API,,The policy enforces role-based access control ...,ver: 2,,,No


In [5]:
combine_pac_excels(r"sampled_policies\PaC_Taxonomy_Leuson",
                   r"sampled_policies\Taxonomy_foalem\all_pac_taxonomy_leuson.xlsx")

Unnamed: 0,pac,Primary Purpose,Sub-purpose,Taxonomy Category,Taxonomy Sub-category,Policy Implemented,Target Resource,Rationale,Code Snippet,error,raw_output,taxonomy,sub-taxonomy,Resource,LLM judgement
0,aws_config,The policy addresses the governance of contain...,It aims to ensure that container images are sc...,Security Governance,Vulnerability Management,Enable image scanning on push for AWS ECR repo...,AWS ECR Repository,The policy enforces the scanning of container ...,"{\n ""version"": ""1.3"",\n ""accountId"": ""12...",,,Security Governance,Vulnerability Management,Clouds environment,Yes
1,aws_config,The policy ensures that ECS task definitions h...,It aims to enhance security by enforcing a spe...,Security Governance,Configuration Validation,ECS task definitions must have readonly root f...,ECS Task Definition,The policy enforces a security best practice b...,#\n# The following rule ensures that ECS task ...,,,Security Governance,Configuration Validation,Clouds environment,Yes
2,aws_config,The policy governs access control for an AWS E...,It specifically allows certain IAM users to pe...,Security Governance,Access Control,Allow specified IAM users to push and pull ima...,AWS ECR Repository,The policy explicitly defines which IAM users ...,"{\n ""AWSTemplateFormatVersion"": ""2010-09-09T0...",,,Security Governance,Access Control,Clouds environment,Yes
3,aws_config,The policy addresses the enforcement of securi...,It aims to ensure that only authorized users c...,Security Governance,Access Control,Restrict access to resources based on defined ...,Cloud environment,The policy enforces rules that limit access to...,# This file contains example Guard rules you w...,,,NO CODE SNIPPET,NO CODE SNIPPET,NO CODE SNIPPET,NO CODE SNIPPET
4,aws_config,The policy addresses the management and retrie...,It specifically aims to facilitate the paginat...,Security Governance,Vulnerability Management,Enforces structured pagination and retrieval o...,API,The policy ensures that image scan findings ar...,"{\n ""pagination"": {\n ""DescribeImageScanFi...",,,Security Governance,Vulnerability Management,,Yes
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
302,sentinel,The policy addresses security governance by en...,It specifically aims to control who can access...,Security Governance,Access Control,Deny access to resources for users without the...,API,The policy enforces access control by ensuring...,ver: 0,,,-,-,-,-
303,sentinel,The policy addresses the enforcement of secure...,It specifically aims to validate the structura...,Security Governance,Configuration Validation,Enforce valid configuration formats for cloud ...,Cloud environment,The policy ensures that only correctly structu...,2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2...,,,-,-,-,-
304,sentinel,The policy ensures that default network ACLs i...,It aims to prevent the creation or update of d...,Security Governance,Network Management,Deny creation or update of default network ACL...,AWS Default Network ACL,The policy enforces strict rules on network AC...,"import ""tfplan/v2"" as tfplan\n\nallDefaultNetw...",,,Security Governance,Network Management,,
305,sentinel,The policy addresses security governance by en...,It specifically aims to control who can access...,Security Governance,Access Control,Deny access to resources for users who do not ...,API,The policy enforces role-based access control ...,ver: 2,,,-,-,-,-


In [33]:
df_patrick = pd.read_excel("sampled_policies/Taxonomy_foalem/all_pac_taxonomy_foalem.xlsx")
df_patrick

Unnamed: 0,pac,Primary Purpose,Sub-purpose,Taxonomy Category,taxonomy foalem,Taxonomy Sub-category,sub-taxonomy foalem,Policy Implemented,Target Resource,Resource foalem,Rationale,Code Snippet,error,raw_output,LLM judgement foalem
0,aws_config,The policy addresses the governance of contain...,It aims to ensure that container images are sc...,Security Governance,Security Governance,Vulnerability Management,,Enable image scanning on push for AWS ECR repo...,AWS ECR Repository,,The policy enforces the scanning of container ...,"{\n ""version"": ""1.3"",\n ""accountId"": ""12...",,,Yes
1,aws_config,The policy ensures that ECS task definitions h...,It aims to enhance security by enforcing a spe...,Security Governance,Security Governance,Configuration Validation,Configuration Validation,ECS task definitions must have readonly root f...,ECS Task Definition,,The policy enforces a security best practice b...,#\n# The following rule ensures that ECS task ...,,,Yes
2,aws_config,The policy governs access control for an AWS E...,It specifically allows certain IAM users to pe...,Security Governance,Security Governance,Access Control,Access Control,Allow specified IAM users to push and pull ima...,AWS ECR Repository,,The policy explicitly defines which IAM users ...,"{\n ""AWSTemplateFormatVersion"": ""2010-09-09T0...",,,Yes
3,aws_config,The policy addresses the enforcement of securi...,It aims to ensure that only authorized users c...,Security Governance,,Access Control,,Restrict access to resources based on defined ...,Cloud environment,,The policy enforces rules that limit access to...,# This file contains example Guard rules you w...,,,No
4,aws_config,The policy addresses the management and retrie...,It specifically aims to facilitate the paginat...,Security Governance,Security Governance,Vulnerability Management,,Enforces structured pagination and retrieval o...,API,,The policy ensures that image scan findings ar...,"{\n ""pagination"": {\n ""DescribeImageScanFi...",,,Yes
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
301,sentinel,The policy addresses security governance by en...,It specifically aims to control who can access...,Security Governance,,Access Control,,Deny access to resources for users without the...,API,,The policy enforces access control by ensuring...,ver: 0,,,No
302,sentinel,The policy addresses the enforcement of secure...,It specifically aims to validate the structura...,Security Governance,,Configuration Validation,,Enforce valid configuration formats for cloud ...,Cloud environment,,The policy ensures that only correctly structu...,2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2...,,,No
303,sentinel,The policy ensures that default network ACLs i...,It aims to prevent the creation or update of d...,Security Governance,Security Governance,Network Management,Network Management,Deny creation or update of default network ACL...,AWS Default Network ACL,,The policy enforces strict rules on network AC...,"import ""tfplan/v2"" as tfplan\n\nallDefaultNetw...",,,Yes
304,sentinel,The policy addresses security governance by en...,It specifically aims to control who can access...,Security Governance,,Access Control,,Deny access to resources for users who do not ...,API,,The policy enforces role-based access control ...,ver: 2,,,No


In [34]:
df_leuson = pd.read_excel("sampled_policies/Taxonomy_foalem/all_pac_taxonomy_leuson.xlsx")
df_leuson

Unnamed: 0,pac,Primary Purpose,Sub-purpose,Taxonomy Category,Taxonomy Sub-category,Policy Implemented,Target Resource,Rationale,Code Snippet,error,raw_output,taxonomy,sub-taxonomy,Resource,LLM judgement
0,aws_config,The policy addresses the governance of contain...,It aims to ensure that container images are sc...,Security Governance,Vulnerability Management,Enable image scanning on push for AWS ECR repo...,AWS ECR Repository,The policy enforces the scanning of container ...,"{\n ""version"": ""1.3"",\n ""accountId"": ""12...",,,Security Governance,Vulnerability Management,Clouds environment,Yes
1,aws_config,The policy ensures that ECS task definitions h...,It aims to enhance security by enforcing a spe...,Security Governance,Configuration Validation,ECS task definitions must have readonly root f...,ECS Task Definition,The policy enforces a security best practice b...,#\n# The following rule ensures that ECS task ...,,,Security Governance,Configuration Validation,Clouds environment,Yes
2,aws_config,The policy governs access control for an AWS E...,It specifically allows certain IAM users to pe...,Security Governance,Access Control,Allow specified IAM users to push and pull ima...,AWS ECR Repository,The policy explicitly defines which IAM users ...,"{\n ""AWSTemplateFormatVersion"": ""2010-09-09T0...",,,Security Governance,Access Control,Clouds environment,Yes
3,aws_config,The policy addresses the enforcement of securi...,It aims to ensure that only authorized users c...,Security Governance,Access Control,Restrict access to resources based on defined ...,Cloud environment,The policy enforces rules that limit access to...,# This file contains example Guard rules you w...,,,,,,No
4,aws_config,The policy addresses the management and retrie...,It specifically aims to facilitate the paginat...,Security Governance,Vulnerability Management,Enforces structured pagination and retrieval o...,API,The policy ensures that image scan findings ar...,"{\n ""pagination"": {\n ""DescribeImageScanFi...",,,Security Governance,Vulnerability Management,,Yes
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
301,sentinel,The policy addresses security governance by en...,It specifically aims to control who can access...,Security Governance,Access Control,Deny access to resources for users without the...,API,The policy enforces access control by ensuring...,ver: 0,,,-,-,-,-
302,sentinel,The policy addresses the enforcement of secure...,It specifically aims to validate the structura...,Security Governance,Configuration Validation,Enforce valid configuration formats for cloud ...,Cloud environment,The policy ensures that only correctly structu...,2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2...,,,-,-,-,-
303,sentinel,The policy ensures that default network ACLs i...,It aims to prevent the creation or update of d...,Security Governance,Network Management,Deny creation or update of default network ACL...,AWS Default Network ACL,The policy enforces strict rules on network AC...,"import ""tfplan/v2"" as tfplan\n\nallDefaultNetw...",,,Security Governance,Network Management,,
304,sentinel,The policy addresses security governance by en...,It specifically aims to control who can access...,Security Governance,Access Control,Deny access to resources for users who do not ...,API,The policy enforces role-based access control ...,ver: 2,,,-,-,-,-


In [43]:
df_leuson_patrick = pd.read_excel("sampled_policies/Taxonomy_foalem/all_pac_taxonomy_patrick_leuson.xlsx")
df_leuson_patrick

Unnamed: 0,pac,taxonomy,sub-taxonomy,Resource,taxonomy foalem,sub-taxonomy foalem,Resource foalem,Code Snippet
0,aws_config,Security Governance,Vulnerability Management,Clouds environment,Security Governance,,,"{\n ""version"": ""1.3"",\n ""accountId"": ""12..."
1,aws_config,Security Governance,Configuration Validation,Clouds environment,Security Governance,Configuration Validation,,#\n# The following rule ensures that ECS task ...
2,aws_config,Security Governance,Access Control,Clouds environment,Security Governance,Access Control,,"{\n ""AWSTemplateFormatVersion"": ""2010-09-09T0..."
3,aws_config,,,,,,,# This file contains example Guard rules you w...
4,aws_config,Security Governance,Vulnerability Management,,Security Governance,,,"{\n ""pagination"": {\n ""DescribeImageScanFi..."
...,...,...,...,...,...,...,...,...
301,sentinel,,,,,,,ver: 0
302,sentinel,,,,,,,2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2.0\n2...
303,sentinel,Security Governance,Network Management,,Security Governance,Network Management,,"import ""tfplan/v2"" as tfplan\n\nallDefaultNetw..."
304,sentinel,,,,,,,ver: 2


In [47]:
def calculate_kappa_and_highlight_disagreements(df: pd.DataFrame, column1: str, column2: str, output_file: str):
    """
    Calculate the Cohen's Kappa score for the agreement between two label columns, 
    highlight the disagreement rows, and save the results to an Excel file.
    
    Parameters:
    - df (pd.DataFrame): The input DataFrame.
    - column1 (str): The name of the first label column (e.g., 'Label_Patrick').
    - column2 (str): The name of the second label column (e.g., 'Label_Leuson').
    - output_file (str): The file path to save the resulting DataFrame with highlighted rows.
    
    Returns:
    - kappa_score (float): The Cohen's Kappa score.
    """
    
    # Calculate Cohen's Kappa score
    kappa_score = cohen_kappa_score(df[column1], df[column2])
    
    # Highlight the disagreement rows
    df['Disagreement'] = df[column1] != df[column2]
    
    # Save to Excel
    with pd.ExcelWriter(output_file, engine='openpyxl') as writer:
        df.to_excel(writer, index=False, sheet_name='Kappa Results')
        
        # Access the openpyxl workbook and sheet
        workbook = writer.book
        sheet = workbook['Kappa Results']
        
        # Define the red fill for disagreement
        red_fill = PatternFill(start_color='FF0000', end_color='FF0000', fill_type='solid')
        
        # Loop through rows and apply red fill for disagreement
        for row_idx, row in df.iterrows():
            if row['Disagreement']:  # If there's disagreement
                for col_idx, col_name in enumerate(df.columns):
                    cell = sheet.cell(row=row_idx + 2, column=col_idx + 1)  # +2 to account for header row
                    cell.fill = red_fill

    # Return the Kappa score
    return kappa_score

In [48]:
# Call the function
kappa = calculate_kappa_and_highlight_disagreements(df_leuson_patrick, 'taxonomy', 'taxonomy foalem', 'taxonomy_disagreement_highlighted.xlsx')

# Print Cohen's Kappa score
print(f"Cohen's Kappa score: {kappa}")


TypeError: '<' not supported between instances of 'float' and 'str'

In [None]:
# Call the function
kappa = calculate_kappa_and_highlight_disagreements(df_leuson_patrick, 'sub-taxonomy', 'sub-taxonomy foalem', 'sub-taxonomy_disagreement_highlighted.xlsx')

# Print Cohen's Kappa score
print(f"Cohen's Kappa score: {kappa}")
