Feuille de chaleur CloudSployt
Aperçu général
CloudSploit est un outil open-source de gestion de la posture de sécurité du cloud (CSPM) qui scanne l'infrastructure cloud pour détecter les erreurs de configuration de sécurité et les violations de conformité. Développé à l'origine par Aqua Security, il prend en charge AWS, Azure et Google Cloud Platform, fournissant des évaluations de sécurité complètes avec plus de 100 plugins intégrés pour détecter des problèmes de sécurité communs.
C'est-à-dire Caractéristiques principales: Numérisation de sécurité multicloud, 100 plugins de sécurité, cadres de conformité (CIS, PCI DSS, HIPAA), suggestions d'assainissement automatisées, intégration CI/CD, et rapports de sécurité détaillés.
Installation et configuration
Installation Node.js
# Install Node.js (required)
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs
# Verify Node.js installation
node --version
npm --version
# Clone CloudSploit repository
git clone https://github.com/aquasecurity/cloudsploit.git
cd cloudsploit
# Install dependencies
npm install
# Verify installation
node index.js --help
Installation Docker
# Pull CloudSploit Docker image
docker pull aquasec/cloudsploit
# Run CloudSploit in Docker
docker run --rm -it aquasec/cloudsploit --help
# Create Docker alias for easier usage
echo 'alias cloudsploit="docker run --rm -it -v ~/.aws:/root/.aws -v ~/.azure:/root/.azure -v ~/.config/gcloud:/root/.config/gcloud aquasec/cloudsploit"' >> ~/.bashrc
source ~/.bashrc
# Run with volume mounts for cloud credentials
docker run --rm -it \
-v ~/.aws:/root/.aws \
-v ~/.azure:/root/.azure \
-v ~/.config/gcloud:/root/.config/gcloud \
-v $(pwd)/output:/app/output \
aquasec/cloudsploit \
--cloud aws \
--format json \
--output /app/output/aws_scan.json
# Create Docker Compose file
cat > docker-compose.yml << 'EOF'
version: '3.8'
services:
cloudsploit:
image: aquasec/cloudsploit
volumes:
- ~/.aws:/root/.aws
- ~/.azure:/root/.azure
- ~/.config/gcloud:/root/.config/gcloud
- ./output:/app/output
environment:
- AWS_PROFILE=default
- AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}
- GOOGLE_APPLICATION_CREDENTIALS=/root/.config/gcloud/application_default_credentials.json
EOF
# Run with Docker Compose
docker-compose run cloudsploit --cloud aws --format json
```_
### Installation du gestionnaire de paquets
```bash
# Install via npm globally
npm install -g cloudsploit
# Verify global installation
cloudsploit --help
# Alternative: Install from source
git clone https://github.com/aquasecurity/cloudsploit.git
cd cloudsploit
npm install -g .
# Create symbolic link for easier access
sudo ln -sf $(pwd)/index.js /usr/local/bin/cloudsploit
```_
### Configuration du fournisseur de cloud
#### Configuration AWS
```bash
# Install AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
# Configure AWS credentials
aws configure
# Enter: Access Key ID, Secret Access Key, Region, Output format
# Alternative: Use environment variables
export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_DEFAULT_REGION="us-east-1"
# Alternative: Use IAM roles (recommended for EC2)
# Attach IAM role with required permissions to EC2 instance
# Test AWS configuration
aws sts get-caller-identity
# Required AWS permissions for CloudSploit
cat > cloudsploit-policy.json << 'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"cloudformation:DescribeStacks",
"cloudformation:GetTemplate",
"cloudformation:ListStacks",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:DescribeAlarms",
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeNetworkAcls",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"iam:GenerateCredentialReport",
"iam:GetAccountPasswordPolicy",
"iam:GetCredentialReport",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetLoginProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListMFADevices",
"iam:ListPolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListServerCertificates",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListGrants",
"kms:ListKeys",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSecurityGroups",
"rds:DescribeDBSnapshots",
"rds:DescribeDBSubnetGroups",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketVersioning",
"s3:ListAllMyBuckets",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:ListIdentities",
"ses:ListVerifiedEmailAddresses",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueues"
],
"Resource": "*"
}
]
}
EOF
# Create IAM policy
aws iam create-policy \
--policy-name CloudSploitPolicy \
--policy-document file://cloudsploit-policy.json
# Attach policy to user
aws iam attach-user-policy \
--user-name your-username \
--policy-arn arn:aws:iam::ACCOUNT-ID:policy/CloudSploitPolicy
Configuration d'azur
# Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# Login to Azure
az login
# Set subscription
az account set --subscription "your-subscription-id"
# Create service principal for CloudSploit
az ad sp create-for-rbac \
--name "CloudSploitSP" \
--role "Security Reader" \
--scopes "/subscriptions/your-subscription-id"
# Note the output: appId, password, tenant
# Set environment variables
export AZURE_CLIENT_ID="app-id-from-output"
export AZURE_CLIENT_SECRET="password-from-output"
export AZURE_TENANT_ID="tenant-from-output"
export AZURE_SUBSCRIPTION_ID="your-subscription-id"
# Alternative: Use Azure CLI authentication
az login --service-principal \
--username $AZURE_CLIENT_ID \
--password $AZURE_CLIENT_SECRET \
--tenant $AZURE_TENANT_ID
# Test Azure configuration
az account show
Configuration Google Cloud
# Install Google Cloud SDK
curl https://sdk.cloud.google.com | bash
exec -l $SHELL
# Initialize gcloud
gcloud init
# Authenticate
gcloud auth login
# Set project
gcloud config set project your-project-id
# Create service account for CloudSploit
gcloud iam service-accounts create cloudsploit-sa \
--display-name="CloudSploit Service Account"
# Grant required roles
gcloud projects add-iam-policy-binding your-project-id \
--member="serviceAccount:cloudsploit-sa@your-project-id.iam.gserviceaccount.com" \
--role="roles/security.securityReviewer"
gcloud projects add-iam-policy-binding your-project-id \
--member="serviceAccount:cloudsploit-sa@your-project-id.iam.gserviceaccount.com" \
--role="roles/viewer"
# Create and download service account key
gcloud iam service-accounts keys create cloudsploit-key.json \
--iam-account=cloudsploit-sa@your-project-id.iam.gserviceaccount.com
# Set environment variable
export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/cloudsploit-key.json"
# Test GCP configuration
gcloud auth list
gcloud projects list
Utilisation et numérisation de base
Analyses simples
# Basic AWS scan
node index.js --cloud aws
# Basic Azure scan
node index.js --cloud azure
# Basic GCP scan
node index.js --cloud gcp
# Scan specific region
node index.js --cloud aws --region us-east-1
# Scan multiple regions
node index.js --cloud aws --region us-east-1,us-west-2,eu-west-1
# Scan with specific profile
node index.js --cloud aws --profile production
# Scan with custom output format
node index.js --cloud aws --format json
node index.js --cloud aws --format csv
node index.js --cloud aws --format table
Options avancées de numérisation
# Scan with specific plugins
node index.js --cloud aws --plugins ec2,s3,iam
# Exclude specific plugins
node index.js --cloud aws --ignore-plugins cloudtrail,vpc
# Scan with compliance framework
node index.js --cloud aws --compliance cis
# Scan with custom severity levels
node index.js --cloud aws --severity high,critical
# Scan with output file
node index.js --cloud aws --format json --output aws_scan_results.json
# Scan with detailed output
node index.js --cloud aws --verbose
# Scan with custom timeout
node index.js --cloud aws --timeout 300
# Scan with parallel execution
node index.js --cloud aws --parallel 10
Numérisation multi-cloud
# Scan all configured clouds
node index.js --cloud all
# Scan multiple clouds with output
node index.js --cloud aws,azure,gcp --format json --output multi_cloud_scan.json
# Create multi-cloud scanning script
cat > multi_cloud_scan.sh << 'EOF'
#!/bin/bash
# Multi-cloud security scanning with CloudSploit
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
OUTPUT_DIR="scans/$TIMESTAMP"
mkdir -p "$OUTPUT_DIR"
echo "Starting multi-cloud security scan..."
# AWS Scan
if aws sts get-caller-identity > /dev/null 2>&1; then
echo "Scanning AWS..."
node index.js --cloud aws --format json --output "$OUTPUT_DIR/aws_scan.json"
echo "AWS scan completed"
else
echo "AWS credentials not configured, skipping..."
fi
# Azure Scan
if az account show > /dev/null 2>&1; then
echo "Scanning Azure..."
node index.js --cloud azure --format json --output "$OUTPUT_DIR/azure_scan.json"
echo "Azure scan completed"
else
echo "Azure credentials not configured, skipping..."
fi
# GCP Scan
if gcloud auth list --filter=status:ACTIVE --format="value(account)" | head -n1 > /dev/null 2>&1; then
echo "Scanning GCP..."
node index.js --cloud gcp --format json --output "$OUTPUT_DIR/gcp_scan.json"
echo "GCP scan completed"
else
echo "GCP credentials not configured, skipping..."
fi
echo "Multi-cloud scan completed. Results in: $OUTPUT_DIR"
# Generate summary report
python3 << 'PYTHON'
import json
import os
import glob
def generate_summary(output_dir):
summary = {
"timestamp": "$TIMESTAMP",
"clouds": {},
"total_findings": 0,
"severity_breakdown": {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
}
for scan_file in glob.glob(f"{output_dir}/*.json"):
cloud_name = os.path.basename(scan_file).replace("_scan.json", "")
try:
with open(scan_file, 'r') as f:
data = json.load(f)
findings = 0
for result in data:
if result.get("status") == "FAIL":
findings += 1
severity = result.get("severity", "UNKNOWN")
if severity in summary["severity_breakdown"]:
summary["severity_breakdown"][severity] += 1
summary["clouds"][cloud_name] = {
"findings": findings,
"total_checks": len(data)
}
summary["total_findings"] += findings
except Exception as e:
print(f"Error processing {scan_file}: {e}")
with open(f"{output_dir}/summary.json", 'w') as f:
json.dump(summary, f, indent=2)
print(f"Summary report generated: {output_dir}/summary.json")
generate_summary("$OUTPUT_DIR")
PYTHON
EOF
chmod +x multi_cloud_scan.sh
# Run multi-cloud scan
./multi_cloud_scan.sh
Gestion et personnalisation des plugins
Plugins disponibles
# List all available plugins
node index.js --list-plugins
# List plugins by cloud provider
node index.js --list-plugins --cloud aws
node index.js --list-plugins --cloud azure
node index.js --list-plugins --cloud gcp
# Show plugin details
node index.js --describe-plugin ec2/instancesInPublicSubnet
# List plugins by category
grep -r "category:" plugins/ | sort | uniq
# List plugins by severity
grep -r "severity:" plugins/ | sort | uniq
Développement de plugins personnalisés
// Create custom plugin: plugins/aws/ec2/customSecurityCheck.js
var async = require('async');
var helpers = require('../../../helpers/aws');
module.exports = {
title: 'Custom EC2 Security Check',
category: 'EC2',
description: 'Ensures EC2 instances follow custom security requirements',
more_info: 'Custom security check for EC2 instances based on organizational policies.',
link: 'https://docs.aws.amazon.com/ec2/',
recommended_action: 'Review and remediate EC2 instances that do not meet security requirements.',
apis: ['EC2:describeInstances'],
compliance: {
cis: '2.1.1'
},
severity: 'High',
run: function(cache, settings, callback) {
var results = [];
var source = {};
var regions = helpers.regions(settings);
async.each(regions.ec2, function(region, rcb){
var describeInstances = helpers.addSource(cache, source,
['ec2', 'describeInstances', region]);
if (!describeInstances) return rcb();
if (describeInstances.err || !describeInstances.data) {
helpers.addResult(results, 3,
'Unable to query for instances: ' + helpers.addError(describeInstances),
region);
return rcb();
}
if (!describeInstances.data.length) {
helpers.addResult(results, 0, 'No instances found', region);
return rcb();
}
describeInstances.data.forEach(function(reservation){
reservation.Instances.forEach(function(instance){
var resource = instance.InstanceId;
// Custom security checks
var securityIssues = [];
// Check 1: Instance should have specific tags
var requiredTags = ['Environment', 'Owner', 'Project'];
var instanceTags = instance.Tags || [];
var tagNames = instanceTags.map(tag => tag.Key);
requiredTags.forEach(function(requiredTag) {
if (!tagNames.includes(requiredTag)) {
securityIssues.push(`Missing required tag: ${requiredTag}`);
}
});
// Check 2: Instance should not be in default VPC
if (instance.VpcId && instance.VpcId.includes('default')) {
securityIssues.push('Instance is running in default VPC');
}
// Check 3: Instance should have detailed monitoring enabled
if (!instance.Monitoring || instance.Monitoring.State !== 'enabled') {
securityIssues.push('Detailed monitoring is not enabled');
}
// Check 4: Instance should not have public IP in production
var envTag = instanceTags.find(tag => tag.Key === 'Environment');
if (envTag && envTag.Value.toLowerCase() === 'production' && instance.PublicIpAddress) {
securityIssues.push('Production instance has public IP address');
}
if (securityIssues.length > 0) {
helpers.addResult(results, 2,
`Instance has security issues: ${securityIssues.join(', ')}`,
region, resource);
} else {
helpers.addResult(results, 0,
'Instance meets custom security requirements',
region, resource);
}
});
});
rcb();
}, function(){
callback(null, results, source);
});
}
};
Configuration du plugin
// Create plugin configuration file: config/plugins.js
module.exports = {
// Global plugin settings
settings: {
// Timeout for API calls (seconds)
timeout: 120,
// Maximum number of parallel API calls
parallelism: 10,
// Retry configuration
retries: 3,
retryDelay: 1000,
// Custom severity mappings
severityMapping: {
'CRITICAL': 4,
'HIGH': 3,
'MEDIUM': 2,
'LOW': 1,
'INFO': 0
}
},
// Plugin-specific configurations
plugins: {
// AWS EC2 plugins
'ec2/instancesInPublicSubnet': {
enabled: true,
severity: 'HIGH',
settings: {
// Allow specific instance types in public subnets
allowedInstanceTypes: ['t3.nano', 't3.micro']
}
},
// S3 plugins
's3/bucketAllUsersPolicy': {
enabled: true,
severity: 'CRITICAL',
settings: {
// Whitelist specific buckets
whitelistedBuckets: ['public-website-bucket']
}
},
// IAM plugins
'iam/rootAccessKeys': {
enabled: true,
severity: 'CRITICAL'
},
// Custom plugins
'ec2/customSecurityCheck': {
enabled: true,
severity: 'HIGH',
settings: {
requiredTags: ['Environment', 'Owner', 'Project', 'CostCenter'],
allowPublicIpEnvironments: ['development', 'staging']
}
}
},
// Compliance framework mappings
compliance: {
cis: {
enabled: true,
version: '1.4.0',
plugins: [
'iam/rootAccessKeys',
'iam/mfaEnabled',
'cloudtrail/cloudtrailEnabled',
's3/bucketAllUsersPolicy'
]
},
pci: {
enabled: true,
version: '3.2.1',
plugins: [
'ec2/instancesInPublicSubnet',
's3/bucketAllUsersPolicy',
'rds/rdsEncryptionEnabled'
]
},
hipaa: {
enabled: true,
plugins: [
'rds/rdsEncryptionEnabled',
's3/bucketEncryptionInTransit',
'kms/kmsKeyRotation'
]
}
}
};
Exécuter des plugins personnalisés
# Run with custom plugin configuration
node index.js --cloud aws --config config/plugins.js
# Run specific custom plugin
node index.js --cloud aws --plugins ec2/customSecurityCheck
# Test custom plugin
node index.js --cloud aws --plugins ec2/customSecurityCheck --verbose --dry-run
# Validate plugin syntax
node -c plugins/aws/ec2/customSecurityCheck.js
# Run plugin development helper
cat > test_plugin.js << 'EOF'
// Plugin testing helper
const plugin = require('./plugins/aws/ec2/customSecurityCheck.js');
const mockCache = require('./test/mock_cache.js');
// Test plugin with mock data
plugin.run(mockCache, {}, function(err, results, source) {
if (err) {
console.error('Plugin error:', err);
return;
}
console.log('Plugin results:');
results.forEach(function(result) {
console.log(`${result.status}: ${result.message} (${result.region})`);
});
});
EOF
node test_plugin.js
Conformité et rapports
Analyse du cadre de conformité
# CIS Benchmark scanning
node index.js --cloud aws --compliance cis --format json --output cis_aws_scan.json
# PCI DSS compliance scanning
node index.js --cloud aws --compliance pci --format json --output pci_aws_scan.json
# HIPAA compliance scanning
node index.js --cloud aws --compliance hipaa --format json --output hipaa_aws_scan.json
# SOC 2 compliance scanning
node index.js --cloud aws --compliance soc2 --format json --output soc2_aws_scan.json
# Custom compliance scanning
node index.js --cloud aws --compliance custom --config compliance/custom_framework.js
# Multi-framework compliance scanning
cat > compliance_scan.sh << 'EOF'
#!/bin/bash
# Comprehensive compliance scanning
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
COMPLIANCE_DIR="compliance_reports/$TIMESTAMP"
mkdir -p "$COMPLIANCE_DIR"
echo "Starting compliance scanning..."
# CIS Benchmark
echo "Running CIS Benchmark scan..."
node index.js --cloud aws --compliance cis --format json --output "$COMPLIANCE_DIR/cis_report.json"
# PCI DSS
echo "Running PCI DSS scan..."
node index.js --cloud aws --compliance pci --format json --output "$COMPLIANCE_DIR/pci_report.json"
# HIPAA
echo "Running HIPAA scan..."
node index.js --cloud aws --compliance hipaa --format json --output "$COMPLIANCE_DIR/hipaa_report.json"
# Generate compliance summary
python3 << 'PYTHON'
import json
import os
def generate_compliance_summary(compliance_dir):
frameworks = ['cis', 'pci', 'hipaa']
summary = {
"timestamp": "$TIMESTAMP",
"frameworks": {},
"overall_score": 0
}
total_score = 0
framework_count = 0
for framework in frameworks:
report_file = f"{compliance_dir}/{framework}_report.json"
if os.path.exists(report_file):
with open(report_file, 'r') as f:
data = json.load(f)
total_checks = len(data)
passed_checks = sum(1 for result in data if result.get("status") == "OK")
failed_checks = total_checks - passed_checks
score = (passed_checks / total_checks * 100) if total_checks > 0 else 0
summary["frameworks"][framework] = {
"total_checks": total_checks,
"passed_checks": passed_checks,
"failed_checks": failed_checks,
"compliance_score": round(score, 2)
}
total_score += score
framework_count += 1
if framework_count > 0:
summary["overall_score"] = round(total_score / framework_count, 2)
with open(f"{compliance_dir}/compliance_summary.json", 'w') as f:
json.dump(summary, f, indent=2)
print(f"Compliance summary generated: {compliance_dir}/compliance_summary.json")
generate_compliance_summary("$COMPLIANCE_DIR")
PYTHON
echo "Compliance scanning completed. Reports in: $COMPLIANCE_DIR"
EOF
chmod +x compliance_scan.sh
./compliance_scan.sh
Cadre de conformité personnalisé
// Create custom compliance framework: compliance/custom_framework.js
module.exports = {
name: 'Custom Security Framework',
version: '1.0.0',
description: 'Organization-specific security compliance framework',
controls: {
'CSF-001': {
title: 'Data Encryption at Rest',
description: 'All data must be encrypted at rest',
plugins: [
's3/bucketEncryption',
'rds/rdsEncryptionEnabled',
'ec2/encryptedEbsSnapshots'
],
severity: 'CRITICAL'
},
'CSF-002': {
title: 'Network Security',
description: 'Network access must be properly controlled',
plugins: [
'ec2/instancesInPublicSubnet',
'vpc/defaultSecurityGroup',
'ec2/openSecurityGroups'
],
severity: 'HIGH'
},
'CSF-003': {
title: 'Access Management',
description: 'Access must follow principle of least privilege',
plugins: [
'iam/rootAccessKeys',
'iam/mfaEnabled',
'iam/unusedCredentials'
],
severity: 'HIGH'
},
'CSF-004': {
title: 'Monitoring and Logging',
description: 'All activities must be logged and monitored',
plugins: [
'cloudtrail/cloudtrailEnabled',
'cloudwatch/logGroupEncryption',
'vpc/flowLogsEnabled'
],
severity: 'MEDIUM'
},
'CSF-005': {
title: 'Backup and Recovery',
description: 'Critical data must be backed up regularly',
plugins: [
'rds/rdsBackupEnabled',
'ec2/ebsSnapshotPublic',
's3/bucketVersioning'
],
severity: 'MEDIUM'
}
},
// Scoring methodology
scoring: {
'CRITICAL': 10,
'HIGH': 7,
'MEDIUM': 4,
'LOW': 1
},
// Compliance thresholds
thresholds: {
'excellent': 95,
'good': 85,
'fair': 70,
'poor': 50
}
};
Rapports avancés
#!/usr/bin/env python3
# Advanced CloudSploit reporting and analysis
import json
import csv
import datetime
import argparse
import matplotlib.pyplot as plt
import pandas as pd
from jinja2 import Template
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.mime.base import MIMEBase
from email import encoders
class CloudSploitReporter:
"""Advanced reporting for CloudSploit scan results"""
def __init__(self):
self.timestamp = datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-%S')
def load_scan_results(self, file_path):
"""Load CloudSploit scan results from JSON file"""
try:
with open(file_path, 'r') as f:
return json.load(f)
except Exception as e:
print(f"Error loading scan results: {e}")
return None
def analyze_results(self, results):
"""Analyze scan results and generate statistics"""
analysis = {
'total_checks': len(results),
'passed_checks': 0,
'failed_checks': 0,
'unknown_checks': 0,
'severity_breakdown': {'CRITICAL': 0, 'HIGH': 0, 'MEDIUM': 0, 'LOW': 0, 'INFO': 0},
'category_breakdown': {},
'region_breakdown': {},
'top_issues': []
}
for result in results:
status = result.get('status', 'UNKNOWN')
severity = result.get('severity', 'UNKNOWN')
category = result.get('category', 'UNKNOWN')
region = result.get('region', 'UNKNOWN')
# Count by status
if status == 'OK':
analysis['passed_checks'] += 1
elif status == 'FAIL':
analysis['failed_checks'] += 1
else:
analysis['unknown_checks'] += 1
# Count by severity
if severity in analysis['severity_breakdown']:
analysis['severity_breakdown'][severity] += 1
# Count by category
if category not in analysis['category_breakdown']:
analysis['category_breakdown'][category] = {'total': 0, 'failed': 0}
analysis['category_breakdown'][category]['total'] += 1
if status == 'FAIL':
analysis['category_breakdown'][category]['failed'] += 1
# Count by region
if region not in analysis['region_breakdown']:
analysis['region_breakdown'][region] = {'total': 0, 'failed': 0}
analysis['region_breakdown'][region]['total'] += 1
if status == 'FAIL':
analysis['region_breakdown'][region]['failed'] += 1
# Collect failed checks for top issues
if status == 'FAIL':
analysis['top_issues'].append({
'title': result.get('title', 'Unknown'),
'severity': severity,
'category': category,
'region': region,
'resource': result.get('resource', 'Unknown')
})
# Sort top issues by severity
severity_order = {'CRITICAL': 4, 'HIGH': 3, 'MEDIUM': 2, 'LOW': 1, 'INFO': 0}
analysis['top_issues'].sort(key=lambda x: severity_order.get(x['severity'], 0), reverse=True)
return analysis
def generate_html_report(self, analysis, scan_results, output_file):
"""Generate HTML report"""
html_template = """
<!DOCTYPE html>
<html>
<head>
<title>CloudSploit Security Report - {{ timestamp }}</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.header { background: #f4f4f4; padding: 20px; border-radius: 5px; margin-bottom: 20px; }
.summary { display: flex; justify-content: space-around; margin: 20px 0; }
.metric { text-align: center; padding: 15px; border: 1px solid #ddd; border-radius: 5px; }
.metric h3 { margin: 0; color: #333; }
.metric .value { font-size: 2em; font-weight: bold; }
.passed { color: #4CAF50; }
.failed { color: #f44336; }
.critical { color: #d32f2f; }
.high { color: #f57c00; }
.medium { color: #fbc02d; }
.low { color: #388e3c; }
.section { margin: 30px 0; }
.chart { text-align: center; margin: 20px 0; }
table { border-collapse: collapse; width: 100%; margin: 20px 0; }
th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
th { background-color: #f2f2f2; }
.issue-row { border-left: 4px solid; }
.issue-critical { border-left-color: #d32f2f; }
.issue-high { border-left-color: #f57c00; }
.issue-medium { border-left-color: #fbc02d; }
.issue-low { border-left-color: #388e3c; }
</style>
</head>
<body>
<div class="header">
<h1>CloudSploit Security Report</h1>
<p>Generated on: {{ timestamp }}</p>
<p>Total Checks: {{ analysis.total_checks }}</p>
</div>
<div class="summary">
<div class="metric">
<h3>Passed Checks</h3>
<div class="value passed">{{ analysis.passed_checks }}</div>
</div>
<div class="metric">
<h3>Failed Checks</h3>
<div class="value failed">{{ analysis.failed_checks }}</div>
</div>
<div class="metric">
<h3>Compliance Score</h3>
<div class="value">{{ "%.1f"|format((analysis.passed_checks / analysis.total_checks * 100) if analysis.total_checks > 0 else 0) }}%</div>
</div>
</div>
<div class="section">
<h2>Severity Breakdown</h2>
<table>
<tr><th>Severity</th><th>Count</th><th>Percentage</th></tr>
{% for severity, count in analysis.severity_breakdown.items() %}
<tr class="{{ severity.lower() }}">
<td>{{ severity }}</td>
<td>{{ count }}</td>
<td>{{ "%.1f"|format((count / analysis.total_checks * 100) if analysis.total_checks > 0 else 0) }}%</td>
</tr>
{% endfor %}
</table>
</div>
<div class="section">
<h2>Top Security Issues</h2>
<table>
<tr><th>Issue</th><th>Severity</th><th>Category</th><th>Region</th><th>Resource</th></tr>
{% for issue in analysis.top_issues[:20] %}
<tr class="issue-row issue-{{ issue.severity.lower() }}">
<td>{{ issue.title }}</td>
<td>{{ issue.severity }}</td>
<td>{{ issue.category }}</td>
<td>{{ issue.region }}</td>
<td>{{ issue.resource }}</td>
</tr>
{% endfor %}
</table>
</div>
<div class="section">
<h2>Category Breakdown</h2>
<table>
<tr><th>Category</th><th>Total Checks</th><th>Failed Checks</th><th>Success Rate</th></tr>
{% for category, stats in analysis.category_breakdown.items() %}
<tr>
<td>{{ category }}</td>
<td>{{ stats.total }}</td>
<td>{{ stats.failed }}</td>
<td>{{ "%.1f"|format(((stats.total - stats.failed) / stats.total * 100) if stats.total > 0 else 0) }}%</td>
</tr>
{% endfor %}
</table>
</div>
<div class="section">
<h2>Regional Analysis</h2>
<table>
<tr><th>Region</th><th>Total Checks</th><th>Failed Checks</th><th>Success Rate</th></tr>
{% for region, stats in analysis.region_breakdown.items() %}
<tr>
<td>{{ region }}</td>
<td>{{ stats.total }}</td>
<td>{{ stats.failed }}</td>
<td>{{ "%.1f"|format(((stats.total - stats.failed) / stats.total * 100) if stats.total > 0 else 0) }}%</td>
</tr>
{% endfor %}
</table>
</div>
</body>
</html>
"""
template = Template(html_template)
html_content = template.render(
timestamp=self.timestamp,
analysis=analysis
)
with open(output_file, 'w') as f:
f.write(html_content)
print(f"HTML report generated: {output_file}")
return output_file
def generate_csv_report(self, scan_results, output_file):
"""Generate CSV report"""
with open(output_file, 'w', newline='') as csvfile:
fieldnames = ['title', 'status', 'severity', 'category', 'region', 'resource', 'message']
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
for result in scan_results:
writer.writerow({
'title': result.get('title', ''),
'status': result.get('status', ''),
'severity': result.get('severity', ''),
'category': result.get('category', ''),
'region': result.get('region', ''),
'resource': result.get('resource', ''),
'message': result.get('message', '')
})
print(f"CSV report generated: {output_file}")
return output_file
def generate_charts(self, analysis, output_dir):
"""Generate charts and visualizations"""
import os
os.makedirs(output_dir, exist_ok=True)
# Severity breakdown pie chart
plt.figure(figsize=(10, 6))
# Filter out zero values
severity_data = {k: v for k, v in analysis['severity_breakdown'].items() if v > 0}
if severity_data:
plt.subplot(1, 2, 1)
plt.pie(severity_data.values(), labels=severity_data.keys(), autopct='%1.1f%%')
plt.title('Findings by Severity')
# Pass/Fail breakdown
plt.subplot(1, 2, 2)
status_data = [analysis['passed_checks'], analysis['failed_checks']]
status_labels = ['Passed', 'Failed']
colors = ['#4CAF50', '#f44336']
plt.pie(status_data, labels=status_labels, colors=colors, autopct='%1.1f%%')
plt.title('Overall Compliance Status')
plt.tight_layout()
chart_file = f"{output_dir}/security_overview.png"
plt.savefig(chart_file)
plt.close()
print(f"Charts generated: {chart_file}")
return chart_file
def send_email_report(self, report_files, email_config):
"""Send report via email"""
msg = MIMEMultipart()
msg['From'] = email_config['from']
msg['To'] = ', '.join(email_config['to'])
msg['Subject'] = f"CloudSploit Security Report - {self.timestamp}"
body = f"""
CloudSploit Security Report
Generated on: {self.timestamp}
Please find the attached security scan reports for review.
Best regards,
CloudSploit Automation
"""
msg.attach(MIMEText(body, 'plain'))
# Attach report files
for report_file in report_files:
with open(report_file, 'rb') as attachment:
part = MIMEBase('application', 'octet-stream')
part.set_payload(attachment.read())
encoders.encode_base64(part)
part.add_header(
'Content-Disposition',
f'attachment; filename= {os.path.basename(report_file)}'
)
msg.attach(part)
# Send email
try:
server = smtplib.SMTP(email_config['smtp_server'], email_config['smtp_port'])
server.starttls()
server.login(email_config['username'], email_config['password'])
text = msg.as_string()
server.sendmail(email_config['from'], email_config['to'], text)
server.quit()
print("Email sent successfully")
except Exception as e:
print(f"Error sending email: {e}")
def main():
parser = argparse.ArgumentParser(description='CloudSploit Advanced Reporter')
parser.add_argument('scan_file', help='CloudSploit scan results JSON file')
parser.add_argument('--output-dir', default='reports', help='Output directory for reports')
parser.add_argument('--email-config', help='Email configuration file (JSON)')
parser.add_argument('--charts', action='store_true', help='Generate charts and visualizations')
args = parser.parse_args()
reporter = CloudSploitReporter()
# Load scan results
scan_results = reporter.load_scan_results(args.scan_file)
if not scan_results:
return
# Analyze results
analysis = reporter.analyze_results(scan_results)
# Create output directory
import os
os.makedirs(args.output_dir, exist_ok=True)
# Generate reports
report_files = []
# HTML report
html_file = f"{args.output_dir}/security_report_{reporter.timestamp}.html"
reporter.generate_html_report(analysis, scan_results, html_file)
report_files.append(html_file)
# CSV report
csv_file = f"{args.output_dir}/security_report_{reporter.timestamp}.csv"
reporter.generate_csv_report(scan_results, csv_file)
report_files.append(csv_file)
# Charts
if args.charts:
chart_file = reporter.generate_charts(analysis, args.output_dir)
report_files.append(chart_file)
# Send email if configuration provided
if args.email_config:
with open(args.email_config, 'r') as f:
email_config = json.load(f)
reporter.send_email_report(report_files, email_config)
print(f"Report generation completed. Files: {report_files}")
if __name__ == "__main__":
main()
Intégration et automatisation CI/CD
Intégration des actions GitHub
# .github/workflows/cloudsploit-security-scan.yml
name: CloudSploit Security Scan
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
# Run daily at 2 AM UTC
- cron: '0 2 * * *'
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
- name: Install CloudSploit
run: |
git clone https://github.com/aquasecurity/cloudsploit.git
cd cloudsploit
npm install
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Run CloudSploit scan
run: |
cd cloudsploit
node index.js --cloud aws --format json --output ../aws_scan_results.json
- name: Generate security report
run: |
python3 -m pip install jinja2 matplotlib pandas
python3 scripts/generate_report.py aws_scan_results.json --output-dir reports --charts
- name: Upload scan results
uses: actions/upload-artifact@v3
with:
name: security-scan-results
path: |
aws_scan_results.json
reports/
- name: Check for critical issues
run: |
python3 << 'EOF'
import json
import sys
with open('aws_scan_results.json', 'r') as f:
results = json.load(f)
critical_issues = [r for r in results if r.get('status') == 'FAIL' and r.get('severity') == 'CRITICAL']
if critical_issues:
print(f"Found {len(critical_issues)} critical security issues!")
for issue in critical_issues[:5]: # Show first 5
print(f"- {issue.get('title', 'Unknown')}: {issue.get('message', 'No message')}")
sys.exit(1)
else:
print("No critical security issues found.")
EOF
- name: Comment PR with results
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const results = JSON.parse(fs.readFileSync('aws_scan_results.json', 'utf8'));
const totalChecks = results.length;
const failedChecks = results.filter(r => r.status === 'FAIL').length;
const passedChecks = totalChecks - failedChecks;
const complianceScore = ((passedChecks / totalChecks) * 100).toFixed(1);
const criticalIssues = results.filter(r => r.status === 'FAIL' && r.severity === 'CRITICAL').length;
const highIssues = results.filter(r => r.status === 'FAIL' && r.severity === 'HIGH').length;
const comment = `## 🔒 CloudSploit Security Scan Results
**Compliance Score:** ${complianceScore}%
**Summary:**
- ✅ Passed: ${passedChecks}
- ❌ Failed: ${failedChecks}
- 🔴 Critical: ${criticalIssues}
- 🟠 High: ${highIssues}
${criticalIssues > 0 ? '⚠️ **Critical security issues found! Please review and remediate.**' : '✅ No critical security issues found.'}
[View detailed report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
});
Intégration GitLab CI
# .gitlab-ci.yml
stages:
- security-scan
- report
- notify
variables:
CLOUDSPLOIT_VERSION: "latest"
security-scan:
stage: security-scan
image: node:18
before_script:
- apt-get update && apt-get install -y python3 python3-pip
- git clone https://github.com/aquasecurity/cloudsploit.git
- cd cloudsploit && npm install
script:
- cd cloudsploit
- node index.js --cloud aws --format json --output ../aws_scan_results.json
- node index.js --cloud azure --format json --output ../azure_scan_results.json || true
- node index.js --cloud gcp --format json --output ../gcp_scan_results.json || true
artifacts:
reports:
junit: scan_results.xml
paths:
- "*_scan_results.json"
expire_in: 1 week
only:
- main
- develop
- merge_requests
generate-report:
stage: report
image: python:3.9
dependencies:
- security-scan
before_script:
- pip install jinja2 matplotlib pandas
script:
- python3 scripts/generate_report.py aws_scan_results.json --output-dir reports --charts
- python3 scripts/generate_compliance_report.py aws_scan_results.json --framework cis
artifacts:
paths:
- reports/
expire_in: 1 month
security-notification:
stage: notify
image: alpine:latest
dependencies:
- security-scan
before_script:
- apk add --no-cache curl jq
script:
- |
CRITICAL_COUNT=$(jq '[.[] | select(.status == "FAIL" and .severity == "CRITICAL")] | length' aws_scan_results.json)
HIGH_COUNT=$(jq '[.[] | select(.status == "FAIL" and .severity == "HIGH")] | length' aws_scan_results.json)
if [ "$CRITICAL_COUNT" -gt 0 ] || [ "$HIGH_COUNT" -gt 5 ]; then
curl -X POST -H 'Content-type: application/json' \
--data "{\"text\":\"🚨 Security Alert: $CRITICAL_COUNT critical and $HIGH_COUNT high severity issues found in $CI_PROJECT_NAME\"}" \
$SLACK_WEBHOOK_URL
fi
only:
- main
Jenkins Pipeline
// Jenkinsfile
pipeline {
agent any
parameters {
choice(
name: 'CLOUD_PROVIDER',
choices: ['aws', 'azure', 'gcp', 'all'],
description: 'Cloud provider to scan'
)
booleanParam(
name: 'GENERATE_CHARTS',
defaultValue: true,
description: 'Generate charts and visualizations'
)
}
environment {
CLOUDSPLOIT_DIR = 'cloudsploit'
REPORTS_DIR = 'reports'
TIMESTAMP = sh(script: 'date +%Y%m%d_%H%M%S', returnStdout: true).trim()
}
stages {
stage('Setup') {
steps {
script {
// Clean workspace
deleteDir()
// Clone CloudSploit
sh '''
git clone https://github.com/aquasecurity/cloudsploit.git
cd cloudsploit
npm install
'''
}
}
}
stage('Security Scan') {
parallel {
stage('AWS Scan') {
when {
anyOf {
params.CLOUD_PROVIDER == 'aws'
params.CLOUD_PROVIDER == 'all'
}
}
steps {
withCredentials([
[$class: 'AmazonWebServicesCredentialsBinding',
credentialsId: 'aws-credentials']
]) {
sh '''
cd cloudsploit
node index.js --cloud aws --format json --output ../aws_scan_${TIMESTAMP}.json
'''
}
}
}
stage('Azure Scan') {
when {
anyOf {
params.CLOUD_PROVIDER == 'azure'
params.CLOUD_PROVIDER == 'all'
}
}
steps {
withCredentials([
azureServicePrincipal('azure-credentials')
]) {
sh '''
cd cloudsploit
node index.js --cloud azure --format json --output ../azure_scan_${TIMESTAMP}.json
'''
}
}
}
stage('GCP Scan') {
when {
anyOf {
params.CLOUD_PROVIDER == 'gcp'
params.CLOUD_PROVIDER == 'all'
}
}
steps {
withCredentials([
file(credentialsId: 'gcp-service-account', variable: 'GOOGLE_APPLICATION_CREDENTIALS')
]) {
sh '''
cd cloudsploit
node index.js --cloud gcp --format json --output ../gcp_scan_${TIMESTAMP}.json
'''
}
}
}
}
}
stage('Generate Reports') {
steps {
script {
sh '''
mkdir -p ${REPORTS_DIR}
# Install Python dependencies
pip3 install jinja2 matplotlib pandas
# Generate reports for each scan result
for scan_file in *_scan_${TIMESTAMP}.json; do
if [ -f "$scan_file" ]; then
echo "Generating report for $scan_file"
python3 scripts/generate_report.py "$scan_file" \
--output-dir "${REPORTS_DIR}" \
${params.GENERATE_CHARTS ? '--charts' : ''}
fi
done
# Generate compliance reports
for scan_file in *_scan_${TIMESTAMP}.json; do
if [ -f "$scan_file" ]; then
python3 scripts/generate_compliance_report.py "$scan_file" \
--framework cis \
--output-dir "${REPORTS_DIR}"
fi
done
'''
}
}
}
stage('Security Gate') {
steps {
script {
def criticalIssues = 0
def highIssues = 0
// Check each scan result for critical issues
sh '''
for scan_file in *_scan_${TIMESTAMP}.json; do
if [ -f "$scan_file" ]; then
critical=$(jq '[.[] | select(.status == "FAIL" and .severity == "CRITICAL")] | length' "$scan_file")
high=$(jq '[.[] | select(.status == "FAIL" and .severity == "HIGH")] | length' "$scan_file")
echo "File: $scan_file - Critical: $critical, High: $high"
# Fail build if critical issues found
if [ "$critical" -gt 0 ]; then
echo "CRITICAL SECURITY ISSUES FOUND!"
exit 1
fi
# Warn if too many high issues
if [ "$high" -gt 10 ]; then
echo "WARNING: High number of high-severity issues found!"
fi
fi
done
'''
}
}
}
stage('Archive Results') {
steps {
archiveArtifacts artifacts: '*_scan_*.json, reports/**/*', fingerprint: true
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: '*.html',
reportName: 'CloudSploit Security Report'
])
}
}
stage('Notify') {
steps {
script {
// Send Slack notification
def scanResults = readJSON file: "aws_scan_${env.TIMESTAMP}.json"
def totalChecks = scanResults.size()
def failedChecks = scanResults.count { it.status == 'FAIL' }
def complianceScore = ((totalChecks - failedChecks) / totalChecks * 100).round(1)
slackSend(
channel: '#security',
color: complianceScore > 90 ? 'good' : complianceScore > 70 ? 'warning' : 'danger',
message: """
CloudSploit Security Scan Completed
Project: ${env.JOB_NAME}
Build: ${env.BUILD_NUMBER}
Compliance Score: ${complianceScore}%
Failed Checks: ${failedChecks}/${totalChecks}
Report: ${env.BUILD_URL}CloudSploit_Security_Report/
""".trim()
)
}
}
}
}
post {
always {
cleanWs()
}
failure {
emailext(
subject: "CloudSploit Security Scan Failed - ${env.JOB_NAME} #${env.BUILD_NUMBER}",
body: """
The CloudSploit security scan has failed.
Project: ${env.JOB_NAME}
Build Number: ${env.BUILD_NUMBER}
Build URL: ${env.BUILD_URL}
Please check the build logs for more details.
""",
to: "${env.CHANGE_AUTHOR_EMAIL ?: 'security-team@company.com'}"
)
}
}
}
Optimisation des performances et dépannage
Optimisation des performances
#!/bin/bash
# CloudSploit performance optimization
optimize_cloudsploit_performance() {
echo "Optimizing CloudSploit performance..."
# 1. Node.js optimization
export NODE_OPTIONS="--max-old-space-size=4096"
export UV_THREADPOOL_SIZE=128
# 2. Create optimized configuration
cat > config/performance.js << 'EOF'
module.exports = {
// Performance settings
settings: {
// Increase timeout for slow APIs
timeout: 120000,
// Increase parallelism
parallelism: 20,
// Retry configuration
retries: 3,
retryDelay: 2000,
// Memory optimization
maxMemoryUsage: '4GB',
// Cache settings
enableCache: true,
cacheTimeout: 300000
},
// Region optimization
regions: {
aws: [
'us-east-1', 'us-west-2', 'eu-west-1' // Limit to essential regions
],
azure: [
'eastus', 'westus2', 'westeurope'
],
gcp: [
'us-central1', 'us-west1', 'europe-west1'
]
},
// Plugin optimization
plugins: {
// Disable slow or unnecessary plugins
disabled: [
'cloudtrail/cloudtrailFileValidation', // Slow plugin
'ec2/classicInstances', // Legacy check
's3/bucketDnsCompliantName' // Non-critical
],
// Plugin-specific timeouts
timeouts: {
'iam/accessKeys': 60000,
'ec2/instances': 120000,
's3/buckets': 90000
}
}
};
EOF
# 3. Create performance monitoring script
cat > monitor_performance.sh << 'EOF'
#!/bin/bash
# Monitor CloudSploit performance
SCAN_START=$(date +%s)
MEMORY_LOG="memory_usage.log"
CPU_LOG="cpu_usage.log"
# Start monitoring in background
monitor_resources() {
while true; do
# Memory usage
ps aux | grep "node.*index.js" | grep -v grep | awk '{print $6}' >> "$MEMORY_LOG"
# CPU usage
ps aux | grep "node.*index.js" | grep -v grep | awk '{print $3}' >> "$CPU_LOG"
sleep 5
done
}
# Start monitoring
monitor_resources &
MONITOR_PID=$!
# Run CloudSploit scan
node index.js --cloud aws --config config/performance.js --format json --output performance_scan.json
# Stop monitoring
kill $MONITOR_PID
SCAN_END=$(date +%s)
SCAN_DURATION=$((SCAN_END - SCAN_START))
echo "Scan completed in $SCAN_DURATION seconds"
# Analyze performance
python3 << 'PYTHON'
import matplotlib.pyplot as plt
import numpy as np
# Read memory usage
try:
with open('memory_usage.log', 'r') as f:
memory_data = [int(line.strip()) for line in f if line.strip()]
# Convert to MB
memory_mb = [m / 1024 for m in memory_data]
# Read CPU usage
with open('cpu_usage.log', 'r') as f:
cpu_data = [float(line.strip()) for line in f if line.strip()]
# Create performance charts
fig, (ax1, ax2) = plt.subplots(2, 1, figsize=(12, 8))
# Memory usage chart
ax1.plot(memory_mb)
ax1.set_title('Memory Usage During Scan')
ax1.set_ylabel('Memory (MB)')
ax1.grid(True)
# CPU usage chart
ax2.plot(cpu_data)
ax2.set_title('CPU Usage During Scan')
ax2.set_ylabel('CPU (%)')
ax2.set_xlabel('Time (5-second intervals)')
ax2.grid(True)
plt.tight_layout()
plt.savefig('performance_analysis.png')
# Print statistics
print(f"Average Memory Usage: {np.mean(memory_mb):.1f} MB")
print(f"Peak Memory Usage: {np.max(memory_mb):.1f} MB")
print(f"Average CPU Usage: {np.mean(cpu_data):.1f}%")
print(f"Peak CPU Usage: {np.max(cpu_data):.1f}%")
except Exception as e:
print(f"Error analyzing performance: {e}")
PYTHON
# Cleanup
rm -f memory_usage.log cpu_usage.log
EOF
chmod +x monitor_performance.sh
echo "Performance optimization setup complete"
}
# Memory optimization
optimize_memory_usage() {
echo "Optimizing memory usage..."
# Create memory-optimized scanning script
cat > memory_optimized_scan.sh << 'EOF'
#!/bin/bash
# Memory-optimized CloudSploit scanning
# Set memory limits
export NODE_OPTIONS="--max-old-space-size=2048 --optimize-for-size"
# Scan in batches to reduce memory usage
REGIONS=("us-east-1" "us-west-2" "eu-west-1" "ap-southeast-1")
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
OUTPUT_DIR="scans_$TIMESTAMP"
mkdir -p "$OUTPUT_DIR"
echo "Starting memory-optimized scanning..."
for region in "${REGIONS[@]}"; do
echo "Scanning region: $region"
# Scan single region to limit memory usage
node index.js \
--cloud aws \
--region "$region" \
--format json \
--output "$OUTPUT_DIR/aws_${region}_scan.json"
# Small delay to allow garbage collection
sleep 10
done
# Combine results
echo "Combining scan results..."
python3 << 'PYTHON'
import json
import glob
import os
combined_results = []
for scan_file in glob.glob(f"$OUTPUT_DIR/aws_*_scan.json"):
try:
with open(scan_file, 'r') as f:
data = json.load(f)
combined_results.extend(data)
except Exception as e:
print(f"Error reading {scan_file}: {e}")
# Save combined results
with open(f"$OUTPUT_DIR/aws_combined_scan.json", 'w') as f:
json.dump(combined_results, f, indent=2)
print(f"Combined {len(combined_results)} results")
PYTHON
echo "Memory-optimized scan completed. Results in: $OUTPUT_DIR"
EOF
chmod +x memory_optimized_scan.sh
echo "Memory optimization complete"
}
# Run optimizations
optimize_cloudsploit_performance
optimize_memory_usage
Guide de dépannage
#!/bin/bash
# CloudSploit troubleshooting guide
troubleshoot_cloudsploit() {
echo "CloudSploit Troubleshooting Guide"
echo "================================="
# Check Node.js installation
if ! command -v node &> /dev/null; then
echo "❌ Node.js not found"
echo "Solution: Install Node.js 14 or later"
echo " curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -"
echo " sudo apt-get install -y nodejs"
return 1
fi
node_version=$(node --version | sed 's/v//')
echo "✅ Node.js found: v$node_version"
# Check npm installation
if ! command -v npm &> /dev/null; then
echo "❌ npm not found"
echo "Solution: Install npm"
echo " sudo apt-get install -y npm"
return 1
fi
echo "✅ npm found: $(npm --version)"
# Check CloudSploit installation
if [ ! -f "index.js" ]; then
echo "❌ CloudSploit not found in current directory"
echo "Solution: Clone CloudSploit repository"
echo " git clone https://github.com/aquasecurity/cloudsploit.git"
echo " cd cloudsploit && npm install"
return 1
fi
echo "✅ CloudSploit found"
# Check dependencies
if [ ! -d "node_modules" ]; then
echo "⚠️ Dependencies not installed"
echo "Solution: Install dependencies"
echo " npm install"
else
echo "✅ Dependencies installed"
fi
# Check cloud credentials
echo ""
echo "Checking cloud credentials..."
# AWS credentials
if aws sts get-caller-identity > /dev/null 2>&1; then
echo "✅ AWS credentials configured"
else
echo "⚠️ AWS credentials not configured or invalid"
echo "Solution: Configure AWS credentials"
echo " aws configure"
echo " or set environment variables:"
echo " export AWS_ACCESS_KEY_ID=your-key"
echo " export AWS_SECRET_ACCESS_KEY=your-secret"
fi
# Azure credentials
if az account show > /dev/null 2>&1; then
echo "✅ Azure credentials configured"
else
echo "⚠️ Azure credentials not configured"
echo "Solution: Login to Azure"
echo " az login"
fi
# GCP credentials
if gcloud auth list --filter=status:ACTIVE --format="value(account)" | head -n1 > /dev/null 2>&1; then
echo "✅ GCP credentials configured"
else
echo "⚠️ GCP credentials not configured"
echo "Solution: Authenticate with GCP"
echo " gcloud auth login"
echo " or set service account key:"
echo " export GOOGLE_APPLICATION_CREDENTIALS=path/to/key.json"
fi
# Test basic functionality
echo ""
echo "Testing basic functionality..."
if node index.js --help > /dev/null 2>&1; then
echo "✅ CloudSploit help command works"
else
echo "❌ CloudSploit help command failed"
echo "Solution: Check Node.js version and dependencies"
fi
# Check system resources
echo ""
echo "Checking system resources..."
available_memory=$(free -m | awk 'NR==2{printf "%.1f", $7/1024}')
if (( $(echo "$available_memory < 1.0" | bc -l) )); then
echo "⚠️ Low available memory: ${available_memory}GB"
echo "Recommendation: Ensure at least 2GB available memory for large scans"
else
echo "✅ Available memory: ${available_memory}GB"
fi
# Check disk space
disk_usage=$(df . | tail -1 | awk '{print $5}' | sed 's/%//')
if [ "$disk_usage" -gt 90 ]; then
echo "⚠️ High disk usage: ${disk_usage}%"
echo "Solution: Free up disk space"
else
echo "✅ Disk usage: ${disk_usage}%"
fi
echo ""
echo "Troubleshooting completed"
}
# Common error solutions
fix_common_errors() {
echo "Common CloudSploit Errors and Solutions"
echo "======================================"
cat << 'EOF'
1. "Error: Cannot find module 'xyz'"
Solution:
- Run: npm install
- If still failing: rm -rf node_modules && npm install
2. "AWS credentials not configured"
Solution:
- Run: aws configure
- Or set environment variables:
export AWS_ACCESS_KEY_ID=your-key
export AWS_SECRET_ACCESS_KEY=your-secret
3. "Request timeout" or "Connection timeout"
Solution:
- Increase timeout in configuration
- Check internet connectivity
- Reduce parallelism: --parallel 5
4. "Memory allocation failed" or "Out of memory"
Solution:
- Increase Node.js memory: export NODE_OPTIONS="--max-old-space-size=4096"
- Scan fewer regions at once
- Use memory-optimized scanning script
5. "Permission denied" errors
Solution:
- Check IAM permissions for AWS
- Ensure service principal has required roles for Azure
- Verify service account permissions for GCP
6. "Plugin not found" or "Plugin failed"
Solution:
- Check plugin name spelling
- Update CloudSploit: git pull && npm install
- Disable problematic plugins: --ignore-plugins plugin-name
7. "JSON parse error" in output
Solution:
- Check for mixed output formats
- Ensure clean JSON output: --format json
- Redirect stderr: 2>/dev/null
8. "Rate limiting" or "API throttling"
Solution:
- Reduce parallelism: --parallel 5
- Add delays between API calls
- Use multiple API keys/accounts
9. "SSL/TLS certificate errors"
Solution:
- Update Node.js and npm
- Set NODE_TLS_REJECT_UNAUTHORIZED=0 (not recommended for production)
- Update system certificates
10. "Scan takes too long" or "Hangs"
Solution:
- Use region filtering: --region us-east-1
- Disable slow plugins
- Monitor with timeout: timeout 1800 node index.js ...
EOF
}
# Performance diagnostics
diagnose_performance() {
echo "Diagnosing CloudSploit Performance"
echo "=================================="
# Test scan performance
echo "Running performance test..."
start_time=$(date +%s.%N)
# Run a simple scan
timeout 60 node index.js --cloud aws --region us-east-1 --plugins iam/rootAccessKeys --format json > /dev/null 2>&1
exit_code=$?
end_time=$(date +%s.%N)
duration=$(echo "$end_time - $start_time" | bc)
if [ $exit_code -eq 0 ]; then
echo "✅ Performance test completed in ${duration}s"
elif [ $exit_code -eq 124 ]; then
echo "⚠️ Performance test timed out (>60s)"
echo "Recommendation: Check network connectivity and API performance"
else
echo "❌ Performance test failed"
echo "Recommendation: Check configuration and credentials"
fi
# Check Node.js performance
node_memory=$(node -e "console.log(process.memoryUsage().heapUsed / 1024 / 1024)")
echo "Node.js memory usage: ${node_memory}MB"
# System load
load_avg=$(uptime | awk -F'load average:' '{print $2}' | awk '{print $1}' | sed 's/,//')
echo "System load average: $load_avg"
# Recommendations
echo ""
echo "Performance Recommendations:"
echo "- Use region filtering for faster scans"
echo "- Disable unnecessary plugins"
echo "- Increase Node.js memory for large environments"
echo "- Use SSD storage for better I/O performance"
echo "- Monitor API rate limits"
}
# Main troubleshooting function
main() {
troubleshoot_cloudsploit
echo ""
fix_common_errors
echo ""
diagnose_performance
}
# Run troubleshooting
main
Ressources et documentation
Ressources officielles
- Résumé de CloudSploy GitHub - Code source et documentation
- [Documentation de sécurité Aqua] (LINK_12) - Documentation officielle de sécurité Aqua
- [Documentation du plugin CloudSploy] (LINK_12) - Référence du plugin
- [CloudSploy Wiki] (LINK_12) - Documentation communautaire
Ressources communautaires
- Problèmes de déploiement de nuages - Rapports de bogues et demandes de fonctionnalités
- Aqua Security Community - Forums et ressources communautaires
- Cloud Security Alliance - Meilleures pratiques en matière de sécurité dans le cloud
- OWASP Cloud Security - Lignes directrices sur la sécurité dans le cloud
Exemples d'intégration
- [Exemples d'intégration IC/CD] (LINK_12) - Exemples officiels d'intégration
- [Intégration Terraform] (LINK_12) - Fournisseur Terraform pour Aqua Security
- Intégration Kubernetes - Numérisation de sécurité Kubernetes
- [Intégration Docker] (LINK_12) - Numérisation de la sécurité du conteneur