Merge pull request #1 from DFE-Digital/auto-generate-common-assets-azure

Auto generate common assets azure

.github/workflows/build-and-push-docker-image.yaml

@@ -0,0 +1,47 @@
+name: Extend, build and push docker image
+
+on:
+  push:
+    branches: 
+      - 'main'
+    paths: 
+      - 'Dockerfile'
+      - '.github/workflows/build-and-push-docker-image.yaml'
+      - '*.py'
+      - 'yaml-templates/*'
+  schedule:
+    - cron: '0 8 * * *'
+  workflow_call:
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Docker login
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/dfe-digital/automated-threat-models
+
+      - name: Build and push image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -1 +1,7 @@
-.DS_Store
+.DS_Store
+*.backup
+*.json
+venv/
+__pycache__/
+threagile-pre-risks.yaml
+*~$risks.xlsx

Dockerfile

@@ -0,0 +1,29 @@
+FROM threagile/threagile
+
+USER root
+
+WORKDIR /app
+
+RUN mkdir /app/yaml-templates && chown 1000:1000 /app/yaml-templates
+
+COPY --chown=1000:1000 build_data_assets.py /app/
+COPY --chown=1000:1000 build_tech_assets.py /app/
+COPY --chown=1000:1000 dfe_threagile.py /app/
+COPY --chown=1000:1000 produce_risk_tracker.py /app/
+COPY --chown=1000:1000 yaml-templates/data_assets_template.yaml /app/yaml-templates
+COPY --chown=1000:1000 yaml-templates/technical_asset_template.yaml /app/yaml-templates
+COPY --chown=1000:1000 yaml-templates/threagile-example-model-template.yaml /app/yaml-templates
+COPY --chown=1000:1000 yaml-templates/risks_template.yaml /app/yaml-templates
+
+COPY --chown=1000:1000 test-data.json /app/
+
+ENV PYTHONUNBUFFERED=1
+RUN apk add --update --no-cache python3 && ln -sf python3 /usr/bin/python
+
+RUN python3 -m ensurepip
+
+RUN pip3 install --no-cache --upgrade pip setuptools
+
+RUN pip3 install jinja2
+
+USER 1000:1000

README.md

@@ -24,14 +24,34 @@ This method:
 
 ## Getting started with an initial threat model YAML
 
-### Pre-requisites
+### Pre-requisites (local)
 
-Before getting started, you will need to install:
+Before getting started, you will need to:
 
-* docker
-* python (optional - but will help in producing the mitigation plan risk tracker after your initial threat model has been created)
+* install docker
+* [pull the container image from GitHub Packages](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry) by:
+    * creating a personal access token with `read:packages` permission scoped to the DfE-Digital org
+    * setting your PAT token as an enviornment variable: `export CR_PAT=YOUR_TOKEN`
+    * logging in with docker: `echo $CR_PAT | docker login ghcr.io -u USERNAME --password-stdin`
+    * pulling the image: `docker pull ghcr.io dfe-digital/automated-threat-models`
+* data from Splunk regarding your Azure resources including: name, kind, type (s1XXX-functionX, functionapp, microsoft.web/sites) **note that this is to be automated in the next iteration**
 
-### Create a stub model and example model
+### Automated threat models (DfE)
+
+This project's main purpose is to enable DfE to run continuous automated threat models, which data can be ingested by the continuous assurance platform.
+
+The automated threat models will be kept in the [continuous assurance private repo](https://github.com/DFE-Digital/service-security-posture-hardening-private), which will query this project.
+
+The automation is based on dfe-threagile being able to read data regarding Azure resources in Splunk.
+
+Basic usage: 
+
+##### Run DfE automation
+```shell
+$ docker run --rm -it -v "$(pwd)":/app/work --entrypoint python dfe-digital/automated-threat-models dfe_threagile.py
+```
+
+### Create a stub model and example model (manual)
 
 It's advisable to create a stub and example model from threagile to give you a framework YAML file to work with and a thorough example with hints you can copy.
 

build_data_assets.py

@@ -0,0 +1,243 @@
+from jinja2 import Template
+
+
+def build_teacher_pii_data_asset() -> tuple:
+    data_asset_dict = {
+        "name": "teacher-pii",
+        "description": "Teachers personal information.",
+        "usage": "business",
+        "tags_list": ["teacher-pii", "database", "azure", "sensitive", "pii"],
+        "origin": "customer",
+        "owner": "DfE",
+        "quantity": "many",
+        "confidentiality": "confidential",
+        "integrity": "critical",
+        "availability": "operational",
+        "justification": "Teacher data might contain personally identifiable information (PII). The integrity and availability of teacher data is required for functioning of the service.",
+    }
+    template_file = open("yaml-templates/data_assets_template.yaml")
+    template_str = template_file.read()
+    data_asset_template = Template(template_str)
+    data_asset_yaml = data_asset_template.render(data_asset_dict)
+
+    teacher_pii_tags = data_asset_dict["tags_list"]
+
+    return data_asset_yaml, teacher_pii_tags
+
+
+def build_student_pii_data_asset() -> tuple:
+    data_asset_dict = {
+        "name": "student-pii",
+        "description": "Students personal information.",
+        "usage": "business",
+        "tags_list": ["student-pii", "database", "azure", "sensitive", "pii"],
+        "origin": "customer",
+        "owner": "DfE",
+        "quantity": "many",
+        "confidentiality": "confidential",
+        "integrity": "critical",
+        "availability": "operational",
+        "justification": "Student data might contain personally identifiable information (PII). The integrity and availability of student data is required for functioning of the service.",
+    }
+    template_file = open("yaml-templates/data_assets_template.yaml")
+    template_str = template_file.read()
+    data_asset_template = Template(template_str)
+    data_asset_yaml = data_asset_template.render(data_asset_dict)
+
+    student_pii_tags = data_asset_dict["tags_list"]
+
+    return data_asset_yaml, student_pii_tags
+
+
+def build_client_app_data_asset() -> tuple:
+    data_asset_dict = {
+        "name": "client-application-code",
+        "description": "Client application code such as JavaScript and HTML.",
+        "usage": "devops",
+        "tags_list": [
+            "client-application-code",
+            "github",
+            "git",
+            "code",
+            "html",
+            "javascript",
+        ],
+        "origin": "DfE",
+        "owner": "DfE",
+        "quantity": "very-few",
+        "confidentiality": "public",
+        "integrity": "critical",
+        "availability": "important",
+        "justification": "The integrity of the application code is critical to avoid reputational damage and the availability is important on the long-term scale (but not critical) to ensure users are able to access the service.",
+    }
+    template_file = open("yaml-templates/data_assets_template.yaml")
+    template_str = template_file.read()
+    data_asset_template = Template(template_str)
+    data_asset_yaml = data_asset_template.render(data_asset_dict)
+
+    client_app_tags = data_asset_dict["tags_list"]
+
+    return data_asset_yaml, client_app_tags
+
+
+def build_server_app_data_asset() -> tuple:
+    data_asset_dict = {
+        "name": "server-application-code",
+        "description": "Server application code such as JavaScript and HTML.",
+        "usage": "devops",
+        "tags_list": ["server-application-code", "github", "git", "code", "ruby"],
+        "origin": "DfE",
+        "owner": "DfE",
+        "quantity": "very-few",
+        "confidentiality": "public",
+        "integrity": "mission-critical",
+        "availability": "important",
+        "justification": "The integrity of the API code is critical to avoid reputational damage and the availability is important on the long-term scale (but not critical) to ensure users are able to access the service.",
+    }
+    template_file = open("yaml-templates/data_assets_template.yaml")
+    template_str = template_file.read()
+    data_asset_template = Template(template_str)
+    data_asset_yaml = data_asset_template.render(data_asset_dict)
+
+    server_app_tags = data_asset_dict["tags_list"]
+
+    return data_asset_yaml, server_app_tags
+
+
+def build_vulnerable_children_data_asset() -> tuple:
+    data_asset_dict = {
+        "name": "vulnerable-children-data",
+        "description": "Names, addresses and sensitive details of vulnerable children.",
+        "usage": "business",
+        "tags_list": [
+            "vulnerable-children-data",
+            "database",
+            "azure",
+            "sensitive",
+            "pii",
+        ],
+        "origin": "Customer",
+        "owner": "DfE",
+        "quantity": "many",
+        "confidentiality": "strictly-confidential",
+        "integrity": "mission-critical",
+        "availability": "critical",
+        "justification": "The data of vulnerable children is strictly confidential, and would cause serious harm if made public.",
+    }
+    template_file = open("yaml-templates/data_assets_template.yaml")
+    template_str = template_file.read()
+    data_asset_template = Template(template_str)
+    data_asset_yaml = data_asset_template.render(data_asset_dict)
+
+    vulnerable_children_data_tags = data_asset_dict["tags_list"]
+
+    return data_asset_yaml, vulnerable_children_data_tags
+
+
+def build_job_information_data_asset() -> tuple:
+    data_asset_dict = {
+        "name": "job-information",
+        "description": "Names, addresses and sensitive details of vulnerable children.",
+        "usage": "business",
+        "tags_list": ["job-information", "database", "azure", "public"],
+        "origin": "DfE",
+        "owner": "DfE",
+        "quantity": "many",
+        "confidentiality": "public",
+        "integrity": "important",
+        "availability": "operational",
+        "justification": "Job information is important but is public information in it's nature.",
+    }
+    template_file = open("yaml-templates/data_assets_template.yaml")
+    template_str = template_file.read()
+    data_asset_template = Template(template_str)
+    data_asset_yaml = data_asset_template.render(data_asset_dict)
+
+    job_info_tags = data_asset_dict["tags_list"]
+
+    return data_asset_yaml, job_info_tags
+
+
+def build_school_data_asset() -> tuple:
+    data_asset_dict = {
+        "name": "school-data",
+        "description": "School data, insights, statistics, and records.",
+        "usage": "business",
+        "tags_list": ["school-data", "database", "azure", "internal"],
+        "origin": "Schools",
+        "owner": "DfE",
+        "quantity": "very-many",
+        "confidentiality": "internal",
+        "integrity": "critical",
+        "availability": "operational",
+        "justification": "School data is collected to provide useful insights in how schools are doing from a social, financial and academic point of view, but most of this information is either already public or can be made available on request.",
+    }
+    template_file = open("yaml-templates/data_assets_template.yaml")
+    template_str = template_file.read()
+    data_asset_template = Template(template_str)
+    data_asset_yaml = data_asset_template.render(data_asset_dict)
+
+    school_data_tags = data_asset_dict["tags_list"]
+
+    return data_asset_yaml, school_data_tags
+
+
+def build_payment_details_asset() -> tuple:
+    data_asset_dict = {
+        "name": "payment-details",
+        "description": "Payment details to receive or send money to/from users.",
+        "usage": "business",
+        "tags_list": [
+            "payment-details",
+            "database",
+            "azure",
+            "sensitive",
+            "pci",
+            "bank-account-details",
+        ],
+        "origin": "Customer",
+        "owner": "DfE",
+        "quantity": "many",
+        "confidentiality": "strictly-confidential",
+        "integrity": "critical",
+        "availability": "important",
+        "justification": "Payment details could be PCI or bank account details, either to take payments or to send money to/from the customer.",
+    }
+    template_file = open("yaml-templates/data_assets_template.yaml")
+    template_str = template_file.read()
+    data_asset_template = Template(template_str)
+    data_asset_yaml = data_asset_template.render(data_asset_dict)
+
+    teacher_pii_tags = data_asset_dict["tags_list"]
+
+    return data_asset_yaml, teacher_pii_tags
+
+
+def build_secrets_asset() -> tuple:
+    data_asset_dict = {
+        "name": "secrets-and-api-keys",
+        "description": "Payment details to receive or send money to/from users.",
+        "usage": "business",
+        "tags_list": [
+            "secrets-and-api-keys",
+            "keyvault",
+            "azure",
+            "sensitive",
+            "azure-key-vault",
+        ],
+        "origin": "DfE",
+        "owner": "DfE",
+        "quantity": "many",
+        "confidentiality": "strictly-confidential",
+        "integrity": "critical",
+        "availability": "operational",
+        "justification": "Secrets and API keys are critical and would result in serious breach and reputational damage if found.",
+    }
+    template_file = open("yaml-templates/data_assets_template.yaml")
+    template_str = template_file.read()
+    data_asset_template = Template(template_str)
+    data_asset_yaml = data_asset_template.render(data_asset_dict)
+
+    teacher_pii_tags = data_asset_dict["tags_list"]
+
+    return data_asset_yaml, teacher_pii_tags