feat(security): add CloudWatch logging and VPC flow log rules, expand…#10

Merged
oguarni merged 1 commit into master from cloud-rules-7d-ml on Mar 9, 2026
Conversation

Owner

@oguarni oguarni commented Mar 9, 2026

… ML to 7D

  • Add check_missing_logging(): flags HIGH when infrastructure resources exist with no aws_cloudtrail or aws_cloudwatch_log_group present
  • Add check_missing_vpc_flow_logs(): flags MEDIUM when aws_vpc exists without a corresponding aws_flow_log resource
  • Wire both new checks into SecurityRuleEngine.analyze() with severity override support via settings.severity_overrides Dict[str, str]
  • Add severity_overrides field to Settings (default empty, no breaking change)
  • Expand ML feature vector from 5D to 7D (missing_logging, missing_flow_logs)
  • Update _validate_features bounds, _format_features names, empty-vector default in IntelligentSecurityScanner._extract_features()
  • Expand ml_model._train_baseline_model() baseline patterns, noise generation, edge cases, and feature_ranges metadata to 7 columns
  • Delete stale 5D model artifacts and retrain fresh 7D baseline
  • Update test_files/vulnerable.tf: add aws_vpc without flow logs (fires both rules)
  • Update test_files/secure.tf: add aws_vpc + aws_flow_log + aws_cloudtrail + aws_cloudwatch_log_group (no new rules fire)
  • Update test_files/mixed.tf: add aws_vpc + aws_cloudtrail without aws_flow_log (only missing_vpc_flow_logs fires)
  • New tests/test_security_rules_logging.py: 12 focused unit tests covering check_missing_logging, check_missing_vpc_flow_logs, severity overrides, and boundary/empty cases
  • Update test_security_scanner.py: fix 4 pre-existing rule engine tests to filter by message keyword (not brittle total count), update feature extraction assertion from 5D to 7D, fix format_features expected dict, update all ml_predictor test inputs to 7D arrays
  • All 318 tests pass, flake8 clean

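The two rules and the severity-override path described in the PR above, as an added example (not TerraSafe's own code): it takes a simplified list of Terraform resource types, applies check_missing_logging and check_missing_vpc_flow_logs, and lets settings.severity_overrides re-grade a finding by rule name. The resource-list input, the Finding shape, the INFRA_TYPES set and the three fixtures are assumptions constructed here to mirror the PR's test files.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the PR does not list which resource types count as
# "infrastructure", so this set is illustrative.
INFRA_TYPES = {"aws_instance", "aws_vpc", "aws_s3_bucket", "aws_db_instance",
               "aws_security_group", "aws_ebs_volume"}
LOGGING_TYPES = {"aws_cloudtrail", "aws_cloudwatch_log_group"}
VALID_SEVERITIES = {"LOW", "MEDIUM", "HIGH", "CRITICAL"}


@dataclass
class Finding:
    rule: str
    severity: str
    message: str


@dataclass
class Settings:
    # Mirrors the PR: empty by default, keyed by rule name -> severity.
    severity_overrides: Dict[str, str] = field(default_factory=dict)


def check_missing_logging(resource_types: List[str]) -> Optional[Finding]:
    """HIGH when infrastructure exists but no CloudTrail / CloudWatch log group."""
    types = set(resource_types)
    if types & INFRA_TYPES and not types & LOGGING_TYPES:
        return Finding("missing_logging", "HIGH",
                       "Missing logging - no CloudTrail or CloudWatch log group detected")
    return None


def check_missing_vpc_flow_logs(resource_types: List[str]) -> Optional[Finding]:
    """MEDIUM when an aws_vpc is declared without any aws_flow_log."""
    types = set(resource_types)
    if "aws_vpc" in types and "aws_flow_log" not in types:
        return Finding("missing_vpc_flow_logs", "MEDIUM",
                       "Missing VPC flow logs - aws_vpc present but no aws_flow_log detected")
    return None


def analyze(resource_types: List[str], settings: Optional[Settings] = None) -> List[Finding]:
    """Run both checks; apply overrides only when they name a known severity."""
    settings = settings or Settings()
    findings = []
    for check in (check_missing_logging, check_missing_vpc_flow_logs):
        finding = check(resource_types)
        if finding is None:
            continue
        override = settings.severity_overrides.get(finding.rule, "").upper()
        if override in VALID_SEVERITIES:
            finding.severity = override
        findings.append(finding)
    return findings


# Constructed fixtures mirroring vulnerable.tf, secure.tf and mixed.tf.
VULNERABLE = ["aws_security_group", "aws_db_instance", "aws_vpc"]
SECURE = ["aws_vpc", "aws_flow_log", "aws_cloudtrail", "aws_cloudwatch_log_group"]
MIXED = ["aws_vpc", "aws_cloudtrail"]
```

An override with an unrecognised severity string is ignored rather than propagated, so a typo in settings cannot silently downgrade or blank a finding.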
@github-actions

github-actions bot commented Mar 9, 2026

TerraSafe Security Scan Results

Threshold: 70 | Status: ❌ FAILED

File                      Score  Vulnerabilities  Status
test_files/secure.tf         18                0  PASS
test_files/mixed.tf          37                3  PASS
test_files/vulnerable.tf     81                8  FAIL

Summary: 1/3 files exceed threshold (max score: 81)

Details for test_files/mixed.tf (score: 37)
  • MEDIUM: [MEDIUM] HTTP/HTTPS port 80 open to internet
  • MEDIUM: [MEDIUM] S3 bucket with partial public access
  • MEDIUM: [MEDIUM] Missing VPC flow logs - aws_vpc present but no aws_flow_log detected
Details for test_files/vulnerable.tf (score: 81)
  • CRITICAL: [CRITICAL] Open security group - SSH port 22 exposed to internet
  • MEDIUM: [MEDIUM] HTTP/HTTPS port 80 open to internet
  • CRITICAL: [CRITICAL] Hardcoded password detected
  • HIGH: [HIGH] Unencrypted RDS instance
  • HIGH: [HIGH] Unencrypted EBS volume
  • HIGH: [HIGH] S3 bucket with public access enabled
  • HIGH: [HIGH] Missing logging - no CloudTrail or CloudWatch log group detected
  • MEDIUM: [MEDIUM] Missing VPC flow logs - aws_vpc present but no aws_flow_log detected

@oguarni oguarni merged commit 4a9a6da into master Mar 9, 2026
8 checks passed
oguarni added a commit that referenced this pull request Mar 20, 2026
feat(security): add CloudWatch logging and VPC flow log rules, expand…