h-lSrSSKJrJrJrJrJrJrJr SSK J r SSK J r SSK JrJrJr SSKJrJr SSKrSSKrSSKrSSKrSSKJrJrJr SSKrSS KJr \"5 \"\5r\R@"S S 5\RBS '\R@"S S 5\RBS'S\RBS'\ "\5r"\ "\\"5r#\RH"\RJS9 \RL"\5r'SSK(J)r)J*r*J+r+J,r,J-r- SSK.J/r/ \/"\5 SSK0J1r1 \Re\1SS9 "SS5r3"SS5r4\4"5r5\RmS5S5r7\RmS5\S55r8\RmSS S!/S"9\S#55r9\RmS$5\S%55r:\RmS&5\S'55r;\RmS(5\S)55r<\RmS*5\S+55r=\R}S,5S-5r?\R}S.5S/5r@\S0:Xa;\R5 \"R5 SSS5 \RS1S2S3S49 gg!,(df  N!=f)5z DevSecOps Pipeline Security Maturity Assessor Main Flask application for assessing CI/CD pipeline security maturity. Author: Mitchele Jebet License: MIT )Flaskrequestjsonifyrender_templateflashredirecturl_for) SQLAlchemy)Migrate) LoginManagerlogin_required current_user)datetimetimezoneN)DictListAny) load_dotenv SECRET_KEYzdev-key-change-in-production DATABASE_URLzsqlite:///devsecops_assessor.dbSQLALCHEMY_DATABASE_URIFSQLALCHEMY_TRACK_MODIFICATIONS)level)User Organization Assessment SubscriptionInvoice) init_auth) billing_bpz/billing) url_prefixc \rSrSrSrSS/SQS.SS/S QS.S S/S QS.S S/S QS.SS/SQS.SS/SQS.S.rSSS.SSS.SSS.SSS.SSS.S.r\S \S!\ 4S"j5r S#r g$)%SecurityMaturityFramework4z/Core framework for assessing DevSecOps maturityzSource Code Securityg?)dependency_scanningsecret_detection sast_toolscode_quality_gates)nameweightcheckszBuild Securityg333333?)secure_build_environmentartifact_signingbuild_reproducibilitysupply_chain_securityzDeployment Security)infrastructure_as_codecontainer_scanningdeployment_approval_gatesenvironment_isolationzRuntime Security)monitoring_loggingincident_responsevulnerability_managementsecurity_testingzCompliance & Governance)policy_as_code audit_trailscompliance_reportingaccess_controlszCulture & Trainingg?)security_championstraining_programssecurity_reviewsknowledge_sharing)source_code_securitybuild_securitydeployment_securityruntime_securitycompliance_governanceculture_trainingInitialz,Ad-hoc security practices, reactive approach)r) description Developingz Basic security tools implementedDefinedz+Documented security processes and standardsManagedz$Metrics-driven security improvements Optimizedz/Continuous security optimization and innovation)rscorereturncnUS:aSnOUS:aSnOUS:aSnO US:aSnOS nX RU4$) z'Calculate maturity level based on scoreZrOKrN<rM(rLr)MATURITY_LEVELS)clsrPrs $/home/kali/devsecops-assessor/app.pycalculate_maturity_level2SecurityMaturityFramework.calculate_maturity_level~sM B;E b[E b[E b[EE))%000N) __name__ __module__ __qualname____firstlineno____doc__ CATEGORIESrW classmethodfloattuplerZ__static_attributes__r]r\rYr#r#4s9+ ! %  * '  . " )  g=J@.\ ] 1S T.[ \.T U0a b O 1U 1u 1 1r\r#c \rSrSrSrSrSS\S\S\\\44Sjjr SS\S\S\\\44S jjr S \\\4S\\\44S jr S \\\4S\\\44S jr S \\\4S\\\44S jr S \\\4S\\\44SjrS \\\4S\\\44SjrS \\\4S\\\44SjrS \\\4S\\\44SjrS\\\4S\\\44SjrSrg)PipelineAnalyzerz.Analyzes CI/CD pipelines for security maturityc"[5UlgN)r# framework)selfs rY__init__PipelineAnalyzer.__init__s 24r\Nrepo_urltokenrQcURSS5RS5nUSUSpT0nU(aSU3US'SUSUS 3n[R"XvS 9nURS :waS S UR30$UR 5n 0n U Hn U SR S5(dM[R"U S5n U RS :XdMI[R"U R5n URU 5XS'M URU 5$![a8n[RS[U535 S [U50sSnA$SnAff=f)zAnalyze GitHub Actions pipelinezhttps://github.com//rrLztoken Authorizationzhttps://api.github.com/repos/z/contents/.github/workflowsheaderserrorzFailed to access repository: r))z.ymlz.yaml download_urlz!Error analyzing GitHub pipeline: N)replacesplitrequestsget status_codejsonendswithyaml safe_loadtext_analyze_workflow_content_calculate_overall_scores Exceptionloggerrzstr)rnrqrrpartsownerreporx workflows_urlresponse workflowsanalysis_results workflow_filecontent_responseworkflow_contentes rYanalyze_github_pipeline(PipelineAnalyzer.analyze_github_pipelinesk! %$$%:B?EEcJE(E!H4G-3E7+;(>:J:O:O+P(BFB`B`aqBr(v)>? "+112BC C % LLURSS5RSS5n0nU(aX$S'SUS3n[R"XTS9nURS :waSUS 3n[R"XTS9nURS :waS S UR30$[R "UR 5nS URU50nURU5$![a8n [RS[U 535 S [U 50sSn A $Sn A ff=f)zAnalyze GitLab CI pipelinezhttps://gitlab.com/rtruz%2Fz PRIVATE-TOKENz#https://gitlab.com/api/v4/projects/z-/repository/files/.gitlab-ci.yml/raw?ref=mainrwryz//repository/files/.gitlab-ci.yml/raw?ref=masterrzz!Failed to access .gitlab-ci.yml: z gitlab-ci.ymlz!Error analyzing GitLab pipeline: N) r|r~rrrrrrrrrrzr) rnrqrr project_pathrxfile_urlrpipeline_contentrrs rYanalyze_gitlab_pipeline(PipelineAnalyzer.analyze_gitlab_pipelines %#++,A2FNNsTYZLG+0(=\NJwxH||H>H##s*@N}~#<<B##s*#DXEYEYDZ![\\#~~hmm<  /1O1OP`1ab 112BC C % LL$>w$G !*.)H)H)Q%&'+&B&B7&K"#,0+L+LW+U'('+&B&B7&K"#r\c|^ SnSn/n/n[U5R5m /SQn[U 4SjU55(aUS- nURS5 OURS5 /SQn[U 4S jU55(aUS- nURS 5 OURS 5 /S Qn[U 4S jU55(aUS- nURS5 OURS5 [U 4SjS55(aUS- nURS5 OURS5 UUUUS.$)z$Check source code security practicesrr)z npm auditz yarn auditz pip-auditsafetysnyk dependabotc3,># UH oT;v M g7frlr].0tool content_strs rY ?PipelineAnalyzer._check_source_code_security..s@/?t{"/?u ✅ Dependency scanning detectedu4🔧 Add dependency scanning (npm audit, Snyk, etc.)) trufflesecgitleakszdetect-secretsz git-secretsc3,># UH oT;v M g7frlr]rs rYrr s<|t{"|ru✅ Secret detection configuredu🔧 Add secret detection tools) sonarqubecodeqlsemgrepbanditeslintc3,># UH oT;v M g7frlr]rs rYrrs:zt{"zru4✅ Static Analysis Security Testing (SAST) detectedu🔧 Implement SAST toolsc3,># UH oT;v M g7frlr])rgaters rYrrsi/ht{"/hr)z quality gatez security gatezfail on thresholdu✅ Quality gates configuredu🔧 Add security quality gatesrrloweranyappend) rnrrPrrrdependency_tools secret_toolsr'rs @rYr,PipelineAnalyzer._check_source_code_securitys6 'l((* d @/?@ @ @ RKE OO> ?  " "#Y ZS <|< < < RKE OO= >  " "#D EL :z: : : RKE OOR S  " "#> ? i/hi i i RKE OO: ;  " "#D E" .   r\cd^SnSn/n/n[U5R5m[U4SjS55(aUS- nURS5 OURS5 [U4SjS 55(aUS - nURS 5 OURS 5 [U4S jS55(aUS- nURS5 OURS5 [U4SjS55(aUS- nURS5 OURS5 UUUUS.$)zCheck build security practicesrrc3,># UH oT;v M g7frlr]rkeywordrs rYr9PipelineAnalyzer._check_build_security..2sg5f'+%5fr)zruns-on: ubuntu-latestzimage: containerru+✅ Containerized/managed build environmentu#🔧 Use managed build environmentsc3,># UH oT;v M g7frlr]rs rYrr9sU/Tt{"/Tr)cosignsigstoregpgsignru✅ Artifact signing detectedu🔧 Implement artifact signingc3,># UH oT;v M g7frlr]rs rYrr@sK/Jt{"/Jr)sbomsyftcycloneu0✅ Software Bill of Materials (SBOM) generationu(🔧 Generate Software Bill of Materialsc3,># UH oT;v M g7frlr]rs rYrrGsQ5P'+%5Pr)cachelockpinnedru+✅ Build reproducibility measures detectedu3🔧 Implement build caching and dependency pinningrrrnrrPrrrrs @rYr&PipelineAnalyzer._check_build_security(s% 'l((*  g5fg g g RKE OOI J  " "#H I U/TU U U RKE OO; <  " "#D E K/JK K K RKE OON O  " "#M N Q5PQ Q Q RKE OOI J  " "#X Y" .   r\cd^SnSn/n/n[U5R5m[U4SjS55(aUS- nURS5 OURS5 [U4SjS 55(aUS - nURS 5 OURS 5 [U4S jS55(aUS - nURS5 OURS5 [U4SjS55(aUS- nURS5 OURS5 UUUUS.$)z#Check deployment security practicesrrc3,># UH oT;v M g7frlr]rs rYr>PipelineAnalyzer._check_deployment_security..^sd/ct{"/cr) terraformcloudformationpulumiansibleru#✅ Infrastructure as Code detectedu%🔧 Implement Infrastructure as Codec3,># UH oT;v M g7frlr]rs rYrresZ/Yt{"/Yr)trivyclairanchore twistlockru✅ Container security scanningu$🔧 Add container security scanningc3,># UH oT;v M g7frlr]rs rYrrlse5d'+%5dr) environmentapprovalmanualreviewu✅ Deployment approval processu#🔧 Implement deployment approvalsc3,># UH oT;v M g7frlr]rs rYrrs^5]'+%5]r)staging productiondevtestru#✅ Environment separation detectedu+🔧 Implement proper environment isolationrrrs @rYr+PipelineAnalyzer._check_deployment_securityTs% 'l((*  d/cd d d RKE OOA B  " "#J K Z/YZ Z Z RKE OO= >  " "#I J e5de e e RKE OO= >  " "#H I ^5]^ ^ ^ RKE OOA B  " "#P Q" .   r\c^SnSn/n/n[U5R5m[U4SjS55(aUS- nURS5 OURS5 [U4SjS 55(aUS - nURS 5 OURS 5 [U4S jS55(aUS - nURS5 OURS5 UUUUS.$)z Check runtime security practicesrrc3,># UH oT;v M g7frlr]rs rYr;PipelineAnalyzer._check_runtime_security..sj/it{"/ir)datadognewrelicelasticsplunk prometheusru%✅ Monitoring and logging configuredu'🔧 Implement comprehensive monitoringc3,># UH oT;v M g7frlr]rs rYrrsg/ft{"/fr)zapburpdast penetrationz security test#u✅ Dynamic security testingu(🔧 Add dynamic security testing (DAST)c3,># UH oT;v M g7frlr]rs rYrrsa5`'+%5`r) vulnerabilitycvepatchupdateu$✅ Vulnerability management processu'🔧 Implement vulnerability managementrrrs @rYr(PipelineAnalyzer._check_runtime_securitys 'l((*  j/ij j j RKE OOC D  " "#L M g/fg g g RKE OO: ;  " "#M N a5`a a a RKE OOB C  " "#L M" .   r\cd^SnSn/n/n[U5R5m[U4SjS55(aUS- nURS5 OURS5 [U4SjS 55(aUS - nURS 5 OURS 5 [U4S jS55(aUS- nURS5 OURS5 [U4SjS55(aUS- nURS5 OURS5 UUUUS.$)z)Check compliance and governance practicesrrc3,># UH oT;v M g7frlr]rs rYr@PipelineAnalyzer._check_compliance_governance..s[/Zt{"/Zr)opa gatekeeperpolicyconftestr u!✅ Policy as Code implementationu🔧 Implement Policy as Codec3,># UH oT;v M g7frlr]rs rYrrsY5X'+%5Xr)auditlogtracerecordru✅ Audit trail capabilitiesu&🔧 Enable comprehensive audit trailsc3,># UH oT;v M g7frlr]rs rYrrsf5e'+%5er)report compliancesocgdprhipaaru!✅ Compliance reporting detectedu🔧 Add compliance reportingc3,># UH oT;v M g7frlr]rs rYrrrr)rbac permissionroleaccessu✅ Access control measuresu%🔧 Implement proper access controlsrrrs @rYr-PipelineAnalyzer._check_compliance_governances% 'l((*  [/Z[ [ [ RKE OO? @  " "#B C Y5XY Y Y RKE OO: ;  " "#K L f5ef f f RKE OO? @  " "#B C ^5]^ ^ ^ RKE OO9 :  " "#J K" .   r\c&SnSnS/n/SQnUUUUS.$)z%Check culture and training indicators2ru0ℹ️ Culture assessment requires manual review)u)🔧 Establish security champions programu)🔧 Implement security training programsu$🔧 Regular security design reviewsrr])rnrrPrrrs rYr(PipelineAnalyzer._check_culture_trainings3 FG " .   r\rcSU;aU$0nSnURRR5HRupESnSnUR5HupXI;dM XiUS- nUS- nM US:dM@Xg- n XU'X:US-- nMT URRU5up[ US5U U UU[ R "[R5R5S.$)z!Calculate weighted overall scoresrzrrPrLr*rM) overall_scorematurity_level maturity_infocategory_scoresdetailed_resultsanalysis_timestamp) rmrcitemsrZroundrnowrutc isoformat) rnrr0overall_weighted_scorerconfigcategory_totalcategory_count workflow_nameworkflow_results category_avgr.r/s rYr*PipelineAnalyzer._calculate_overall_scoress & &# #!"!% 9 9 ? ? A HNN3C3I3I3K/ /"x&@&IIN"a'N4L !-> ,8)&9I*II&!B)-(O(OPf(g%##91=,*. 0"*,,x||"<"F"F"H   r\)rmrl)r^r_r`rarbrorrrrrrrrrrrrrrgr]r\rYririsx85#%#%C#%4PSUXPX>#%J%%C%4PSUXPX>%>c3hDcNB- 4S>- d3PS8n- ^* T#s(^* S#X* X* $sCx.* T#s(^* X# tCH~# $sCx.# J* DcN* tCQTH~* X tCH~ $sCx. $! $sCx.! TRUWZRZ^! r\rirucj[R(a[[S55$[ S5$)z Home page dashboardz landing.html)ris_authenticatedrr rr]r\rYindexrC s($$ ,-- > **r\z /dashboardc@[Rn[RR UR S9R 5n[RR[RR[R55R UR S9R5nU(a [US5OSn/n[RR UR S9R[RR!55R#5nU(aTUR$(aC[&R("UR$5nSU;a[+USR-55nUUUS.n[RR UR S9R[RR!55R1S5R35n[5SXxS9$![&R.a Nf=f) zDashboard pageorganization_idrMrr0)total_assessments average_scorer0zdashboard.html)statsrecent_assessments)r organizationrquery filter_byidcountdbsessionfuncavgr-scalarr4order_by created_atdescfirstassessment_datarloadslistvaluesJSONDecodeErrorlimitallr) orgrGavg_score_query avg_scorer0recent_assessmentrZrJrKs rYrArAs  # #C#((223662JPPRjj&&rww{{:3K3K'LMWWhkhnhnWovvxO-<oq)!IO"((223662JSST^TiTiTnTnTpqwwy.>> "jj):)J)JKO O3"&7H'I'P'P'R"S /"* E $))33CFF3KTTU_UjUjUoUoUqrxxyz{B +5 ``##   sAHHHz/assessment/newGETPOST)methodsc `[RS:XGa[[R(a[R"5O[Rn[ R nURSS5R5nURSS5R5nURSS5R5nURSS5R5n[X#U/5(d[SS05S 4$UR5(d[SS 05S 4$US :Xa[RX55nO+US :Xa[RX55nO[SS05S 4$SU;a[SUS05S 4$[UR UUUUSUSSR#5[$R&"U5S9n[(R*R-U5 U=R.S- sl[(R*R15 [R(a[UR US.5$[3SS5 [5[7SUR S95$[CS5$![8an[:R=S[?U535 [(R*RA5 [R(a[S[?U505S4sSnA$[3S[?U53S5 [5[7S55sSnA$SnAff=f)zCreate new assessmentrf project_namertrepository_urlplatformrrrzzAll fields are requirediz Monthly assessment limit reachedgithubgitlabzUnsupported platformr-r/r))rFr)rjrkr-r.rZrL) assessment_idrz"Assessment completed successfully!successview_assessment)rozError creating assessment: NzError: new_assessmentznew_assessment.html)"rmethodis_jsonget_jsonformrrLrstripr`rcan_create_assessmentanalyzerrrrrOrrdumpsrQrRaddmonthly_assessments_usedcommitrrr rrrzrrollbackr) datarLrirqrkrrr assessmentrs rYrsrs2s~~@ ;)07##%gllD(44L 88NB7==?Lxx 0"5;;=Hxx B/557HHHWb)//1E 9::)BCDcII 5577)KLMsRR8#"::8KX%"::8K)?@A3FF'!)9:;S@@$ ,!'!%o6&7?EEG $ 7 3J JJNN: &  1 1Q 6 1 JJ   %/]]&  :IF(9 WXX 0 11 ; LL6s1vh? @ JJ   !Q01366Ax('2(8 9:: ;sKC*I<#I<&AI<-I<CI<(I<< L-A+L(1L-7+L("L-(L-z/assessment/c$[RRU5nUR[R:wa [ SS5 [ [S55$[R"UR5n[SUU[5S9$)zView assessment resultszAccess denied.rzrAzassessment_results.html)rrrm) rrM get_or_404rFrrrr rr[rZrr#rorrs rYrqrq{s}!!,,];J!!\%A%AA ( ,--jj334G 4$.!(#<#> @@r\z/assessment/listc[RR[RS9R [R R55R5n[SUS9$)z)List all assessments for the organizationrEzassessment_list.html assessments) rrMrNrrFrVrWrXr`rrs rYlist_assessmentsrsU"",,\=Y=Y,Z"*(:+@+@+E+E+G"H 1{ KKr\z#/api/assessment/c [RRU5nUR[R:wa[ SS05S4$[ R"UR5n[ URURURRURURURURUR R#5US. 5$)z API endpoint for assessment datarzz Access deniedrl) rOrirLrjrkr-r.rWr)rrMrrFrrrr[rZrOr)rLrjrkr-r.rWr7rs rYapi_assessmentrs!!,,];J!!\%A%AA12C77jj334G mm""//44$33''#11$33 ++557   r\z/api/organizations/assessmentsc [Rn[RR UR S9R [RR55R5n[URUVs/sHKnUR URURURURR5S.PMM snS.5$s snf)z)API endpoint for organization assessmentsrE)rOrir-r.rW)rLr)rrLrrMrNrOrVrWrXr`rr)r-r.r7)rLras rYapi_org_assessmentsrs ,,L"",,\__,M"*(:+@+@+E+E+G"H $))!  ! dd !!""#"2"2ll446  !       sAC c[SSSS9S4$)N error.htmlrzPage not found error_code error_message)rrzs rY not_foundrs <$''7 9:= >>r\rrcX[RR5 [SSSS9S4$)NrrrzInternal server errorr)rQrRrrrs rYinternal_errorrs2JJ <$''> @AD EEr\__main__Tz0.0.0.0i)debughostport)Drbflaskrrrrrrr flask_sqlalchemyr flask_migrater flask_loginr r rrrosrrr~typingrrrloggingdotenvrr^appgetenvr9rQmigrate basicConfigINFO getLoggerrmodelsrrrrrauthrbillingr register_blueprintr#rirzrouterCrArsrqrrr errorhandlerrr app_context create_allrunr]r\rYrsUTT'!BB' ""  Ho99\3QR <(* .Bc(d $%/4 +,_ #r ',,'   8 $IH #zj9X1X1tv v r  3++ <aa> ufo6E27E2N ,-@.@  LL 012, +,-*#>> #EE z    GG$YTG2   s I// I=