Speed up deployments by creating production-ready waiver files from real-world baseline InSpec reports.
In setting up demos and POCs, I found myself needing to write many InSpec waiver files to make the consoles attractive and blue. To expedite the process, I created this script, which walks through a YAML-formatted InSpec report looking for profiles and their failed controls.
If at least one failed control is found, the script creates a new waiver file with a generic waiver for each unique failed control.
For added flexibility, the user is given the option to adjust the expiration period, the justification string, and the run value (whether InSpec still executes the tests for waived controls) that will be applied to every waiver.
Depends on: Python3, PyYAML
Usage: waiverfy.py <report.yaml> <output-waiver.yml>
```console
$ ./waiverfy.py sample-reports/k8s-latest.yaml k8s-waiver.yml
Welcome to the waiverfy script.
This script will generate a waiver file based on the failed controls in a report.
Report file located.
Checking sample-reports/k8s-latest.yaml for failed controls...
Failed controls found in the report.
Preparing waiver file...
Choose the default waiver expiration date:
1. 90 days
2. 6 months
3. 12 months
4. 18 months
5. custom date
Enter the number corresponding to your choice [1]:
Default justification: Under review by security team
Do you want to update the justification? (y/n):
Should InSpec run tests for waived controls? (y/n):
InSpec will run tests for waived controls.
Generating waivers based on sample-reports/k8s-latest.yaml...
Found Profile Name: inspec-k8s-sample
Profile Title: InSpec K8s Profile
Control ID: k8s-1.0, Status: passed
Control ID: k8s-1.0, Status: passed
Control ID: k8s-1.0, Status: passed
Control ID: k8s-1.1, Status: failed
Waiver for Control ID: k8s-1.1 written to k8s-waiver.yml
Control ID: k8s-1.2, Status: passed
Control ID: k8s-1.3, Status: passed
Control ID: k8s-1.4, Status: passed
Control ID: k8s-1.4, Status: passed
Control ID: k8s-1.5, Status: failed
Waiver for Control ID: k8s-1.5 written to k8s-waiver.yml
Found Profile Name: inspec-k8s
Profile Title: InSpec Profile
2 waivers written to k8s-waiver.yml based on sample-reports/k8s-latest.yaml
Thanks for using my waiverfy script!
[~/repos/chef-cft/waiverfy]$
[~/repos/chef-cft/waiverfy]$ cat k8s-waiver.yml
# This is an InSpec waiver file generated by the waiverfy script.
# Originally generated from a report named: sample-reports/k8s-latest.yaml
# Found Profile Name: inspec-k8s-sample
# Profile Title: InSpec K8s Profile
# Control Title: Validate Storage Provisioner
k8s-1.1:
  expiration_date: 2024-06-26
  justification: Under review by security team
  run: yes
# Control Title: Check Network Policy
k8s-1.5:
  expiration_date: 2024-06-26
  justification: Under review by security team
  run: yes
# Found Profile Name: inspec-k8s
# Profile Title: InSpec Profile
[~/repos/chef-cft/waiverfy]$
```
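The generation logic described above, as an added example in Python that is not the waiverfy script itself. It assumes the report layout InSpec emits (profiles, each with controls, each with results carrying a status), embeds a constructed sample report instead of reading one, and treats PyYAML as optional so the core functions run without it. The menu choices, default justification and the k8s-1.1 / k8s-1.5 control titles are taken from the session above; the k8s-1.0 control title and all function names are assumptions.

```python
"""Build an InSpec waiver file from the failed controls in a report.

Added example, not the waiverfy project's code. It assumes the report layout
InSpec emits: profiles -> controls -> results, each result with a status.
"""
import datetime
import sys

try:
    import yaml  # PyYAML, only needed to read a real report file
except ImportError:
    yaml = None

# Menu choices 1-4 from the session above; '5' means a custom date.
EXPIRATION_CHOICES = {"1": ("days", 90), "2": ("months", 6),
                      "3": ("months", 12), "4": ("months", 18)}

# Constructed sample report: k8s-1.1 and k8s-1.5 mirror the failures in the
# session above; the k8s-1.0 control title is made up for this example.
SAMPLE_REPORT = {
    "profiles": [
        {"name": "inspec-k8s-sample", "title": "InSpec K8s Profile",
         "controls": [
             {"id": "k8s-1.0", "title": "Example passing control",
              "results": [{"status": "passed"}, {"status": "passed"}]},
             {"id": "k8s-1.1", "title": "Validate Storage Provisioner",
              "results": [{"status": "failed"}]},
             {"id": "k8s-1.5", "title": "Check Network Policy",
              "results": [{"status": "passed"}, {"status": "failed"}]},
         ]},
        {"name": "inspec-k8s", "title": "InSpec Profile", "controls": []},
    ]
}


def add_months(day, months):
    """Shift `day` forward by `months`, clamping to the target month's last
    day so 31 Jan + 1 month gives 28/29 Feb instead of raising ValueError."""
    month_index = day.month - 1 + months
    year, month = day.year + month_index // 12, month_index % 12 + 1
    first_of_next = datetime.date(year + (month == 12), month % 12 + 1, 1)
    last_day = (first_of_next - datetime.timedelta(days=1)).day
    return datetime.date(year, month, min(day.day, last_day))


def expiration_date(choice, today_iso, custom_iso=None):
    """Map a menu choice ('1'..'5') to an ISO expiration date string.
    Choice '5' takes `custom_iso`, parsed here so a bad date fails early."""
    today = datetime.date.fromisoformat(today_iso)
    if choice == "5":
        return datetime.date.fromisoformat(custom_iso).isoformat()
    unit, amount = EXPIRATION_CHOICES[choice]
    if unit == "days":
        return (today + datetime.timedelta(days=amount)).isoformat()
    return add_months(today, amount).isoformat()


def build_waiver_text(report, report_name, expires_iso, justification, run_tests):
    """Render waiver text in the shape shown above: a commented header, each
    profile's name and title, then one block per control with a failed result.
    A control is waived once even if several of its results failed.
    Returns (text, number_of_waivers)."""
    lines = ["# This is an InSpec waiver file generated from a report.",
             f"# Originally generated from a report named: {report_name}"]
    count = 0
    for profile in report.get("profiles", []):
        lines += [f"# Found Profile Name: {profile.get('name')}",
                  f"# Profile Title: {profile.get('title')}"]
        waived = set()
        for control in profile.get("controls", []):
            statuses = {r.get("status") for r in control.get("results", [])}
            if "failed" not in statuses or control["id"] in waived:
                continue
            waived.add(control["id"])
            lines += [f"# Control Title: {control.get('title', '')}",
                      f"{control['id']}:",
                      f"  expiration_date: {expires_iso}",
                      f"  justification: {justification}",
                      f"  run: {'yes' if run_tests else 'no'}"]
            count += 1
    return "\n".join(lines) + "\n", count


def load_report(path):
    """Parse a YAML InSpec report from disk (requires PyYAML)."""
    if yaml is None:
        raise SystemExit("PyYAML is required to read report files (pip install pyyaml)")
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def main(argv):
    """Non-interactive equivalent of the script's defaults: 90-day expiry,
    the default justification, and tests still run for waived controls."""
    if len(argv) != 3:
        raise SystemExit(f"usage: {argv[0]} REPORT.yaml WAIVER.yml")
    report_path, waiver_path = argv[1], argv[2]
    expires = expiration_date("1", datetime.date.today().isoformat())
    text, count = build_waiver_text(load_report(report_path), report_path,
                                    expires, "Under review by security team", True)
    if count == 0:
        print(f"No failed controls found in {report_path}; nothing written.")
        return 0
    with open(waiver_path, "w", encoding="utf-8") as fh:
        fh.write(text)
    print(f"{count} waivers written to {waiver_path} based on {report_path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping `run: yes` means InSpec still executes the waived tests, so the report records the real result and the waiver only changes how it is scored; a file generated this way is a starting point, and each entry's justification and expiration date should be replaced with the real ones before the waiver goes into a pipeline.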
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.