feat(security): inventory public gateway certificates

This commit is contained in:
ogt
2026-07-14 14:58:12 +08:00
parent 1cc0737529
commit 248cf07ce1
4 changed files with 427 additions and 2 deletions

View File

@@ -368,6 +368,8 @@ def _build_security_program_domains(
github_supply_chain_compliant_percent: int,
forbidden_github_supply_chain_asset_count: int,
package_digest_unpinned_count: int,
certificate_live_verified_percent: int,
certificate_live_unverified_count: int,
) -> list[dict[str, Any]]:
scope_by_id = {row["scope_id"]: row for row in asset_scopes}
function_by_id = {row["function_id"]: row for row in control_functions}
@@ -397,6 +399,11 @@ def _build_security_program_domains(
supply_chain_gap_code = "runtime_image_digest_pin_missing"
else:
supply_chain_gap_code = "sbom_signature_dependency_evidence_missing"
network_tls_gap_code = (
"certificate_live_tls_probe_missing"
if certificate_live_unverified_count > 0
else "network_dns_tls_runtime_evidence_missing"
)
domain_values = (
(
@@ -453,12 +460,13 @@ def _build_security_program_domains(
average(
100 if by_type.get("network", 0) > 0 else 0,
100 if by_type.get("certificate", 0) > 0 else 0,
certificate_live_verified_percent,
compliance_percent("ssl_cert_valid"),
),
by_type.get("network", 0)
+ by_type.get("certificate", 0)
+ compliance_total("ssl_cert_valid"),
"network_dns_tls_runtime_evidence_missing",
network_tls_gap_code,
),
(
"cloud_container_k8s",
@@ -675,6 +683,10 @@ def build_iwooos_security_asset_control_plane(
int(_value(row, "unpinned_package_count", 0) or 0)
for row in inventory_source
)
certificate_live_unverified_count = sum(
int(_value(row, "unverified_certificate_count", 0) or 0)
for row in inventory_source
)
present_types = {
asset_type for asset_type in _ASSET_TYPES if by_type.get(asset_type, 0) > 0
}
@@ -886,6 +898,15 @@ def build_iwooos_security_asset_control_plane(
forbidden_github_supply_chain_asset_count
),
package_digest_unpinned_count=package_digest_unpinned_count,
certificate_live_verified_percent=_percent(
max(
0,
by_type.get("certificate", 0)
- certificate_live_unverified_count,
),
by_type.get("certificate", 0),
),
certificate_live_unverified_count=certificate_live_unverified_count,
)
work_items: list[dict[str, Any]] = []
@@ -941,6 +962,20 @@ def build_iwooos_security_asset_control_plane(
),
)
)
if certificate_live_unverified_count > 0:
work_items.append(
_work_item(
"AIA-P0-006-02B",
"P0",
"certificate_live_verification",
"驗證 public TLS 憑證",
certificate_live_unverified_count,
(
"執行 bounded TLS handshake metadata probe驗證 hostname、"
"chain 與 expiry不得讀取 private key 或 certificate volume。"
),
)
)
if coverage_total == 0 or coverage_unknown > 0:
work_items.append(
_work_item(
@@ -1094,6 +1129,9 @@ def build_iwooos_security_asset_control_plane(
"forbidden_github_supply_chain_asset_count": (
forbidden_github_supply_chain_asset_count
),
"certificate_live_unverified_count": (
certificate_live_unverified_count
),
"automation_coverage_green_percent": _percent(
coverage_green, coverage_total
),
@@ -1176,6 +1214,22 @@ def build_iwooos_security_asset_control_plane(
"registry_api_called": False,
"github_api_used": False,
},
"certificate_inventory": {
"certificate_asset_count": by_type.get("certificate", 0),
"live_tls_verified_count": max(
0,
by_type.get("certificate", 0)
- certificate_live_unverified_count,
),
"live_tls_unverified_count": certificate_live_unverified_count,
"live_tls_health_proven": (
by_type.get("certificate", 0) > 0
and certificate_live_unverified_count == 0
),
"raw_certificate_path_returned": False,
"certificate_material_read": False,
"private_key_material_read": False,
},
"source_health": source_health_rows,
"work_items": work_items,
"boundaries": {
@@ -1217,6 +1271,7 @@ def build_unavailable_iwooos_security_asset_control_plane(
"relationship_count": 0,
"package_digest_unpinned_count": 0,
"forbidden_github_supply_chain_asset_count": 0,
"certificate_live_unverified_count": 0,
"automation_coverage_green_percent": 0,
"automation_coverage_unknown_count": 0,
"compliance_violation_count": 0,
@@ -1380,6 +1435,15 @@ def build_unavailable_iwooos_security_asset_control_plane(
"registry_api_called": False,
"github_api_used": False,
},
"certificate_inventory": {
"certificate_asset_count": 0,
"live_tls_verified_count": 0,
"live_tls_unverified_count": 0,
"live_tls_health_proven": False,
"raw_certificate_path_returned": False,
"certificate_material_read": False,
"private_key_material_read": False,
},
"source_health": [
{
"source_id": source_id,
@@ -1601,7 +1665,14 @@ class IwoooSSecurityAssetControlPlaneService:
metadata->>'digest_pinned',
'false'
) <> 'true'
) AS unpinned_package_count
) AS unpinned_package_count,
count(*) FILTER (
WHERE asset_type = 'certificate'
AND COALESCE(
metadata->>'live_tls_probe_evidenced',
'false'
) <> 'true'
) AS unverified_certificate_count
FROM asset_inventory
WHERE lifecycle_state = 'active'
GROUP BY asset_type