chore: add scan report -> ctrf converter

JonasPollokZweitag · JonasPollokZweitag · commit 1d7267e9734d · 2025-12-17T07:56:52.000+01:00
diff --git a/security-scanning/checkov2ctrf.py b/security-scanning/checkov2ctrf.py
@@ -0,0 +1,68 @@
+import json
+import sys
+
+
+def extract_checks(target, status):
+    # extracts checks of a check_type (e.g. terraform) with a status ('fail' oder 'pass').
+    checks = []
+    key = "failed_checks" if status == "fail" else "passed_checks"
+    for check in target.get("results", {}).get(key, []):
+        checks.append({
+            "name": check.get("check_name"),
+            "status": "passed" if status == "pass" else "failed",
+            "duration": 1,
+            "file": check.get("file_path"),
+            "lines": check.get("file_line_range"),
+            "guideline": check.get("guideline") if check.get("guideline") != 'null' else "",
+        })
+    return checks
+
+
+def checkov_to_ctrf(checkov_json):
+    tests = []
+    for target in checkov_json:
+        tests.extend(extract_checks(target, "fail"))
+        tests.extend(extract_checks(target, "pass"))
+
+    total = len(tests)
+    passed = sum(1 for t in tests if t["status"] == "passed")
+    failed = sum(1 for t in tests if t["status"] == "failed")
+    pending = 0
+    skipped = 0
+    other = 0
+    start = 0
+    stop = 1
+    return {
+        "results": {
+            "tool": {
+                "name": "Checkov "
+            },
+            "summary": {
+                "tests": total,
+                "passed": passed,
+                "failed": failed,
+                "pending": pending,
+                "skipped": skipped,
+                "other": other,
+                "start": start,
+                "stop": stop
+            },
+            "tests": tests,
+            "environment": {
+                "appName": "kamium-deployment",
+                "buildName": "kamium-deployment",
+                "buildNumber": "1"
+            }
+        }
+    }
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 3:
+        print("Usage: python checkov2ctrf.py <input.json> <output.json>")
+        sys.exit(1)
+    with open(sys.argv[1]) as old_f:
+        checkov_json = json.load(old_f)
+    ctrf_json = checkov_to_ctrf(checkov_json)
+    with open(sys.argv[2], "w") as new_f:
+        json.dump(ctrf_json, new_f, indent=2)
diff --git a/security-scanning/trivyconfig2crtf.py b/security-scanning/trivyconfig2crtf.py
@@ -0,0 +1,90 @@
+import json
+import sys
+
+
+def extract_checks_from_trivy_result(result):
+    checks = []
+    misconfigs = result.get("Misconfigurations", [])
+    for misconf in misconfigs:
+        lines = None
+        cause = misconf.get("CauseMetadata", {})
+        if "StartLine" in cause and "EndLine" in cause:
+            lines = [cause["StartLine"], cause["EndLine"]]
+        elif "Code" in cause and "Lines" in cause["Code"] and cause["Code"]["Lines"]:
+            # Fallback: nehme die ersten und letzten Zeilennummern aus Code.Lines
+            code_lines = cause["Code"]["Lines"]
+            if isinstance(code_lines, list) and code_lines:
+                lines = [code_lines[0].get(
+                    "Number"), code_lines[-1].get("Number")]
+
+        checks.append({
+            "name": misconf.get("Title", misconf.get("ID", "")),
+            "status": "failed" if misconf.get("Status") == "FAIL" else "passed",
+            "duration": 1,
+            "file": result.get("Target", ""),
+            "lines": lines,
+            "guideline": misconf.get("PrimaryURL", ""),
+            "severity": misconf.get("Severity", ""),
+            "description": misconf.get("Description", ""),
+            "message": misconf.get("Message", ""),
+            "resolution": misconf.get("Resolution", ""),
+            "references": misconf.get("References", []),
+            "type": misconf.get("Type", ""),
+            "id": misconf.get("ID", ""),
+        })
+    return checks
+
+
+def trivy_to_ctrf(trivy_json):
+    tests = []
+    successes_sum = 0
+    results = trivy_json.get("Results", [])
+    for result in results:
+        tests.extend(extract_checks_from_trivy_result(result))
+
+        # Successful scans have no misconfigurations
+        misconf_summary = result.get("MisconfSummary", {})
+        successes_sum += misconf_summary.get("Successes", 0)
+
+    total = len(tests) + successes_sum
+    passed = successes_sum
+    failed = sum(1 for t in tests if t["status"] == "failed")
+    pending = 0
+    skipped = 0
+    other = 0
+    start = 0
+    stop = 1
+    return {
+        "results": {
+            "tool": {
+                "name": "Trivy Configuration"
+            },
+            "summary": {
+                "tests": total,
+                "passed": passed,
+                "failed": failed,
+                "pending": pending,
+                "skipped": skipped,
+                "other": other,
+                "start": start,
+                "stop": stop
+            },
+            "tests": tests,
+            "environment": {
+                "appName": "kamium-elastic",
+                "buildName": "kamium-elastic",
+                "buildNumber": "1"
+            }
+        }
+    }
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 3:
+        print("Usage: python trivy2ctrf.py <input.json> <output.json>")
+        sys.exit(1)
+    with open(sys.argv[1]) as old_f:
+        trivy_json = json.load(old_f)
+    ctrf_json = trivy_to_ctrf(trivy_json)
+    with open(sys.argv[2], "w") as new_f:
+        json.dump(ctrf_json, new_f, indent=2)
diff --git a/security-scanning/trivyimage2ctrf.py b/security-scanning/trivyimage2ctrf.py
@@ -0,0 +1,80 @@
+import json
+import sys
+
+
+def extract_checks_from_trivy_result(target):
+    checks = []
+    
+    vulnerabilities = target.get("Vulnerabilities", [])
+    
+    for vuln in vulnerabilities:
+        checks.append({
+            "name": vuln.get("PkgID", ""),
+            "status": vuln.get("Status", "unknown"),
+            "duration": 1,
+            "severity": vuln.get("Severity", ""),
+            "id": vuln.get("VulnerabilityID", ""),
+            "pkgName": vuln.get("PkgName", ""),
+            "installedVersion": vuln.get("InstalledVersion", ""),
+            "fixedVersion": vuln.get("FixedVersion", "no fix available"),
+            "image": target.get("Target", ""),
+            "source": vuln.get("DataSource", []),
+            "description": vuln.get("Description", ""),
+            "references": vuln.get("References", [])
+        })
+    return checks
+
+
+def trivy_to_ctrf(trivy_json):
+    tests = []
+    successes_sum = 0
+    results = trivy_json.get("Results", [])
+    for result in results:
+        tests.extend(extract_checks_from_trivy_result(result))
+
+        # Successful scans have no misconfigurations
+        misconf_summary = result.get("MisconfSummary", {})
+        successes_sum += misconf_summary.get("Successes", 0)
+
+    total = len(tests)
+    passed = 0 
+    failed = len(tests)
+    pending = 0
+    skipped = 0
+    other = 0
+    start = 0
+    stop = 1
+    return {
+        "results": {
+            "tool": {
+                "name": "Trivy Image"
+            },
+            "summary": {
+                "tests": total,
+                "passed": passed,
+                "failed": failed,
+                "pending": pending,
+                "skipped": skipped,
+                "other": other,
+                "start": start,
+                "stop": stop
+            },
+            "tests": tests,
+            "environment": {
+                "appName": "kamium-elastic",
+                "buildName": "kamium-elastic",
+                "buildNumber": "1"
+            }
+        }
+    }
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 3:
+        print("Usage: python trivy2ctrf.py <input.json> <output.json>")
+        sys.exit(1)
+    with open(sys.argv[1]) as old_f:
+        trivy_json = json.load(old_f)
+    ctrf_json = trivy_to_ctrf(trivy_json)
+    with open(sys.argv[2], "w") as new_f:
+        json.dump(ctrf_json, new_f, indent=2)
