Feat/full vpc checks

.github/workflows/build-and-upload.yml

@@ -22,7 +22,7 @@ jobs:
       - name: Authenticate gooci cli
         run: gooci login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}
       - name: gooci Upload Version
-        run: gooci upload dist/ ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{github.ref_name}}
+        run: gooci upload dist/ ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{github.ref_name}} --annotate="org.ccf.plugin.protocol.version=2"
       - name: gooci Upload Latest
         if: "!github.event.release.prerelease"
-        run: gooci upload dist/ ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
+        run: gooci upload dist/ ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest --annotate="org.ccf.plugin.protocol.version=2"

.gitignore

@@ -3,3 +3,6 @@ dist/
 .DS_Store
 # TODO: Change this to match the specific plugin name
 /plugin-*
+
+.ai/*
+.config/

Makefile

@@ -0,0 +1,37 @@
+# The help target prints out all targets with their descriptions organized
+# beneath their categories. The categories are represented by '##@' and the
+# target descriptions by '##'. The awk commands is responsible for reading the
+# entire set of makefiles included in this invocation, looking for lines of the
+# file as xyz: ## something, and then pretty-format the target and help. Then,
+# if there's a line with ##@ something, that gets pretty-printed as a category.
+# More info on the usage of ANSI catalog characters for terminal formatting:
+# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
+# More info on the awk command:
+# http://linuxcommand.org/lc3_adv_awk.php
+
+# Check if OPA CLI is installed
+OPA := $(shell command -v opa 2> /dev/null)
+ifeq ($(OPA),)
+$(error "opa CLI not found. Please install it: https://www.openpolicyagent.org/docs/latest/cli/")
+endif
+
+##@ Help
+help: ## Display this concise help, ie only the porcelain target
+	@awk 'BEGIN {FS = ":.*##"; printf "\033[1mUsage\033[0m\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-30s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+help-all: ## Display all help items, ie including plumbing targets
+	@awk 'BEGIN {FS = ":.*#"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?#/ { printf "  \033[36m%-25s\033[0m %s\n", $$1, $$2 } /^#@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+
+test:
+	@go test ./...
+
+clean: # Cleanup build artifacts
+	@rm -rf dist/*
+
+build: clean ## Build the plugin package
+	@mkdir -p dist/
+	@go build -o dist/plugin main.go
+
+run: build ## Execute the Concom agent with the built plugin
+	@../agent/dist/./concom agent --config ./.config/config.yaml

README.md

@@ -1 +1,84 @@
-# AWS networking sercurity plugin
+# AWS VPC CCF Plugin
+
+This plugin collects read-only AWS VPC networking data from EC2 and CloudWatch Logs, evaluates CCF Rego policy bundles, and emits evidence back through the CCF agent.
+
+## Supported resource families
+
+The collector can evaluate policies for:
+
+- VPCs
+- subnets
+- security groups
+- network ACLs
+- route tables
+
+## How it fits in CCF
+
+The CCF agent starts this binary through HashiCorp `go-plugin`, passes configuration and policy paths over gRPC, and receives generated evidence through the runner callback. This repository does not call the CCF API directly.
+
+## Default policy bundle mapping
+
+| Repository | Behavior | Primary input |
+| --- | --- | --- |
+| `plugin-aws-vpc-policies` | `vpc` | `input.vpc` + `input.vpc_context` |
+| `plugin-aws-vpc-subnet-policies` | `subnet` | `input.subnet` + `input.subnet_context` |
+| `plugin-aws-vpc-sg-policies` | `sg` | `input.security_group` + `input.sg_context` |
+| `plugin-aws-vpc-nacl-policies` | `acl` | `input.network_acl` + `input.nacl_context` |
+| `plugin-aws-vpc-rt-policies` | `rt` | `input.route_table` + `input.route_table_context` |
+
+## Configuration
+
+The plugin expects:
+
+- AWS credentials through the default AWS SDK credential chain
+- target regions from `config.regions` or `config.region`
+- `AWS_REGION` as a fallback when plugin config does not provide a region
+
+Any agent-supplied `policy_data` is passed through to Rego as `data.*`.
+
+## Data collected
+
+Depending on the selected policy bundles, the plugin can collect and correlate:
+
+- VPCs and VPC attributes
+- DHCP options
+- subnets
+- route tables
+- internet gateways
+- VPC endpoints
+- security groups
+- network ACLs
+- flow logs
+- related CloudWatch log groups
+- transit gateway attachments
+- network interfaces
+
+## Development
+
+Run the local test suite with:
+
+```shell
+go test ./...
+```
+
+Or use the Makefile wrapper:
+
+```shell
+make test
+```
+
+Build the plugin binary with:
+
+```shell
+make build
+```
+
+This writes the compiled plugin to `dist/plugin`.
+
+## Related repositories
+
+- [plugin-aws-vpc-policies](https://github.com/compliance-framework/plugin-aws-vpc-policies)
+- [plugin-aws-vpc-subnet-policies](https://github.com/compliance-framework/plugin-aws-vpc-subnet-policies)
+- [plugin-aws-vpc-sg-policies](https://github.com/compliance-framework/plugin-aws-vpc-sg-policies)
+- [plugin-aws-vpc-nacl-policies](https://github.com/compliance-framework/plugin-aws-vpc-nacl-policies)
+- [plugin-aws-vpc-rt-policies](https://github.com/compliance-framework/plugin-aws-vpc-rt-policies)

go.mod

@@ -1,71 +1,79 @@
 module github.com/compliance-framework/plugin-aws-networking-security
 
-go 1.23.2
+go 1.26.1
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.36.3
-	github.com/aws/aws-sdk-go-v2/config v1.29.9
+	github.com/aws/aws-sdk-go-v2 v1.41.2
+	github.com/aws/aws-sdk-go-v2/config v1.32.10
+	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.47.0
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.208.0
-	github.com/compliance-framework/agent v0.2.1
-	github.com/hashicorp/go-hclog v1.5.0
-	github.com/hashicorp/go-plugin v1.6.2
+	github.com/compliance-framework/agent v0.7.0
+	github.com/hashicorp/go-hclog v1.6.3
+	github.com/hashicorp/go-plugin v1.7.0
 )
 
 require (
-	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/agnivade/levenshtein v1.2.0 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.62 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
-	github.com/aws/smithy-go v1.22.2 // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/agnivade/levenshtein v1.2.1 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.10 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.7 // indirect
+	github.com/aws/smithy-go v1.24.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/compliance-framework/api v0.4.0 // indirect
-	github.com/defenseunicorns/go-oscal v0.6.2 // indirect
-	github.com/fatih/color v1.15.0 // indirect
-	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
+	github.com/compliance-framework/api v0.16.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.1 // indirect
+	github.com/defenseunicorns/go-oscal v0.7.0 // indirect
+	github.com/docker/docker v28.5.2+incompatible // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/hashicorp/yamux v0.1.1 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/hashicorp/yamux v0.1.2 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+	github.com/lestrrat-go/dsig v1.0.0 // indirect
+	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc/v3 v3.0.4 // indirect
+	github.com/lestrrat-go/jwx/v3 v3.0.13 // indirect
+	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/moby/sys/user v0.3.0 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/oklog/run v1.0.0 // indirect
-	github.com/open-policy-agent/opa v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.20.5 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.57.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/oklog/run v1.2.0 // indirect
+	github.com/open-policy-agent/opa v1.14.1 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
+	github.com/sirupsen/logrus v1.9.4 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.3 // indirect
+	github.com/valyala/fastjson v1.6.10 // indirect
+	github.com/vektah/gqlparser/v2 v2.5.32 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.33.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8 // indirect
-	google.golang.org/grpc v1.69.2 // indirect
-	google.golang.org/protobuf v1.36.1 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	go.opentelemetry.io/otel/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/trace v1.42.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.1 // indirect
+	go.yaml.in/yaml/v2 v2.4.4 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/grpc v1.79.3 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
 )