Automating Remediation Based on Scan Results

Automating Remediation Based on Scan Results

Create automated remediation scripts driven by the scanner's output:

#!/usr/bin/env python3
# auto-remediate.py

import argparse
import json
import re
import shlex
import subprocess

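def parse_trivy_results(filename, severities=('CRITICAL', 'HIGH')):
    """Extract the findings worth acting on from a Trivy JSON report.

    Args:
        filename: Path to a report written by Trivy's JSON output format.
        severities: Severity labels to keep, spelled as Trivy emits them
            (upper case). Defaults to CRITICAL and HIGH.

    Returns:
        A list of dicts with the keys ``package``, ``installed``, ``fixed``
        and ``severity``, in report order. ``fixed`` is the literal string
        ``'No fix available'`` when the report carries no patched version;
        ``generate_dockerfile_fixes`` keys on that sentinel, so keep it.

    Raises:
        OSError: if the report cannot be opened.
        json.JSONDecodeError: if the report is not valid JSON.
    """
    with open(filename, encoding='utf-8') as f:
        data = json.load(f)

    wanted = set(severities)
    vulnerabilities = []
    # Trivy groups findings per scanned target; a target without findings
    # may omit the key entirely (or carry null), so `or []` covers both.
    for result in data.get('Results') or []:
        for vuln in result.get('Vulnerabilities') or []:
            severity = vuln.get('Severity')
            if severity not in wanted:
                continue
            # An absent *or empty* FixedVersion both mean that no patched
            # version has been published for this package.
            fixed = vuln.get('FixedVersion') or 'No fix available'
            vulnerabilities.append({
                'package': vuln.get('PkgName', ''),
                'installed': vuln.get('InstalledVersion', ''),
                'fixed': fixed,
                'severity': severity,
            })

    return vulnerabilities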

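def generate_dockerfile_fixes(vulnerabilities):
    """Turn fixable findings into candidate Dockerfile ``RUN`` lines.

    Args:
        vulnerabilities: Dicts as produced by ``parse_trivy_results``; only
            ``package`` and ``fixed`` are read. A ``fixed`` value of
            ``'No fix available'`` (or an empty/missing one) is skipped.

    Returns:
        A list of ``RUN ...`` strings, one per fixable package, without
        duplicates and in first-seen order. Packages whose ecosystem cannot
        be guessed produce no line.
    """
    fixes = []
    seen = set()

    for vuln in vulnerabilities:
        fixed = vuln.get('fixed')
        if not fixed or fixed == 'No fix available':
            continue

        # Names and versions originate in the scanned image's own package
        # metadata, not in this script; quote them so they can only ever be
        # arguments of the install command the RUN line hands to the shell.
        package = shlex.quote(str(vuln['package']))
        version = shlex.quote(str(fixed))

        # NOTE(review): the ecosystem is guessed from a substring of the
        # package *name* (heuristic kept from the original for compatibility);
        # Trivy records the ecosystem per Result target, which would be the
        # reliable signal once the parser carries it through — TODO confirm.
        if 'apt' in vuln['package']:
            fix = f"RUN apt-get update && apt-get install -y {package}={version}"
        elif 'pip' in vuln['package']:
            fix = f"RUN pip install {package}=={version}"
        else:
            continue

        # The same package may be reported under several targets or CVEs;
        # emit each install line once.
        if fix not in seen:
            seen.add(fix)
            fixes.append(fix)

    return fixes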

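def update_base_image(dockerfile_path, new_base):
    """Write a copy of a Dockerfile with every ``FROM`` image replaced.

    Only the image reference is rewritten; options placed before it such as
    ``--platform=...`` and a trailing ``AS <stage>`` alias are preserved.
    The original file is not modified.

    Args:
        dockerfile_path: Path of the Dockerfile to read.
        new_base: Image reference to substitute, e.g. ``node:18-alpine3.18``.
            Inserted verbatim (no regex escape processing).

    Returns:
        The path of the file written, ``<dockerfile_path>.secure``.

    Note: every stage of a multi-stage build receives the same base, so the
    output should be reviewed before adoption when stages intentionally
    build on different images.
    """
    with open(dockerfile_path, 'r', encoding='utf-8') as f:
        content = f.read()

    # Group 1 keeps the keyword and any leading `--option` tokens; the
    # trailing \S+ is the image reference that gets replaced.
    from_line = re.compile(r'^(FROM\s+(?:--\S+\s+)*)\S+', flags=re.MULTILINE)
    # A callable replacement inserts new_base literally; a plain replacement
    # string would interpret backslashes and \1-style group references in it.
    updated = from_line.sub(lambda m: f'{m.group(1)}{new_base}', content)

    out_path = f'{dockerfile_path}.secure'
    with open(out_path, 'w', encoding='utf-8') as f:
        f.write(updated)
    return out_path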

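# Main remediation workflow: read a Trivy report, print candidate RUN lines,
# and write <dockerfile>.secure with the FROM image swapped.
if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='Suggest Dockerfile remediations from a Trivy JSON report.')
    # Defaults reproduce the original hard-coded behaviour, so running the
    # script with no arguments works exactly as before.
    parser.add_argument('--results', default='scan-results.json',
                        help='Trivy JSON report to read (default: %(default)s)')
    parser.add_argument('--dockerfile', default='Dockerfile',
                        help='Dockerfile whose FROM lines are rewritten into '
                             '<path>.secure (default: %(default)s)')
    parser.add_argument('--base-image', default='node:18-alpine3.18',
                        help='replacement base image (default: %(default)s)')
    args = parser.parse_args()

    # Parse scan results
    vulns = parse_trivy_results(args.results)

    # Generate fixes
    fixes = generate_dockerfile_fixes(vulns)

    print("Recommended Dockerfile updates:")
    if not fixes:
        print("  (none)")
    for fix in fixes:
        print(f"  {fix}")

    # Rewrite the base image. The default is a fixed choice, not something
    # read from a scanner; pass --base-image with the image your scanner
    # recommends.
    update_base_image(args.dockerfile, args.base_image)
    print(f"Wrote {args.dockerfile}.secure")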