Implementing Automated Remediation

4 min read Security Testing & Tools

Implementing Automated Remediation

Automated remediation accelerates the fix process while maintaining consistency:

#!/usr/bin/env python3
# automated-remediation.py

import os
import re
import subprocess
import tempfile
from typing import Dict, List, Optional
import docker
import git

class AutomatedRemediator:
    def __init__(self, registry_url: str, git_repo: str):
        self.registry_url = registry_url
        self.git_repo = git_repo
        self.docker_client = docker.from_env()
        
    def remediate_base_image(self, image_name: str, vulnerabilities: List[Dict]) -> Optional[str]:
        """Automatically update base image to fix vulnerabilities"""
        
        # Analyze current image
        current_base = self.extract_base_image(image_name)
        
        # Find secure alternative
        secure_base = self.find_secure_base_image(current_base, vulnerabilities)
        
        if not secure_base:
            return None
        
        # Update Dockerfile
        updated_dockerfile = self.update_dockerfile_base(image_name, secure_base)
        
        # Build and test new image
        new_image = self.build_and_test_image(updated_dockerfile, image_name)
        
        if new_image:
            # Create pull request
            self.create_remediation_pr(image_name, current_base, secure_base)
            
        return new_image
    
    def extract_base_image(self, image_name: str) -> str:
        """Extract base image from Dockerfile"""
        dockerfile_path = self.find_dockerfile(image_name)
        
        with open(dockerfile_path, 'r') as f:
            content = f.read()
            
        # Extract FROM statement
        match = re.search(r'^FROM\s+(\S+)', content, re.MULTILINE)
        if match:
            return match.group(1)
            
        return None
    
    def find_secure_base_image(self, current_base: str, vulnerabilities: List[Dict]) -> Optional[str]:
        """Find a secure alternative base image"""
        
        # Parse current base image
        parts = current_base.split(':')
        image_name = parts[0]
        current_tag = parts[1] if len(parts) > 1 else 'latest'
        
        # Get available tags
        available_tags = self.get_available_tags(image_name)
        
        # Test each tag for vulnerabilities
        secure_options = []
        
        for tag in available_tags:
            test_image = f"{image_name}:{tag}"
            
            # Skip if older than current
            if self.is_older_version(tag, current_tag):
                continue
                
            # Scan potential replacement
            scan_result = self.scan_image(test_image)
            
            # Check if it fixes our vulnerabilities
            if self.fixes_vulnerabilities(scan_result, vulnerabilities):
                secure_options.append({
                    'image': test_image,
                    'vulnerabilities': len(scan_result.get('vulnerabilities', [])),
                    'size': self.get_image_size(test_image)
                })
        
        # Choose best option (least vulnerabilities, smallest size)
        if secure_options:
            best_option = min(
                secure_options,
                key=lambda x: (x['vulnerabilities'], x['size'])
            )
            return best_option['image']
            
        return None
    
    def remediate_package_vulnerabilities(self, image_name: str, vulnerabilities: List[Dict]) -> Optional[str]:
        """Fix package vulnerabilities through updates"""
        
        # Group vulnerabilities by package manager
        grouped_vulns = self.group_by_package_manager(vulnerabilities)
        
        # Generate update commands
        update_commands = []
        
        for pkg_manager, vulns in grouped_vulns.items():
            if pkg_manager == 'apt':
                update_commands.extend(self.generate_apt_fixes(vulns))
            elif pkg_manager == 'npm':
                update_commands.extend(self.generate_npm_fixes(vulns))
            elif pkg_manager == 'pip':
                update_commands.extend(self.generate_pip_fixes(vulns))
            elif pkg_manager == 'go':
                update_commands.extend(self.generate_go_fixes(vulns))
        
        if not update_commands:
            return None
            
        # Create remediation Dockerfile
        remediation_dockerfile = self.create_remediation_dockerfile(
            image_name, update_commands
        )
        
        # Build and test
        new_image = self.build_and_test_image(remediation_dockerfile, image_name)
        
        return new_image
    
    def generate_apt_fixes(self, vulnerabilities: List[Dict]) -> List[str]:
        """Generate APT commands to fix vulnerabilities"""
        commands = []
        
        # Update package list
        commands.append("apt-get update")
        
        # Install fixed versions
        packages_to_update = []
        for vuln in vulnerabilities:
            if vuln.get('fixed_version'):
                package = vuln['package_name']
                version = vuln['fixed_version']
                packages_to_update.append(f"{package}={version}")
        
        if packages_to_update:
            commands.append(f"apt-get install -y {' '.join(packages_to_update)}")
            
        # Clean up
        commands.append("apt-get clean && rm -rf /var/lib/apt/lists/*")
        
        return commands
    
    def generate_npm_fixes(self, vulnerabilities: List[Dict]) -> List[str]:
        """Generate npm commands to fix vulnerabilities"""
        commands = []
        
        # Try automated fix first
        commands.append("npm audit fix")
        
        # Specific package updates
        for vuln in vulnerabilities:
            if vuln.get('fixed_version'):
                package = vuln['package_name']
                version = vuln['fixed_version']
                commands.append(f"npm install {package}@{version}")
        
        # Deduplicate
        commands.append("npm dedupe")
        
        return commands
    
    def create_remediation_dockerfile(self, base_image: str, update_commands: List[str]) -> str:
        """Create Dockerfile for remediation"""
        
        dockerfile_content = f"""
# Automated remediation for {base_image}
FROM {base_image} AS remediated

# Apply security updates
USER root

{chr(10).join(f'RUN {cmd}' for cmd in update_commands)}

# Return to original user
USER 1001
"""
        
        # Save to temporary file
        with tempfile.NamedTemporaryFile(mode='w', suffix='.dockerfile', delete=False) as f:
            f.write(dockerfile_content)
            return f.name
    
    def build_and_test_image(self, dockerfile_path: str, original_image: str) -> Optional[str]:
        """Build and test remediated image"""
        
        # Generate new image tag
        new_tag = f"{original_image}-remediated-{datetime.now().strftime('%Y%m%d%H%M%S')}"
        
        try:
            # Build image
            self.docker_client.images.build(
                path=os.path.dirname(dockerfile_path),
                dockerfile=os.path.basename(dockerfile_path),
                tag=new_tag,
                nocache=True
            )
            
            # Run basic tests
            if self.test_image_functionality(new_tag, original_image):
                # Scan to verify fixes
                scan_result = self.scan_image(new_tag)
                
                if self.verify_remediation(scan_result, original_image):
                    return new_tag
                    
        except Exception as e:
            print(f"Build failed: {e}")
            
        return None
    
    def test_image_functionality(self, new_image: str, original_image: str) -> bool:
        """Test that remediated image maintains functionality"""
        
        # Run basic smoke tests
        tests = [
            self.test_image_starts,
            self.test_healthcheck_passes,
            self.test_expected_files_exist,
            self.test_network_connectivity
        ]
        
        for test in tests:
            if not test(new_image):
                return False
                
        return True
    
    def create_remediation_pr(self, image_name: str, old_base: str, new_base: str):
        """Create pull request with remediation"""
        
        # Clone repository
        with tempfile.TemporaryDirectory() as tmpdir:
            repo = git.Repo.clone_from(self.git_repo, tmpdir)
            
            # Create branch
            branch_name = f"security/fix-{image_name.replace('/', '-')}-{datetime.now().strftime('%Y%m%d')}"
            repo.create_head(branch_name)
            repo.heads[branch_name].checkout()
            
            # Update Dockerfile
            dockerfile_path = os.path.join(tmpdir, self.find_relative_dockerfile(image_name))
            
            with open(dockerfile_path, 'r') as f:
                content = f.read()
                
            # Replace base image
            updated_content = content.replace(f"FROM {old_base}", f"FROM {new_base}")
            
            with open(dockerfile_path, 'w') as f:
                f.write(updated_content)
                
            # Commit changes
            repo.index.add([dockerfile_path])
            repo.index.commit(f"fix: Update base image for {image_name} to fix vulnerabilities\n\n- Previous: {old_base}\n- Updated: {new_base}")
            
            # Push branch
            origin = repo.remote('origin')
            origin.push(branch_name)
            
            # Create PR (using GitHub API as example)
            self.create_github_pr(branch_name, image_name, old_base, new_base)