DataDog
diff --git a/‎.github/workflows/docker-release.yml‎ b/‎.github/workflows/docker-release.yml‎
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 13 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎LICENSE-3rdparty.csv‎
Lines changed: 13 additions & 15 deletions b/‎LICENSE-3rdparty.csv‎
Lines changed: 13 additions & 15 deletions
diff --git a/‎Makefile‎
Lines changed: 13 additions & 2 deletions b/‎Makefile‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 87 additions & 3 deletions b/‎README.md‎
Lines changed: 87 additions & 3 deletions
diff --git a/‎cmd/threatest/lint.go‎
Lines changed: 68 additions & 0 deletions b/‎cmd/threatest/lint.go‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎cmd/threatest/main.go‎
Lines changed: 21 additions & 0 deletions b/‎cmd/threatest/main.go‎
Lines changed: 21 additions & 0 deletions
@@ -1 +1,2 @@
 .idea
+dist/
@@ -0,0 +1,13 @@
+FROM golang:1.19-alpine3.16@sha256:4e2a54594cfe7002a98c483c28f6f3a78e5c7f4010c355a8cf960292a3fdecfe AS builder
+ARG VERSION=dev-snapshot
+RUN mkdir /build
+RUN apk add --update make
+WORKDIR /build
+ADD . /build
+RUN make BUILD_VERSION=${VERSION}
+
+FROM alpine:3.16@sha256:3d426b0bfc361d6e8303f51459f17782b219dece42a1c7fe463b6014b189c86d AS runner
+LABEL org.opencontainers.image.source="https://github.com/DataDog/threatest/"
+COPY --from=builder /build/bin/threatest /threatest
+ENTRYPOINT ["/threatest"]
+CMD ["--help"]
@@ -30,15 +30,13 @@ github.com/aws/aws-sdk-go-v2/service/sso,https://github.com/aws/aws-sdk-go-v2/bl
 github.com/aws/aws-sdk-go-v2/service/sts,https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.14.0/service/sts/LICENSE.txt,Apache-2.0
 github.com/aws/smithy-go,https://github.com/aws/smithy-go/blob/v1.12.0/LICENSE,Apache-2.0
 github.com/datadog/stratus-red-team/v2,https://github.com/datadog/stratus-red-team/blob/v2.2.3/v2/LICENSE,Apache-2.0
-github.com/datadog/threatest/pkg/threatest,Unknown,Unknown
-github.com/datadog/threatest/pkg/threatest/detonators,Unknown,Unknown
-github.com/datadog/threatest/pkg/threatest/matchers,Unknown,Unknown
+github.com/datadog/threatest/pkg/threatest,https://github.com/datadog/threatest/blob/HEAD/LICENSE,Apache-2.0
 github.com/davecgh/go-spew/spew,https://github.com/davecgh/go-spew/blob/v1.1.1/LICENSE,ISC
 github.com/go-logr/logr,https://github.com/go-logr/logr/blob/v1.2.0/LICENSE,Apache-2.0
 github.com/gogo/protobuf,https://github.com/gogo/protobuf/blob/v1.3.2/LICENSE,BSD-3-Clause
 github.com/golang-jwt/jwt,https://github.com/golang-jwt/jwt/blob/v3.2.2/LICENSE,MIT
 github.com/golang/protobuf,https://github.com/golang/protobuf/blob/v1.5.2/LICENSE,BSD-3-Clause
-github.com/google/go-cmp/cmp,https://github.com/google/go-cmp/blob/v0.5.8/LICENSE,BSD-3-Clause
+github.com/google/go-cmp/cmp,https://github.com/google/go-cmp/blob/v0.5.9/LICENSE,BSD-3-Clause
 github.com/google/gofuzz,https://github.com/google/gofuzz/blob/v1.1.0/LICENSE,Apache-2.0
 github.com/google/uuid,https://github.com/google/uuid/blob/v1.3.0/LICENSE,BSD-3-Clause
 github.com/googleapis/gnostic,https://github.com/googleapis/gnostic/blob/v0.5.5/LICENSE,Apache-2.0
@@ -59,26 +57,26 @@ github.com/modern-go/reflect2,https://github.com/modern-go/reflect2/blob/v1.0.2/
 github.com/pkg/browser,https://github.com/pkg/browser/blob/ce105d075bb4/LICENSE,BSD-2-Clause
 github.com/spf13/pflag,https://github.com/spf13/pflag/blob/v1.0.5/LICENSE,BSD-3-Clause
 github.com/zclconf/go-cty/cty,https://github.com/zclconf/go-cty/blob/v1.9.1/LICENSE,MIT
-golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/c6db032c:LICENSE,BSD-3-Clause
-golang.org/x/net,https://cs.opensource.google/go/x/net/+/2871e0cb:LICENSE,BSD-3-Clause
-golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/d3ed0bb2:LICENSE,BSD-3-Clause
-golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/5e4e11fc:LICENSE,BSD-3-Clause
-golang.org/x/term,https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE,BSD-3-Clause
-golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.3.7:LICENSE,BSD-3-Clause
-golang.org/x/time/rate,https://cs.opensource.google/go/x/time/+/1f47c861:LICENSE,BSD-3-Clause
-google.golang.org/protobuf,https://github.com/protocolbuffers/protobuf-go/blob/v1.27.1/LICENSE,BSD-3-Clause
+golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/v0.1.0:LICENSE,BSD-3-Clause
+golang.org/x/net,https://cs.opensource.google/go/x/net/+/v0.1.0:LICENSE,BSD-3-Clause
+golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/6fdb5e3d:LICENSE,BSD-3-Clause
+golang.org/x/sys/unix,https://cs.opensource.google/go/x/sys/+/v0.1.0:LICENSE,BSD-3-Clause
+golang.org/x/term,https://cs.opensource.google/go/x/term/+/v0.1.0:LICENSE,BSD-3-Clause
+golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.4.0:LICENSE,BSD-3-Clause
+golang.org/x/time/rate,https://cs.opensource.google/go/x/time/+/579cf78f:LICENSE,BSD-3-Clause
+google.golang.org/protobuf,https://github.com/protocolbuffers/protobuf-go/blob/v1.28.1/LICENSE,BSD-3-Clause
 gopkg.in/alessio/shellescape.v1,https://github.com/alessio/shellescape/blob/52074bc9df61/LICENSE,MIT
 gopkg.in/inf.v0,https://github.com/go-inf/inf/blob/v0.9.1/LICENSE,BSD-3-Clause
 gopkg.in/yaml.v2,https://github.com/go-yaml/yaml/blob/v2.4.0/LICENSE,Apache-2.0
-gopkg.in/yaml.v3,https://github.com/go-yaml/yaml/blob/496545a6307b/LICENSE,MIT
+gopkg.in/yaml.v3,https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE,MIT
 k8s.io/api,https://github.com/kubernetes/api/blob/v0.23.3/LICENSE,Apache-2.0
 k8s.io/apimachinery/pkg,https://github.com/kubernetes/apimachinery/blob/v0.23.3/LICENSE,Apache-2.0
 k8s.io/apimachinery/third_party/forked/golang,https://github.com/kubernetes/apimachinery/blob/v0.23.3/third_party/forked/golang/LICENSE,BSD-3-Clause
 k8s.io/client-go,https://github.com/kubernetes/client-go/blob/v0.23.3/LICENSE,Apache-2.0
-k8s.io/klog/v2,https://github.com/kubernetes/klog/blob/v2.30.0/LICENSE,Apache-2.0
+k8s.io/klog/v2,https://github.com/kubernetes/klog/blob/v2.80.1/LICENSE,Apache-2.0
 k8s.io/kube-openapi/pkg,https://github.com/kubernetes/kube-openapi/blob/e816edb12b65/LICENSE,Apache-2.0
 k8s.io/utils,https://github.com/kubernetes/utils/blob/6203023598ed/LICENSE,Apache-2.0
 k8s.io/utils/internal/third_party/forked/golang/net,https://github.com/kubernetes/utils/blob/6203023598ed/internal/third_party/forked/golang/LICENSE,BSD-3-Clause
 sigs.k8s.io/json,https://github.com/kubernetes-sigs/json/blob/c049b76a60c6/LICENSE,Apache-2.0
 sigs.k8s.io/structured-merge-diff/v4,https://github.com/kubernetes-sigs/structured-merge-diff/blob/v4.2.1/LICENSE,Apache-2.0
-sigs.k8s.io/yaml,https://github.com/kubernetes-sigs/yaml/blob/v1.2.0/LICENSE,MIT
+sigs.k8s.io/yaml,https://github.com/kubernetes-sigs/yaml/blob/v1.3.0/LICENSE,MIT
@@ -1,17 +1,28 @@
-.PHONY: mocks
+.PHONY: mocks parser
 
 MAKEFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
 ROOT_DIR := $(dir $(MAKEFILE_PATH))
 
+all: build
+
+build:
+	mkdir -p bin
+	go build -o bin/threatest cmd/threatest/*.go
+
 test:
 	go test $(shell go list ./... | grep -v examples)
 
 thirdparty-licenses:
 	go get github.com/google/go-licenses
 	go install github.com/google/go-licenses
-	$(GOPATH)/bin/go-licenses csv github.com/datadog/threatest/pkg/threatest | sort > $(ROOT_DIR)/LICENSE-3rdparty.csv
+	$${GOPATH}/bin/go-licenses csv github.com/datadog/threatest/pkg/threatest | sort > $(ROOT_DIR)/LICENSE-3rdparty.csv
 
 mocks:
 	mockery --name=Detonator --dir pkg/threatest/detonators/ --output pkg/threatest/detonators/mocks
 	mockery --name=AlertGeneratedMatcher --dir pkg/threatest/matchers/ --output pkg/threatest/matchers/mocks
 	mockery --name=DatadogSecuritySignalsAPI  --dir pkg/threatest/matchers/datadog --output pkg/threatest/matchers/datadog/mocks
+
+parser:
+	go get github.com/atombender/go-jsonschema/...
+	go install github.com/atombender/go-jsonschema/cmd/gojsonschema@latest
+	$${GOPATH}/bin/gojsonschema -p parser schemas/threatest.schema.json > pkg/threatest/parser/parser.go
@@ -34,11 +34,95 @@ Each detonation is assigned a UUID. This UUID is reflected in the detonation and
 
 The way this is done depends on the detonator; for instance, Stratus Red Team and the AWS Detonator inject it in the user-agent; the SSH detonator uses a parent process containing the UUID.
 
-## Sample usage
+## Usage
 
-See [examples](./examples) for complete usage example.
+### Through the CLI
 
-### Testing Datadog Cloud SIEM signals triggered by Stratus Red Team
+Threatest comes with a CLI that you can use to run test scenarios described as YAML, following a specific [schema](./schemas/threatest.schema.json). You can configure this schema in your editor to benefit from in-IDE linting and autocompletion (see [documentation for VSCode](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml#associating-a-schema-to-a-glob-pattern-via-yaml.schemas) using the [YAML](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml) extension).
+
+Sample usage:
+
+```bash
+$ threatest lint scenarios.threatest.yaml
+All 6 scenarios are syntaxically valid
+
+# Local detonation
+$ threatest run local-scenarios.threatest.yaml
+
+# Remote detonation over SSH
+$ threatest run scenarios.threatest.yaml --ssh-host test-box --ssh-username vagrant
+
+# Alternatively, specify SSH parameters from environment variables
+$ export THREATEST_SSH_HOST=test-box
+$ export THREATEST_SSH_USERNAME=vagrant
+$ threatest run scenarios.threatest.yaml
+```
+
+Sample scenario definition file:
+
+```yaml
+scenarios:
+  - description: curl metadata service
+    detonate:
+      remoteDetonator:
+        commands: ["curl http://169.254.169.254 --connect-timeout 1"]
+    expectations:
+      - timeout: 1m
+        datadogSecuritySignal:
+          name: "Network utility accessed cloud metadata service"
+          severity: medium
+
+  - description: running nmap
+    detonate:
+      remoteDetonator:
+        commands:
+          - "which nmap || sudo apt install -y nmap"
+          - "nmap -sn 172.16.2.1/32 -T5"
+    expectations:
+      - timeout: 1m
+        datadogSecuritySignal:
+          name: Network scanning utility executed
+```
+
+
+You can output the test results to a JSON file:
+
+```
+$ threatest run scenarios.threatest.yaml --output test-results.json
+$ cat test-results.json
+[
+  {
+    "description": "change user password",
+    "isSuccess": true,
+    "errorMessage": "",
+    "durationSeconds": 22.046627348,
+    "timeDetonated": "2022-11-15T22:26:14.182844+01:00"
+  },
+  {
+    "description": "adding an SSH key",
+    "isSuccess": true,
+    "errorMessage": "",
+    "durationSeconds": 23.604699625,
+    "timeDetonated": "2022-11-15T22:26:14.182832+01:00"
+  },
+  {
+    "description": "change user password",
+    "isSuccess": false,
+    "errorMessage": "At least one scenario failed:\n\nchange user password returned: change user password: 1 assertions did not pass\n =\u003e Did not find Datadog security signal 'bar'\n",
+    "durationSeconds": 3.505294235,
+    "timeDetonated": "2022-11-15T22:26:36.229349+01:00"
+  }
+]
+```
+
+By default, scenarios are run with a maximum parallelism of 5. You can increase this setting using the `--parallelism` argument.
+Note that when using remote SSH detonators, each scenario running establishes a new SSH connection.
+
+### Using Threatest programmatically
+
+See [examples](./examples) for complete programmatic usage example.
+
+#### Testing Datadog Cloud SIEM signals triggered by Stratus Red Team
 
 ```go
 threatest := Threatest()
 
@@ -0,0 +1,68 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"github.com/datadog/threatest/pkg/threatest"
+	"github.com/datadog/threatest/pkg/threatest/parser"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"os"
+)
+
+// LintCommand implements syntax verification of a Threatest scenario file
+type LintCommand struct {
+	InputFiles []string
+}
+
+func (m *LintCommand) Do() error {
+	if len(m.InputFiles) == 0 {
+		return errors.New("please provide at least 1 scenario")
+	}
+	var numScenarios = 0
+	for _, inputFile := range m.InputFiles {
+		rawScenario, err := os.ReadFile(inputFile)
+		if err != nil {
+			return fmt.Errorf("unable to read input file %s: %v", inputFile, err)
+		}
+		scenarios, err := parser.Parse(rawScenario, "unused", "", "")
+		if err != nil {
+			return fmt.Errorf("unable to parse input file %s: %v", inputFile, err)
+		}
+		for _, scenario := range scenarios {
+			if err := validateScenario(scenario); err != nil {
+				return fmt.Errorf("invalid scenario '%s': %s", scenario.Name, err.Error())
+			}
+		}
+		numScenarios += len(scenarios)
+	}
+	log.Infof("All %d scenarios are syntaxically valid", numScenarios)
+	return nil
+}
+
+func validateScenario(scenario *threatest.Scenario) error {
+	if scenario.Detonator == nil {
+		return errors.New("no detonator defined")
+	}
+	if len(scenario.Assertions) == 0 {
+		return errors.New("no assertion defined")
+	}
+	return nil
+}
+
+func NewLintCommand() *cobra.Command {
+	lintCmd := &cobra.Command{
+		Use:          "lint",
+		Short:        "Validate the format of scenarios",
+		SilenceUsage: true,
+		Example:      "lint /path/to/scenario/1 [/path/to/scenario/2]...",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			command := LintCommand{
+				InputFiles: args,
+			}
+			return command.Do()
+		},
+	}
+
+	return lintCmd
+}
@@ -0,0 +1,21 @@
+package main
+
+import (
+	"github.com/spf13/cobra"
+	"os"
+)
+
+var rootCmd = &cobra.Command{
+	Use: "threatest",
+}
+
+func init() {
+	rootCmd.AddCommand(NewRunCommand())
+	rootCmd.AddCommand(NewLintCommand())
+}
+
+func main() {
+	if err := rootCmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}