Add Bulk Cloud Compliance Status API #838 (#873)

* Add ingest scan status and scan status API for cloud compliance scans * Merge cloud compliance and compliance start scan APIs and make status response for cloud compliance and compliance consistent * Fix Malware scan request and add linux to node_types for compliance start scan API * Replace hard coded strings and removing start cloud compliance API from docs
deepfence · Feb 8, 2023 · 25efe1e · 25efe1e
1 parent 93ddb07
commit 25efe1e
Show file tree

Hide file tree

Showing 9 changed files with 338 additions and 55 deletions.
diff --git a/deepfence_server/apiDocs/operation.go b/deepfence_server/apiDocs/operation.go
@@ -190,6 +190,10 @@ func (d *OpenApiDocs) AddIngestersOperations() {
 		"Ingest Cloud Compliances", "Ingest Cloud compliances found while scanning cloud provider",
 		http.StatusOK, []string{tagCloudScanner}, bearerToken, new([]ingester.CloudCompliance), nil)
 
+	d.AddOperation("ingestCloudComplianceScanStatus", http.MethodPost, "/deepfence/ingest/cloud-compliance-scan-status",
+		"Ingest Cloud Compliances", "Ingest Cloud compliances found while scanning cloud provider",
+		http.StatusOK, []string{tagCloudScanner}, bearerToken, new([]ingester.CloudCompliance), nil)
+
 	d.AddOperation("ingestMalwareScanStatus", http.MethodPost, "/deepfence/ingest/malware-scan-logs",
 		"Ingest Malware Scan Status", "Ingest malware scan status from the agent",
 		http.StatusOK, []string{tagMalwareScan}, bearerToken, new([]ingester.MalwareScanStatus), nil)
@@ -217,9 +221,6 @@ func (d *OpenApiDocs) AddScansOperations() {
 	d.AddOperation("startMalwareScan", http.MethodPost, "/deepfence/scan/start/malware",
 		"Start Malware Scan", "Start Malware Scan on agent or registry",
 		http.StatusAccepted, []string{tagMalwareScan}, bearerToken, new(model.MalwareScanTriggerReq), new(model.ScanTriggerResp))
-	d.AddOperation("startCloudComplianceScans", http.MethodPost, "/deepfence/scan/start/cloud-compliance",
-		"Start Cloud Compliance Scans", "Start Cloud Compliance Scans on cloud nodes", http.StatusAccepted,
-		[]string{tagCloudScanner}, bearerToken, new(model.CloudComplianceScanTriggerReq), new(model.ScanTriggerResp))
 
 	// Stop scan
 	d.AddOperation("stopVulnerabilityScan", http.MethodPost, "/deepfence/scan/stop/vulnerability",
@@ -244,10 +245,13 @@ func (d *OpenApiDocs) AddScansOperations() {
 		http.StatusOK, []string{tagSecretScan}, bearerToken, new(model.ScanStatusReq), new(model.ScanStatusResp))
 	d.AddOperation("statusComplianceScan", http.MethodGet, "/deepfence/scan/status/compliance",
 		"Get Compliance Scan Status", "Get Compliance Scan Status on agent or registry",
-		http.StatusOK, []string{tagCompliance}, bearerToken, new(model.ScanStatusReq), new(model.ScanStatusResp))
+		http.StatusOK, []string{tagCompliance}, bearerToken, new(model.ScanStatusReq), new(model.ComplianceScanStatusResp))
 	d.AddOperation("statusMalwareScan", http.MethodGet, "/deepfence/scan/status/malware",
 		"Get Malware Scan Status", "Get Malware Scan status on agent or registry",
 		http.StatusOK, []string{tagMalwareScan}, bearerToken, new(model.ScanStatusReq), new(model.ScanStatusResp))
+	d.AddOperation("statusCloudComplianceScan", http.MethodGet, "/deepfence/scan/status/cloud-compliance",
+		"Get Cloud Compliance Scan Status", "Get Cloud Compliance Scan Status on cloud node",
+		http.StatusOK, []string{tagCloudScanner}, bearerToken, new(model.ScanStatusReq), new(model.ComplianceScanStatusResp))
 
 	// List scans
 	d.AddOperation("listVulnerabilityScans", http.MethodPost, "/deepfence/scan/list/vulnerability",

diff --git a/deepfence_server/handler/cloud_node.go b/deepfence_server/handler/cloud_node.go
@@ -14,6 +14,17 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+var (
+	AWS_DEFAULT_CONTROLS = map[string][]string{
+		"cis":   []string{"control.cis_v140_4_1", "control.cis_v140_4_2", "control.cis_v140_4_3", "control.cis_v140_4_4", "control.cis_v140_4_5", "control.cis_v140_4_6", "control.cis_v140_4_7", "control.cis_v140_4_8", "control.cis_v140_4_9", "control.cis_v140_4_10", "control.cis_v140_4_11", "control.cis_v140_4_12", "control.cis_v140_4_13", "control.cis_v140_4_14", "control.cis_v140_4_15", "control.cis_v140_5_1", "control.cis_v140_5_2", "control.cis_v140_5_3", "control.cis_v140_5_4", "control.cis_v140_3_1", "control.cis_v140_3_2", "control.cis_v140_3_3", "control.cis_v140_3_4", "control.cis_v140_3_5", "control.cis_v140_3_6", "control.cis_v140_3_7", "control.cis_v140_3_8", "control.cis_v140_3_9", "control.cis_v140_3_10", "control.cis_v140_3_11", "control.cis_v140_1_1", "control.cis_v140_1_2", "control.cis_v140_1_3", "control.cis_v140_1_4", "control.cis_v140_1_5", "control.cis_v140_1_6", "control.cis_v140_1_7", "control.cis_v140_1_8", "control.cis_v140_1_9", "control.cis_v140_1_10", "control.cis_v140_1_11", "control.cis_v140_1_12", "control.cis_v140_1_13", "control.cis_v140_1_14", "control.cis_v140_1_15", "control.cis_v140_1_16", "control.cis_v140_1_17", "control.cis_v140_1_18", "control.cis_v140_1_19", "control.cis_v140_1_20", "control.cis_v140_1_21", "control.cis_v140_2_1_1", "control.cis_v140_2_1_2", "control.cis_v140_2_1_3", "control.cis_v140_2_1_4", "control.cis_v140_2_1_5", "control.cis_v140_2_2_1", "control.cis_v140_2_3_1"},
+		"gdpr":  []string{"benchmark.article_30", "benchmark.article_32", "benchmark.article_25"},
+		"hipaa": []string{"benchmark.hipaa_164_308_a_8", "benchmark.hipaa_164_308_a_4_ii_b", "benchmark.hipaa_164_308_a_4_ii_c", "benchmark.hipaa_164_308_a_1_ii_a", "benchmark.hipaa_164_308_a_7_i", "benchmark.hipaa_164_308_a_1_ii_b", "benchmark.hipaa_164_308_a_7_ii_b", "benchmark.hipaa_164_308_a_5_ii_b", "benchmark.hipaa_164_308_a_3_ii_b", "benchmark.hipaa_164_308_a_6_ii", "benchmark.hipaa_164_308_a_7_ii_c", "benchmark.hipaa_164_308_a_3_ii_c", "benchmark.hipaa_164_308_a_4_i", "benchmark.hipaa_164_308_a_5_ii_d", "benchmark.hipaa_164_308_a_5_ii_c", "benchmark.hipaa_164_308_a_4_ii_a", "benchmark.hipaa_164_308_a_1_ii_d", "benchmark.hipaa_164_308_a_3_ii_a", "benchmark.hipaa_164_308_a_3_i", "benchmark.hipaa_164_308_a_6_i", "benchmark.hipaa_164_308_a_7_ii_a", "benchmark.hipaa_164_312_d", "benchmark.hipaa_164_312_a_2_ii", "benchmark.hipaa_164_312_e_2_i", "benchmark.hipaa_164_312_e_1", "benchmark.hipaa_164_312_c_1", "benchmark.hipaa_164_312_a_1", "benchmark.hipaa_164_312_a_2_i", "benchmark.hipaa_164_312_a_2_iv", "benchmark.hipaa_164_312_b", "benchmark.hipaa_164_312_c_2", "benchmark.hipaa_164_312_e_2_ii"},
+		"nist":  []string{"benchmark.nist_800_53_rev_4_sc_2", "benchmark.nist_800_53_rev_4_sc_4", "benchmark.nist_800_53_rev_4_sc_5", "benchmark.nist_800_53_rev_4_sc_7", "benchmark.nist_800_53_rev_4_sc_8", "benchmark.nist_800_53_rev_4_sc_12", "benchmark.nist_800_53_rev_4_sc_13", "benchmark.nist_800_53_rev_4_sc_23", "benchmark.nist_800_53_rev_4_sc_28", "benchmark.nist_800_53_rev_4_cp_9", "benchmark.nist_800_53_rev_4_cp_10", "benchmark.nist_800_53_rev_4_ca_7", "benchmark.nist_800_53_rev_4_sa_3", "benchmark.nist_800_53_rev_4_sa_10", "benchmark.nist_800_53_rev_4_si_2_2", "benchmark.nist_800_53_rev_4_si_4", "benchmark.nist_800_53_rev_4_si_7", "benchmark.nist_800_53_rev_4_si_12", "benchmark.nist_800_53_rev_4_ac_2", "benchmark.nist_800_53_rev_4_ac_3", "benchmark.nist_800_53_rev_4_ac_4", "benchmark.nist_800_53_rev_4_ac_5", "benchmark.nist_800_53_rev_4_ac_6", "benchmark.nist_800_53_rev_4_ac_17_1", "benchmark.nist_800_53_rev_4_ac_17_2", "benchmark.nist_800_53_rev_4_ac_17_3", "benchmark.nist_800_53_rev_4_ac_21", "benchmark.nist_800_53_rev_4_ir_4_1", "benchmark.nist_800_53_rev_4_ir_6_1", "benchmark.nist_800_53_rev_4_ir_7_1", "benchmark.nist_800_53_rev_4_ra_5", "benchmark.nist_800_53_rev_4_cm_2", "benchmark.nist_800_53_rev_4_cm_7", "benchmark.nist_800_53_rev_4_cm_8_1", "benchmark.nist_800_53_rev_4_cm_8_3", "benchmark.nist_800_53_rev_4_au_2", "benchmark.nist_800_53_rev_4_au_3", "benchmark.nist_800_53_rev_4_au_6_1", "benchmark.nist_800_53_rev_4_au_6_3", "benchmark.nist_800_53_rev_4_au_7_1", "benchmark.nist_800_53_rev_4_au_9", "benchmark.nist_800_53_rev_4_au_11", "benchmark.nist_800_53_rev_4_au_12", "benchmark.nist_800_53_rev_4_ia_2", "benchmark.nist_800_53_rev_4_ia_5_1", "benchmark.nist_800_53_rev_4_ia_5_4", "benchmark.nist_800_53_rev_4_ia_5_7"},
+		"pci":   []string{"control.pci_v321_config_1", "control.pci_v321_dms_1", "control.pci_v321_sagemaker_1", "control.pci_v321_rds_1", "control.pci_v321_rds_2", "control.pci_v321_lambda_1", "control.pci_v321_lambda_2", "control.pci_v321_es_1", "control.pci_v321_es_2", "control.pci_v321_redshift_1", "control.pci_v321_cw_1", "control.pci_v321_elbv2_1", "control.pci_v321_kms_1", "control.pci_v321_ssm_1", "control.pci_v321_ssm_2", "control.pci_v321_ssm_3", "control.pci_v321_codebuild_1", "control.pci_v321_codebuild_2", "control.pci_v321_opensearch_1", "control.pci_v321_opensearch_2", "control.pci_v321_s3_1", "control.pci_v321_s3_2", "control.pci_v321_s3_3", "control.pci_v321_s3_4", "control.pci_v321_s3_5", "control.pci_v321_s3_6", "control.pci_v321_autoscaling_1", "control.pci_v321_cloudtrail_1", "control.pci_v321_cloudtrail_2", "control.pci_v321_cloudtrail_3", "control.pci_v321_cloudtrail_4", "control.pci_v321_guardduty_1", "control.pci_v321_iam_1", "control.pci_v321_iam_2", "control.pci_v321_iam_3", "control.pci_v321_iam_4", "control.pci_v321_iam_5", "control.pci_v321_iam_6", "control.pci_v321_iam_7", "control.pci_v321_iam_8", "control.pci_v321_ec2_1", "control.pci_v321_ec2_2", "control.pci_v321_ec2_3", "control.pci_v321_ec2_4", "control.pci_v321_ec2_5", "control.pci_v321_ec2_6"},
+		"soc2":  []string{"benchmark.soc_2_cc_5_1", "benchmark.soc_2_cc_5_2", "benchmark.soc_2_cc_5_3", "benchmark.soc_2_p_2_1", "benchmark.soc_2_p_6_1", "benchmark.soc_2_p_6_2", "benchmark.soc_2_p_6_3", "benchmark.soc_2_p_6_4", "benchmark.soc_2_p_6_5", "benchmark.soc_2_p_6_6", "benchmark.soc_2_p_6_7", "benchmark.soc_2_cc_4_1", "benchmark.soc_2_cc_4_2", "benchmark.soc_2_p_4_1", "benchmark.soc_2_p_4_2", "benchmark.soc_2_p_4_3", "benchmark.soc_2_cc_8_1", "benchmark.soc_2_p_8_1", "benchmark.soc_2_p_3_1", "benchmark.soc_2_p_3_2", "benchmark.soc_2_cc_1_1", "benchmark.soc_2_cc_1_2", "benchmark.soc_2_cc_1_3", "benchmark.soc_2_cc_1_4", "benchmark.soc_2_cc_1_5", "benchmark.soc_2_cc_a_1_1", "benchmark.soc_2_cc_a_1_2", "benchmark.soc_2_cc_a_1_3", "benchmark.soc_2_p_7_1", "benchmark.soc_2_p_1_1", "benchmark.soc_2_cc_9_1", "benchmark.soc_2_cc_9_2", "benchmark.soc_2_cc_2_1", "benchmark.soc_2_cc_2_2", "benchmark.soc_2_cc_2_3", "benchmark.soc_2_cc_6_1", "benchmark.soc_2_cc_6_2", "benchmark.soc_2_cc_6_3", "benchmark.soc_2_cc_6_4", "benchmark.soc_2_cc_6_5", "benchmark.soc_2_cc_6_6", "benchmark.soc_2_cc_6_7", "benchmark.soc_2_cc_6_8", "benchmark.soc_2_p_5_1", "benchmark.soc_2_p_5_2", "benchmark.soc_2_cc_3_1", "benchmark.soc_2_cc_3_2", "benchmark.soc_2_cc_3_3", "benchmark.soc_2_cc_3_4", "benchmark.soc_2_cc_c_1_1", "benchmark.soc_2_cc_c_1_2", "benchmark.soc_2_cc_7_1", "benchmark.soc_2_cc_7_2", "benchmark.soc_2_cc_7_3", "benchmark.soc_2_cc_7_4", "benchmark.soc_2_cc_7_5"},
+	}
+)
+
 func (h *Handler) RegisterCloudNodeAccountHandler(w http.ResponseWriter, r *http.Request) {
 	req, err := extractCloudNodeDetails(w, r)
 	if err != nil {
@@ -60,15 +71,17 @@ func (h *Handler) RegisterCloudNodeAccountHandler(w http.ResponseWriter, r *http
 			if err != nil {
 				complianceError(w, err.Error())
 			}
-			pendingScansList, err := reporters.GetPendingScansList(ctx, utils.CLOUD_COMPLIANCE_SCAN, monitoredNodeId)
+			pendingScansList, err := reporters.GetCloudCompliancePendingScansList(ctx, utils.NEO4J_CLOUD_COMPLIANCE_SCAN, monitoredNodeId)
 			if err != nil {
 				continue
 			}
 			for _, scan := range pendingScansList.ScansInfo {
+				controls, _ := AWS_DEFAULT_CONTROLS[scan.BenchmarkType]
 				scanDetail := model.CloudComplianceScanDetails{
 					ScanId:    scan.ScanId,
-					ScanType:  "cis",
+					ScanType:  scan.BenchmarkType,
 					AccountId: monitoredNodeId,
+					Controls:  controls,
 				}
 				scanList[scan.ScanId] = scanDetail
 			}
@@ -86,7 +99,7 @@ func (h *Handler) RegisterCloudNodeAccountHandler(w http.ResponseWriter, r *http
 			logrus.Infof("Error while upserting node: %+v", err)
 			complianceError(w, err.Error())
 		}
-		pendingScansList, err := reporters.GetPendingScansList(ctx, utils.CLOUD_COMPLIANCE_SCAN, nodeId)
+		pendingScansList, err := reporters.GetCloudCompliancePendingScansList(ctx, utils.NEO4J_CLOUD_COMPLIANCE_SCAN, nodeId)
 		if err != nil || len(pendingScansList.ScansInfo) == 0 {
 			logrus.Debugf("No pending scans found for node id: %s", nodeId)
 			httpext.JSON(w, http.StatusOK,
@@ -95,10 +108,12 @@ func (h *Handler) RegisterCloudNodeAccountHandler(w http.ResponseWriter, r *http
 			return
 		}
 		for _, scan := range pendingScansList.ScansInfo {
+			controls, _ := AWS_DEFAULT_CONTROLS[scan.BenchmarkType]
 			scanDetail := model.CloudComplianceScanDetails{
 				ScanId:    scan.ScanId,
-				ScanType:  utils.CLOUD_COMPLIANCE_SCAN,
-				AccountId: nodeId,
+				ScanType:  scan.BenchmarkType,
+				AccountId: req.CloudAccount,
+				Controls:  controls,
 			}
 			scanList[scan.ScanId] = scanDetail
 		}

diff --git a/deepfence_server/handler/scan_reports.go b/deepfence_server/handler/scan_reports.go
@@ -208,8 +208,8 @@ func (h *Handler) StartSecretScanHandler(w http.ResponseWriter, r *http.Request)
 }
 
 func (h *Handler) StartComplianceScanHandler(w http.ResponseWriter, r *http.Request) {
-	var reqq model.ComplianceScanTriggerReq
-	err := httpext.DecodeJSON(r, httpext.NoQueryParams, MaxPostRequestSize, &reqq)
+	var req model.ComplianceScanTriggerReq
+	err := httpext.DecodeJSON(r, httpext.NoQueryParams, MaxPostRequestSize, &req)
 	if err != nil {
 		log.Error().Msgf("%v", err)
 		respondError(&BadDecoding{err}, w)
@@ -232,7 +232,7 @@ func (h *Handler) StartComplianceScanHandler(w http.ResponseWriter, r *http.Requ
 }
 
 func (h *Handler) StartMalwareScanHandler(w http.ResponseWriter, r *http.Request) {
-	var reqs model.ComplianceScanTriggerReq
+	var reqs model.MalwareScanTriggerReq
 	err := httpext.DecodeJSON(r, httpext.NoQueryParams, MaxPostRequestSize, &reqs)
 	if err != nil {
 		log.Error().Msgf("%v", err)
@@ -290,15 +290,27 @@ func (h *Handler) StartMalwareScanHandler(w http.ResponseWriter, r *http.Request
 }
 
 func (h *Handler) StartCloudComplianceScanHandler(w http.ResponseWriter, r *http.Request) {
-	var reqs model.CloudComplianceScanTriggerReq
+	var reqs model.ComplianceScanTriggerReq
 	err := httpext.DecodeJSON(r, httpext.NoQueryParams, MaxPostRequestSize, &reqs)
 	if err != nil {
 		log.Error().Msgf("%v", err)
 		respondError(&BadDecoding{err}, w)
 		return
 	}
 
-	scanIds, bulkId, err := startMultiCloudComplianceScan(r.Context(), reqs.ScanTriggers)
+	var scanTrigger model.ComplianceScanTrigger
+	if len(reqs.ScanTriggers) > 0 {
+		scanTrigger = reqs.ScanTriggers[0]
+	}
+
+	var scanIds []string
+	var bulkId string
+	if scanTrigger.NodeType == reporters.CLOUD_AWS || scanTrigger.NodeType == reporters.CLOUD_GCP || scanTrigger.NodeType == reporters.CLOUD_AZURE {
+		scanIds, bulkId, err = startMultiCloudComplianceScan(r.Context(), reqs.ScanTriggers)
+	} else {
+		scanIds, bulkId, err = startMultiComplianceScan(r.Context(), reqs.ScanTriggers)
+	}
+
 	if err != nil {
 		log.Error().Msgf("%v", err)
 		respondError(err, w)
@@ -470,6 +482,11 @@ func (h *Handler) IngestMalwareScanStatusReportHandler(w http.ResponseWriter, r
 	ingest_scan_report_kafka(w, r, ingester, h.IngestChan)
 }
 
+func (h *Handler) IngestCloudComplianceScanStatusReportHandler(w http.ResponseWriter, r *http.Request) {
+	ingester := ingesters.NewCloudComplianceScanStatusIngester()
+	ingest_scan_report_kafka(w, r, ingester, h.IngestChan)
+}
+
 func ingest_scan_report_kafka[T any](
 	respWrite http.ResponseWriter,
 	req *http.Request,
@@ -519,13 +536,17 @@ func (h *Handler) StatusSecretScanHandler(w http.ResponseWriter, r *http.Request
 }
 
 func (h *Handler) StatusComplianceScanHandler(w http.ResponseWriter, r *http.Request) {
-	statusScanHandler(w, r, utils.NEO4J_COMPLIANCE_SCAN)
+	complianceStatusScanHandler(w, r, utils.NEO4J_COMPLIANCE_SCAN)
 }
 
 func (h *Handler) StatusMalwareScanHandler(w http.ResponseWriter, r *http.Request) {
 	statusScanHandler(w, r, utils.NEO4J_MALWARE_SCAN)
 }
 
+func (h *Handler) StatusCloudComplianceScanHandler(w http.ResponseWriter, r *http.Request) {
+	complianceStatusScanHandler(w, r, utils.NEO4J_CLOUD_COMPLIANCE_SCAN)
+}
+
 func statusScanHandler(w http.ResponseWriter, r *http.Request, scan_type utils.Neo4jScanType) {
 	defer r.Body.Close()
 	var req model.ScanStatusReq
@@ -556,6 +577,32 @@ func statusScanHandler(w http.ResponseWriter, r *http.Request, scan_type utils.N
 	httpext.JSON(w, http.StatusOK, statuses)
 }
 
+func complianceStatusScanHandler(w http.ResponseWriter, r *http.Request, scan_type utils.Neo4jScanType) {
+	defer r.Body.Close()
+	var req model.ScanStatusReq
+	err := httpext.DecodeQueryParams(r, &req)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		respondError(&BadDecoding{err}, w)
+		return
+	}
+
+	var statuses model.ComplianceScanStatusResp
+	if req.BulkScanId != "" {
+		statuses, err = reporters.GetComplianceBulkScans(r.Context(), scan_type, req.BulkScanId)
+	} else {
+		statuses, err = reporters.GetComplianceScanStatus(r.Context(), scan_type, req.ScanIds)
+	}
+
+	if err != nil {
+		log.Error().Msgf("%v, req=%v", err, req)
+		respondError(err, w)
+		return
+	}
+
+	httpext.JSON(w, http.StatusOK, statuses)
+}
+
 func (h *Handler) ListVulnerabilityScansHandler(w http.ResponseWriter, r *http.Request) {
 	listScansHandler(w, r, utils.NEO4J_VULNERABILITY_SCAN)
 }
@@ -811,7 +858,7 @@ func startMultiScan(ctx context.Context, gen_bulk_id bool, scan_type utils.Neo4j
 	return scanIds, bulkId, tx.Commit()
 }
 
-func startMultiCloudComplianceScan(ctx context.Context, reqs []model.CloudComplianceScanTrigger) ([]string, string, error) {
+func startMultiCloudComplianceScan(ctx context.Context, reqs []model.ComplianceScanTrigger) ([]string, string, error) {
 	driver, err := directory.Neo4jClient(ctx)
 
 	if err != nil {
@@ -864,3 +911,14 @@ func startMultiCloudComplianceScan(ctx context.Context, reqs []model.CloudCompli
 
 	return scanIds, bulkId, tx.Commit()
 }
+
+func startMultiComplianceScan(ctx context.Context, reqs []model.ComplianceScanTrigger) ([]string, string, error) {
+	scanIds := []string{}
+	bulkId := bulkScanId()
+	for _, req := range reqs {
+		for _, benchmarkType := range req.BenchmarkTypes {
+			scanIds = append(scanIds, cloudComplianceScanId(req.NodeId, benchmarkType))
+		}
+	}
+	return scanIds, bulkId, nil
+}
diff --git a/deepfence_server/ingesters/cloud_compliance_ingester.go b/deepfence_server/ingesters/cloud_compliance_ingester.go
@@ -47,3 +47,39 @@ func (tc *CloudComplianceIngester) Ingest(
 
 	return nil
 }
+
+type CloudComplianceScanStatusIngester struct{}
+
+func NewCloudComplianceScanStatusIngester() KafkaIngester[ingesters.CloudComplianceScanStatus] {
+	return &CloudComplianceScanStatusIngester{}
+}
+
+func (tc *CloudComplianceScanStatusIngester) Ingest(
+	ctx context.Context,
+	cs ingesters.CloudComplianceScanStatus,
+	ingestC chan *kgo.Record,
+) error {
+
+	tenantID, err := directory.ExtractNamespace(ctx)
+	if err != nil {
+		return err
+	}
+
+	rh := []kgo.RecordHeader{
+		{Key: "tenant_id", Value: []byte(tenantID)},
+	}
+
+	cb, err := json.Marshal(cs)
+	if err != nil {
+		log.Error().Msg(err.Error())
+	} else {
+		ingestC <- &kgo.Record{
+			Topic:   utils.CLOUD_COMPLIANCE_SCAN_STATUS,
+			Value:   cb,
+			Headers: rh,
+		}
+	}
+
+	return nil
+
+}
diff --git a/deepfence_server/model/cloud_node.go b/deepfence_server/model/cloud_node.go
@@ -50,9 +50,10 @@ type CloudNodeAccountInfo struct {
 }
 
 type CloudComplianceScanDetails struct {
-	ScanId    string `json:"scan_id"`
-	ScanType  string `json:"scan_type"`
-	AccountId string `json:"account_id"`
+	ScanId    string   `json:"scan_id"`
+	ScanType  string   `json:"scan_type"`
+	AccountId string   `json:"account_id"`
+	Controls  []string `json:"controls"`
 }
 
 type CloudNodeCloudtrailTrail struct {