paloalto-sec-inspector -- Architecture Specification
1. Overview
Palo Alto Networks is a leading cybersecurity platform that provides network security (PAN-OS firewalls and Panorama), cloud security (Prisma Cloud CSPM/CWPP/CIEM), and security operations (Cortex XSIAM/XSOAR). Organizations operating in regulated industries depend on Palo Alto products to enforce network segmentation, threat prevention, encryption policies, workload protection, and cloud security posture management.
paloalto-sec-inspector is a security compliance inspector that programmatically audits Palo Alto Networks environments across three primary surfaces:
- Prisma Cloud CSPM -- Cloud Security Posture Management: compliance posture, policy enforcement, alert configuration, IAM analysis, asset inventory, and cloud account governance.
- Prisma Cloud CWPP -- Cloud Workload Protection Platform: container image vulnerabilities, host compliance, runtime defense policies, defender deployment, and registry scanning.
- PAN-OS Firewalls / Panorama -- Network security device configuration: security rules, zone segmentation, threat prevention profiles, SSL/TLS decryption, GlobalProtect VPN, WildFire analysis, URL filtering, admin roles, and logging.
The tool produces compliance-mapped audit reports against FedRAMP, CMMC 2.0, SOC 2, CIS Benchmarks, PCI-DSS 4.0, DISA STIG, IRAP, and ISMAP frameworks.
2. APIs & SDKs
2.1 Prisma Cloud CSPM API
Base URL: https://api<N>.prismacloud.io (region-dependent; check Administration > API URLs in console)
| Category | Key Endpoints | Method |
|---|---|---|
| Authentication | /login |
POST |
| Alerts | /alert, /v2/alert, /alert/policy |
GET/POST |
| Compliance Posture | /compliance/posture, /compliance/posture/trend, /compliance/posture/{complianceId} |
GET/POST |
| Compliance Standards | /compliance, /compliance/{complianceId}/requirement, /compliance/{complianceId}/requirement/{requirementId}/section |
GET |
| Asset Inventory | /v2/inventory, /filter/inventory, /inventory/trend |
GET/POST |
| Cloud Accounts | /cloud, /cloud/{cloudType}/{id}, /cloud/name |
GET/POST/PUT |
| IAM | /api/v1/permission, /api/v1/permission/access, /iam/query |
GET/POST |
| Policy | /policy, /v2/policy, /policy/{policyId} |
GET/POST/PUT/DELETE |
| Settings | /settings/{type}, /ip_allowlist_login |
GET/PUT |
| User Roles | /user/role, /user/role/{id} |
GET/POST/PUT/DELETE |
| Resource Scan Info | /resource/scan_info |
POST |
| Reports | /report, /report/{id}/download |
GET/POST |
| Vulnerabilities Dashboard | /v2/vulnerabilities/dashboard |
POST |
| Integrations | /integration, /integration/{id} |
GET/POST/PUT/DELETE |
| Audit Logs | /audit/redlock, /audit/logs |
GET |
| Account Groups | /cloud/group, /cloud/group/{id} |
GET/POST/PUT/DELETE |
2.2 Prisma Cloud CWPP (Compute) API
Base URL: https://<CONSOLE>/api/v<VERSION> (port 8083 for self-hosted; SaaS path from CSPM console)
| Category | Key Endpoints | Method |
|---|---|---|
| Authentication | /api/v1/authenticate (or use CSPM JWT) |
POST |
| Images | /images, /images/names, /images/scan |
GET/POST |
| Containers | /containers, /containers/scan, /containers/count |
GET/POST |
| Hosts | /hosts, /hosts/scan, /hosts/info |
GET/POST |
| Vulnerabilities | /stats/vulnerabilities, /vms, /serverless |
GET |
| Compliance | /compliance, /compliance/download, /compliance/progress |
GET |
| Defenders | /defenders, /defenders/summary, /defenders/names |
GET |
| Runtime | /audits/runtime/container, /audits/runtime/host, /policies/runtime/container |
GET |
| Registry | /registry, /registry/scan, /registry/names |
GET/POST |
| Policies | /policies/compliance/container, /policies/compliance/host, /policies/vulnerability/images |
GET/PUT |
| Collections | /collections, /collections/{id} |
GET/POST/PUT/DELETE |
| CI/CD Scans | /scans, /scans/{id} |
GET |
| Custom Rules | /custom-rules, /custom-rules/{id} |
GET/POST/PUT/DELETE |
| Cloud Discovery | /cloud/discovery, /cloud/discovery/entities |
GET |
| Trust | /trust/data |
GET |
| Settings | /settings/system, /settings/defender |
GET/PUT |
2.3 PAN-OS XML API (Firewalls & Panorama)
Base URL: https://<FIREWALL_IP>/api/ or https://<PANORAMA_IP>/api/
| Request Type | Action | Description |
|---|---|---|
type=config |
action=get |
Retrieve running/candidate configuration XPath |
type=config |
action=show |
Show active configuration XPath |
type=config |
action=set |
Set configuration element |
type=config |
action=edit |
Replace configuration element |
type=config |
action=delete |
Delete configuration element |
type=op |
N/A | Execute operational mode command |
type=report |
N/A | Generate/retrieve reports |
type=log |
log-type=traffic/threat/system/config/url |
Retrieve log entries |
type=export |
N/A | Export configuration, certificates, logs |
type=import |
N/A | Import configuration, certificates |
type=user-id |
N/A | User-ID agent operations |
type=commit |
N/A | Commit candidate configuration |
type=keygen |
N/A | Generate API key |
Key Configuration XPaths (for audit):
| XPath | What It Returns |
|---|---|
/config/devices/entry/vsys/entry/rulebase/security/rules |
Security policy rules |
/config/devices/entry/vsys/entry/zone |
Zone configuration |
/config/devices/entry/vsys/entry/profiles/virus |
Antivirus profiles |
/config/devices/entry/vsys/entry/profiles/spyware |
Anti-spyware profiles |
/config/devices/entry/vsys/entry/profiles/vulnerability |
Vulnerability protection profiles |
/config/devices/entry/vsys/entry/profiles/url-filtering |
URL filtering profiles |
/config/devices/entry/vsys/entry/profiles/file-blocking |
File blocking profiles |
/config/devices/entry/vsys/entry/profiles/wildfire-analysis |
WildFire analysis profiles |
/config/devices/entry/vsys/entry/profile-group |
Security profile groups |
/config/shared/ssl-tls-service-profile |
SSL/TLS service profiles |
/config/shared/ssl-decrypt |
SSL decryption rules |
/config/devices/entry/vsys/entry/rulebase/decryption/rules |
Decryption policy rules |
/config/shared/global-protect |
GlobalProtect configuration |
/config/shared/log-settings |
Logging configuration |
/config/mgt-config/users |
Admin user accounts |
/config/devices/entry/deviceconfig/system |
System settings (NTP, DNS, banners) |
/config/devices/entry/deviceconfig/setting |
Device settings (idle timeout, etc.) |
2.4 PAN-OS REST API (PAN-OS 9.0+)
Base URL: https://<FIREWALL_IP>/restapi/v<VERSION>/
| Endpoint | Description |
|---|---|
/restapi/v10.2/Objects/Addresses |
Address objects |
/restapi/v10.2/Objects/AddressGroups |
Address groups |
/restapi/v10.2/Policies/SecurityRules |
Security policy rules |
/restapi/v10.2/Policies/NATRules |
NAT rules |
/restapi/v10.2/Policies/DecryptionRules |
Decryption rules |
/restapi/v10.2/Network/Zones |
Network zones |
/restapi/v10.2/Network/Interfaces |
Network interfaces |
/restapi/v10.2/Device/Administrators |
Admin accounts |
/restapi/v10.2/Device/SystemSettings |
System settings |
2.5 SDKs and CLIs
| Tool | Language | Description |
|---|---|---|
pan-os-python |
Python | Official PAN-OS SDK; classes for Firewall, Panorama, SecurityRule, Zone, AddressObject, SecurityProfileGroup |
prismacloud-api (PyPI) |
Python | Official Prisma Cloud SDK for CSPM, CWPP, and CCS APIs |
pango |
Go | Community PAN-OS SDK for Go |
prismacloud-cli |
Python | CLI tool wrapping Prisma Cloud APIs |
pan-python |
Python | Low-level PAN-OS and WildFire API library |
Terraform Provider panos |
HCL/Go | Infrastructure as Code for PAN-OS |
Terraform Provider prismacloud |
HCL/Go | IaC for Prisma Cloud |
| Checkov | Python | Open-source IaC scanner (Bridgecrew / Prisma Cloud) with 750+ policies |
3. Authentication
3.1 Prisma Cloud (CSPM + CWPP)
| Parameter | Source | Description |
|---|---|---|
PRISMA_API_URL |
Env var | Tenant API base URL (e.g., https://api2.prismacloud.io) |
PRISMA_ACCESS_KEY_ID |
Env var | Access Key ID generated in Settings > Access Keys |
PRISMA_SECRET_KEY |
Env var | Corresponding secret key |
Flow:
- POST
{PRISMA_API_URL}/loginwith{"username": "<ACCESS_KEY_ID>", "password": "<SECRET_KEY>"}. - Response returns a JWT token (valid 10 minutes).
- Include
x-redlock-auth: <JWT>header on subsequent CSPM requests. - For CWPP/Compute, use the same JWT or authenticate separately at the Compute console endpoint.
3.2 PAN-OS (Firewall / Panorama)
| Parameter | Source | Description |
|---|---|---|
PANOS_HOST |
Env var | Firewall or Panorama management IP/hostname |
PANOS_API_KEY |
Env var | Pre-generated API key |
PANOS_USERNAME |
Env var (alt) | Admin username (for key generation) |
PANOS_PASSWORD |
Env var (alt) | Admin password (for key generation) |
Flow (API Key):
- Generate key: GET
https://<HOST>/api/?type=keygen&user=<USER>&password=<PASS>. - Response XML contains
<key>LUFRPT...</key>. - Include
key=<API_KEY>query parameter on all subsequent requests.
Flow (pan-os-python SDK):
from panos.firewall import Firewall
fw = Firewall('10.0.0.1', api_key='LUFRPT...')
# or
fw = Firewall('10.0.0.1', 'admin', 'password')
4. Security Controls
| # | Control Name | Description | API Source |
|---|---|---|---|
| 1 | CSPM Compliance Posture | Verify overall compliance scores across enabled standards (CIS, NIST, SOC 2, PCI-DSS, HIPAA) | CSPM: /compliance/posture |
| 2 | Alert Policy Coverage | Ensure critical alert rules are enabled and not dismissed; verify alert rule severity mappings | CSPM: /alert/policy, /v2/alert |
| 3 | IAM Overprivileged Access | Identify overprivileged IAM entities across cloud accounts using effective permissions analysis | CSPM: /api/v1/permission, /iam/query |
| 4 | Cloud Account Governance | Verify all cloud accounts are onboarded, monitored, and assigned to account groups | CSPM: /cloud, /cloud/group |
| 5 | Network Exposure Analysis | Detect publicly exposed resources, unrestricted security groups, and open ports | CSPM: /v2/inventory, policy rules |
| 6 | Encryption-at-Rest Verification | Confirm storage volumes, databases, and object stores use encryption with customer-managed keys | CSPM: compliance policies |
| 7 | Container Image Vulnerability | Scan deployed and registry container images for critical/high CVEs and ensure thresholds are enforced | CWPP: /images, /stats/vulnerabilities |
| 8 | Host Compliance Posture | Verify CIS benchmark compliance for Linux/Windows hosts monitored by Defenders | CWPP: /compliance, /hosts |
| 9 | Runtime Protection Policies | Confirm runtime defense policies are enabled for containers and hosts (process, network, filesystem) | CWPP: /policies/runtime/container, /audits/runtime |
| 10 | Defender Deployment Coverage | Ensure Defenders are deployed on all hosts/clusters and are connected and up-to-date | CWPP: /defenders, /defenders/summary |
| 11 | Registry Scanning Configuration | Verify container registries are configured for periodic scanning with vulnerability thresholds | CWPP: /registry, /settings/registry |
| 12 | Firewall Security Rule Audit | Analyze security rules for overly permissive rules (any/any), shadowed rules, and missing logging | PAN-OS: /rulebase/security/rules |
| 13 | Zone Segmentation Verification | Confirm proper zone architecture: inter-zone rules enforce least privilege, intra-zone traffic is denied by default | PAN-OS: /zone, /rulebase/security/rules |
| 14 | SSL/TLS Decryption Coverage | Verify decryption policies cover required traffic categories; audit certificate configuration and exemptions | PAN-OS: /rulebase/decryption/rules, /ssl-decrypt |
| 15 | GlobalProtect VPN Configuration | Audit portal/gateway config: MFA, certificate auth, HIP profiles, split-tunnel policies, idle timeout | PAN-OS: /global-protect |
| 16 | Threat Prevention Profiles | Verify antivirus, anti-spyware, and vulnerability protection profiles use strict/best-practice settings and are applied to all rules | PAN-OS: /profiles/virus, /profiles/spyware, /profiles/vulnerability |
| 17 | WildFire Analysis Configuration | Confirm WildFire profiles forward all file types, all applications; verify WildFire cloud connectivity | PAN-OS: /profiles/wildfire-analysis |
| 18 | URL Filtering Enforcement | Validate URL filtering profiles block high-risk categories; check credential phishing protections | PAN-OS: /profiles/url-filtering |
| 19 | Admin Role & Access Audit | Verify least-privilege admin roles, enforce MFA for admin access, check password complexity, audit superuser count | PAN-OS: /mgt-config/users; CSPM: /user/role |
| 20 | Logging & SIEM Integration | Confirm all rules log at session end/start, syslog/Panorama forwarding is configured, log retention meets requirements | PAN-OS: /log-settings; CSPM: /integration |
| 21 | Data Loss Prevention | Verify DLP policies are configured for sensitive data patterns in Prisma Cloud and file blocking on PAN-OS | CSPM: DLP policies; PAN-OS: /profiles/file-blocking |
| 22 | File Blocking Policies | Ensure dangerous file types (PE, ELF, scripts) are blocked across all zones | PAN-OS: /profiles/file-blocking |
| 23 | System Hardening | Verify NTP sync, DNS settings, login banner, idle timeout, SNMP community strings, permitted IPs for management | PAN-OS: /deviceconfig/system, /deviceconfig/setting |
| 24 | Cloud Discovery & Shadow IT | Detect unprotected cloud assets, unmanaged registries, and serverless functions not covered by Defenders | CWPP: /cloud/discovery |
| 25 | CI/CD Pipeline Security | Verify CI/CD image scanning is integrated, vulnerability gates are enforced, and admission control is configured | CWPP: /scans, admission policies |
5. Compliance Framework Mappings
| # | Control | FedRAMP | CMMC 2.0 | SOC 2 | CIS | PCI-DSS 4.0 | DISA STIG | IRAP | ISMAP |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CSPM Compliance Posture | CA-7, RA-5 | C.2.4, C.3.4 | CC7.1 | CIS CSC 4 | 6.3, 11.3 | V-XXXXX | ISM-1526 | 8.1.1 |
| 2 | Alert Policy Coverage | SI-4, IR-5 | C.2.1, C.5.3 | CC7.2, CC7.3 | CIS CSC 6 | 10.4, 12.10 | V-XXXXX | ISM-0120 | 8.2.1 |
| 3 | IAM Overprivileged Access | AC-6, AC-2 | C.1.1, C.1.4 | CC6.1, CC6.3 | CIS CSC 5, 6 | 7.1, 7.2 | V-XXXXX | ISM-1506 | 6.1.1 |
| 4 | Cloud Account Governance | CA-2, CM-8 | C.2.2, C.4.1 | CC6.6, CC8.1 | CIS CSC 1 | 2.4, 12.5 | V-XXXXX | ISM-1555 | 4.1.1 |
| 5 | Network Exposure Analysis | SC-7, AC-4 | C.3.13, C.4.6 | CC6.1, CC6.6 | CIS CSC 9, 12 | 1.2, 1.3 | V-XXXXX | ISM-1416 | 7.1.1 |
| 6 | Encryption at Rest | SC-28, SC-12 | C.3.8, C.3.10 | CC6.1, CC6.7 | CIS CSC 3 | 3.4, 3.5 | V-XXXXX | ISM-0457 | 7.2.1 |
| 7 | Container Image Vuln | RA-5, SI-2 | C.3.4, C.5.2 | CC7.1 | CIS CSC 7 | 6.3, 11.3 | V-XXXXX | ISM-1143 | 8.1.2 |
| 8 | Host Compliance Posture | CM-6, CM-2 | C.2.3, C.3.1 | CC6.1, CC8.1 | CIS CSC 4 | 2.2, 2.3 | V-XXXXX | ISM-1407 | 5.1.1 |
| 9 | Runtime Protection | SI-4, SI-7 | C.5.3, C.5.2 | CC7.2 | CIS CSC 8 | 11.5 | V-XXXXX | ISM-1233 | 8.3.1 |
| 10 | Defender Deployment | SI-4, CM-8 | C.2.4, C.5.1 | CC6.1, CC7.1 | CIS CSC 1, 2 | 11.4 | V-XXXXX | ISM-1034 | 8.1.3 |
| 11 | Registry Scanning | RA-5, CM-3 | C.3.4, C.5.2 | CC7.1, CC8.1 | CIS CSC 7 | 6.3 | V-XXXXX | ISM-1143 | 8.1.4 |
| 12 | Firewall Rule Audit | AC-4, SC-7 | C.3.13, C.4.6 | CC6.1, CC6.6 | CIS CSC 9 | 1.2, 1.3 | V-207184 | ISM-1416 | 7.1.2 |
| 13 | Zone Segmentation | SC-7, AC-4 | C.3.12, C.3.13 | CC6.1, CC6.6 | CIS CSC 12 | 1.2, 1.4 | V-207187 | ISM-1181 | 7.1.3 |
| 14 | SSL/TLS Decryption | SC-8, SI-4 | C.3.8, C.5.3 | CC6.1, CC6.7 | CIS CSC 9 | 4.1, 4.2 | V-207190 | ISM-0490 | 7.2.2 |
| 15 | GlobalProtect Config | IA-2, AC-17 | C.1.1, C.3.7 | CC6.1, CC6.2 | CIS CSC 13 | 8.3, 8.4 | V-207193 | ISM-1504 | 6.2.1 |
| 16 | Threat Prevention | SI-3, SI-4 | C.5.2, C.5.3 | CC6.8, CC7.1 | CIS CSC 8, 10 | 5.2, 5.3 | V-207196 | ISM-1288 | 8.2.2 |
| 17 | WildFire Analysis | SI-3, SI-4 | C.5.2, C.5.3 | CC6.8, CC7.1 | CIS CSC 8, 10 | 5.2 | V-207199 | ISM-1288 | 8.2.3 |
| 18 | URL Filtering | SC-7, SI-4 | C.3.13, C.5.3 | CC6.1, CC6.8 | CIS CSC 9 | 1.2, 6.2 | V-207202 | ISM-0261 | 7.3.1 |
| 19 | Admin Role Audit | AC-2, AC-6 | C.1.1, C.1.4 | CC6.1, CC6.3 | CIS CSC 5, 6 | 7.1, 8.2 | V-207205 | ISM-1506 | 6.1.2 |
| 20 | Logging & SIEM | AU-2, AU-6 | C.3.1, C.3.3 | CC7.2, CC7.3 | CIS CSC 6, 8 | 10.1, 10.2 | V-207208 | ISM-0580 | 8.4.1 |
| 21 | Data Loss Prevention | SC-28, SI-4 | C.3.8, C.5.3 | CC6.1, CC6.7 | CIS CSC 3 | 3.4, 3.5 | V-XXXXX | ISM-0457 | 7.2.3 |
| 22 | File Blocking | SI-3, SC-7 | C.5.2, C.5.3 | CC6.8 | CIS CSC 8, 10 | 5.2 | V-XXXXX | ISM-1288 | 8.2.4 |
| 23 | System Hardening | CM-6, CM-7 | C.2.3, C.3.1 | CC6.1, CC8.1 | CIS CSC 4 | 2.2, 2.3 | V-207211 | ISM-0380 | 5.1.2 |
| 24 | Cloud Discovery | CM-8, RA-5 | C.2.2, C.2.4 | CC6.1, CC7.1 | CIS CSC 1 | 11.2 | V-XXXXX | ISM-1034 | 4.1.2 |
| 25 | CI/CD Pipeline Security | SA-11, CM-3 | C.3.4, C.5.2 | CC8.1 | CIS CSC 7 | 6.3, 6.5 | V-XXXXX | ISM-1143 | 9.1.1 |
6. Existing Tools
| Tool | Description | Relevance |
|---|---|---|
| Checkov | Open-source IaC security scanner by Bridgecrew (now Prisma Cloud); 750+ built-in policies for Terraform, CloudFormation, Kubernetes, Docker | Reference for CSPM policy logic; can be invoked alongside paloalto-sec-inspector for IaC scanning |
| ScoutSuite | Multi-cloud security auditing tool by NCC Group; generates HTML reports from API-gathered cloud configuration data | Reference for cloud posture data collection patterns and report generation |
| pan-os-python | Official PAN-OS SDK for Python; object model for Firewall, Panorama, SecurityRule, Zone, etc. | Primary SDK for PAN-OS configuration auditing; use as data collection layer |
| prismacloud-api-python | Official Prisma Cloud Python SDK for CSPM, CWPP, and CCS APIs with reference scripts | SDK for Prisma Cloud data collection |
| prismacloud-cli | CLI tool wrapping Prisma Cloud APIs for operational workflows | Reference for CLI patterns and API interaction |
| pango | Go library for PAN-OS (community/Palo Alto); alternative to pan-os-python for Go implementations | Potential Go SDK for PAN-OS auditing if building in Go |
| Iron-Skillet | Day-one security best practice configuration templates for PAN-OS | Reference for security baseline comparison |
7. Architecture
The project mirrors the structure of okta-inspector:
paloalto-sec-inspector/
├── spec.md
├── pyproject.toml
├── src/
│ └── paloalto_inspector/
│ ├── __init__.py
│ ├── __main__.py
│ ├── cli.py # Click/Typer CLI entrypoint
│ ├── client.py # API client abstraction (Prisma Cloud + PAN-OS)
│ ├── clients/
│ │ ├── __init__.py
│ │ ├── prisma_cspm.py # Prisma Cloud CSPM API client
│ │ ├── prisma_cwpp.py # Prisma Cloud CWPP/Compute API client
│ │ └── panos.py # PAN-OS XML/REST API client
│ ├── collector.py # Orchestrates data collection across all clients
│ ├── engine.py # Compliance evaluation engine
│ ├── models.py # Data models (controls, findings, severities)
│ ├── output.py # Output formatting (JSON, table, summary)
│ ├── analyzers/
│ │ ├── __init__.py
│ │ ├── base.py # Base analyzer class
│ │ ├── common.py # Shared control evaluation logic
│ │ ├── cspm.py # Prisma Cloud CSPM controls (1-6)
│ │ ├── cwpp.py # Prisma Cloud CWPP controls (7-11, 24-25)
│ │ ├── panos.py # PAN-OS controls (12-18, 21-23)
│ │ ├── cross_platform.py # Cross-platform controls (19-20)
│ │ ├── fedramp.py # FedRAMP-specific evaluation
│ │ ├── cmmc.py # CMMC 2.0-specific evaluation
│ │ ├── soc2.py # SOC 2-specific evaluation
│ │ ├── pci_dss.py # PCI-DSS 4.0-specific evaluation
│ │ ├── stig.py # DISA STIG-specific evaluation
│ │ ├── irap.py # IRAP-specific evaluation
│ │ └── ismap.py # ISMAP-specific evaluation
│ └── reporters/
│ ├── __init__.py
│ ├── base.py # Base reporter class
│ ├── executive.py # Executive summary reporter
│ ├── matrix.py # Cross-framework compliance matrix
│ ├── fedramp.py # FedRAMP SSP-ready output
│ ├── cmmc.py # CMMC assessment report
│ ├── soc2.py # SOC 2 evidence report
│ ├── pci_dss.py # PCI-DSS compliance report
│ ├── stig.py # DISA STIG checklist (CKL format)
│ ├── irap.py # IRAP assessment report
│ ├── ismap.py # ISMAP assessment report
│ └── validation.py # Finding validation and dedup
├── tests/
│ ├── conftest.py
│ ├── test_cspm_analyzer.py
│ ├── test_cwpp_analyzer.py
│ ├── test_panos_analyzer.py
│ ├── test_engine.py
│ └── testdata/
│ ├── prisma_compliance_posture.json
│ ├── prisma_alerts.json
│ ├── cwpp_images.json
│ ├── cwpp_defenders.json
│ ├── panos_security_rules.xml
│ ├── panos_zones.xml
│ └── panos_system_config.xml
└── COPYING
Key design decisions:
- Multiple clients (
clients/subpackage) because the tool interfaces with three distinct APIs (CSPM, CWPP, PAN-OS), each with different auth and transport. - Analyzer per domain (
cspm.py,cwpp.py,panos.py) plus cross-platform analyzers for controls that span APIs (e.g., admin roles exist in both Prisma Cloud and PAN-OS). - Framework-specific analyzers map the 25 controls to specific framework requirements with detailed evidence collection.
- Reporter per framework generates framework-specific output formats (e.g., STIG CKL XML, FedRAMP SSP narrative).
8. CLI Interface
# Full audit across all three surfaces
paloalto-inspector audit \
--prisma-url "$PRISMA_API_URL" \
--prisma-access-key "$PRISMA_ACCESS_KEY_ID" \
--prisma-secret-key "$PRISMA_SECRET_KEY" \
--panos-host "$PANOS_HOST" \
--panos-api-key "$PANOS_API_KEY" \
--format json \
--output report.json
# CSPM-only audit
paloalto-inspector audit --scope cspm \
--prisma-url "$PRISMA_API_URL" \
--prisma-access-key "$PRISMA_ACCESS_KEY_ID" \
--prisma-secret-key "$PRISMA_SECRET_KEY" \
--framework fedramp \
--format table
# CWPP-only audit (containers and hosts)
paloalto-inspector audit --scope cwpp \
--prisma-url "$PRISMA_API_URL" \
--prisma-access-key "$PRISMA_ACCESS_KEY_ID" \
--prisma-secret-key "$PRISMA_SECRET_KEY" \
--controls 7,8,9,10,11
# PAN-OS firewall audit
paloalto-inspector audit --scope panos \
--panos-host 10.0.0.1 \
--panos-api-key "$PANOS_API_KEY" \
--framework stig \
--format stig-ckl \
--output firewall-stig.ckl
# Panorama-managed multi-firewall audit
paloalto-inspector audit --scope panos \
--panos-host panorama.corp.com \
--panos-api-key "$PANOS_API_KEY" \
--panorama \
--device-group "Production-DG" \
--format json
# Generate executive summary
paloalto-inspector report executive \
--input report.json \
--format html
# Generate compliance matrix
paloalto-inspector report matrix \
--input report.json \
--frameworks fedramp,cmmc,pci-dss \
--format csv
# List available controls
paloalto-inspector controls list --scope all
# Validate connectivity
paloalto-inspector test-connection \
--prisma-url "$PRISMA_API_URL" \
--prisma-access-key "$PRISMA_ACCESS_KEY_ID" \
--prisma-secret-key "$PRISMA_SECRET_KEY" \
--panos-host "$PANOS_HOST" \
--panos-api-key "$PANOS_API_KEY"
9. Build Sequence
| Phase | Scope | Deliverables |
|---|---|---|
| Phase 1: Foundation | Project scaffold, models, CLI skeleton | pyproject.toml, models.py, cli.py, engine.py, output.py |
| Phase 2: PAN-OS Client | PAN-OS XML/REST API client, auth, connection test | clients/panos.py, test_connection command |
| Phase 3: PAN-OS Analyzers | Controls 12-18, 21-23 (firewall/Panorama auditing) | analyzers/panos.py, test fixtures, testdata/*.xml |
| Phase 4: Prisma CSPM Client | CSPM API client, JWT auth, compliance posture collection | clients/prisma_cspm.py |
| Phase 5: CSPM Analyzers | Controls 1-6 (cloud posture, IAM, encryption, alerts) | analyzers/cspm.py, testdata/prisma_*.json |
| Phase 6: CWPP Client | Compute API client, image/host/defender collection | clients/prisma_cwpp.py |
| Phase 7: CWPP Analyzers | Controls 7-11, 24-25 (container, host, runtime, CI/CD) | analyzers/cwpp.py, testdata/cwpp_*.json |
| Phase 8: Cross-Platform | Controls 19-20 (admin roles, logging spanning APIs) | analyzers/cross_platform.py |
| Phase 9: Framework Analyzers | Framework-specific mapping and evidence logic | analyzers/{fedramp,cmmc,soc2,pci_dss,stig,irap,ismap}.py |
| Phase 10: Reporters | Framework-specific report generation | reporters/ (all framework reporters, matrix, executive) |
| Phase 11: Testing & Polish | Integration tests, CI pipeline, documentation | tests/, CI config, README |
10. Status
Not yet implemented. Spec only.