
feat: Databricks Security Best Practices benchmark #323

Closed

msaad00 wants to merge 1 commit into main from feat/databricks-cis-benchmark

Conversation

msaad00 (Owner) commented Mar 8, 2026

Summary

  • Adds src/agent_bom/cloud/databricks_cis_benchmark.py with 12 security checks across 5 sections (IAM, Clusters, Data, Audit, Secrets) using the databricks-sdk
  • Adds --databricks-cis-benchmark CLI flag (reads DATABRICKS_HOST + DATABRICKS_TOKEN from env)
  • MITRE ATT&CK tagging via tag_cis_check() on all findings
  • Adds databricks_cis_benchmark_data field to AgentBOMReport and output serialization
  • 32 new tests covering all 12 checks, the report model, and run_benchmark()

Checks implemented

ID   Section   Check
1.1  IAM       Admin count ≤ 3
1.2  IAM       IP access lists enabled
1.3  IAM       PAT expiry policy set
1.4  IAM       Service principal token lifetime
2.1  Clusters  Auto-termination enabled
2.2  Clusters  No isolation-mode clusters running
2.3  Clusters  Custom cluster policies defined
2.4  Clusters  No public IPs
3.1  Data      Unity Catalog metastore assigned
4.1  Audit     Audit log delivery configured
5.1  Secrets   Secret scopes in use
5.2  Secrets   No plaintext credentials in cluster env vars

Test plan

  • pytest tests/test_databricks_cis_benchmark.py — 32/32 pass
  • ruff + ruff-format pre-commit hooks pass
  • CI on push

Closes #290

Add 12 security checks across 5 sections (IAM, Clusters, Data, Audit,
Secrets) using the databricks-sdk. Includes CLI flag
--databricks-cis-benchmark, MITRE ATT&CK tagging, and 32 tests.
@msaad00 msaad00 requested a review from andres-linero as a code owner March 8, 2026 00:23
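To make concrete what checks like 1.1, 2.1 and 5.2 in the table above actually evaluate, here is an added example that is not the project's code and does not use the databricks-sdk directly. It models clusters as plain dicts carrying the same field names the SDK's cluster objects expose (autotermination_minutes, spark_env_vars), treats autotermination_minutes == 0 as "disabled", and flags any credential-looking env var whose value is a literal rather than a Databricks {{secrets/<scope>/<key>}} reference. The admin list, cluster inventory, sensitive-name regex and ATT&CK technique mappings are all constructed here for illustration and are not the output of the project's tag_cis_check().

```python
"""Illustrative versions of checks 1.1, 2.1 and 5.2 from the PR table.

Example code added to the page, not agent-bom's implementation. Clusters are
plain dicts shaped like the databricks-sdk ClusterDetails fields this needs
(autotermination_minutes, spark_env_vars); everything else is constructed.
"""
import re
from dataclasses import dataclass

# Databricks secret reference syntax accepted in Spark env vars and Spark conf:
# {{secrets/<scope>/<key>}}. Such a value is resolved at cluster start and never
# appears in plaintext in the cluster definition.
SECRET_REF = re.compile(r"^\{\{secrets/[^/{}]+/[^/{}]+\}\}$")

# Env var names that usually carry credentials (heuristic chosen for this example).
SENSITIVE_NAME = re.compile(
    r"(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIAL)", re.I
)

MAX_ADMINS = 3  # threshold from check 1.1


@dataclass(frozen=True)
class Finding:
    check_id: str
    passed: bool
    detail: str
    attack_techniques: tuple  # ATT&CK IDs; mappings below are illustrative


def check_admin_count(admins, max_admins=MAX_ADMINS):
    """1.1: more than max_admins workspace admins is a finding."""
    ok = len(admins) <= max_admins
    return Finding(
        "1.1", ok,
        f"{len(admins)} workspace admins (limit {max_admins})",
        ("T1078.004",),  # Valid Accounts: Cloud Accounts (illustrative)
    )


def check_auto_termination(clusters):
    """2.1: autotermination_minutes of 0 (or missing) means auto-termination is off."""
    offenders = [c["cluster_name"] for c in clusters if not c.get("autotermination_minutes")]
    detail = ("no auto-termination: " + ", ".join(offenders)) if offenders else "all clusters auto-terminate"
    return Finding("2.1", not offenders, detail, ("T1496",))  # Resource Hijacking (illustrative)


def check_plaintext_env_credentials(clusters):
    """5.2: a credential-looking env var must be a {{secrets/...}} reference, not a literal."""
    hits = []
    for c in clusters:
        for name, value in (c.get("spark_env_vars") or {}).items():
            if SENSITIVE_NAME.search(name) and not SECRET_REF.match(str(value)):
                hits.append(f"{c['cluster_name']}:{name}")
    detail = ("plaintext credentials in env vars: " + ", ".join(hits)) if hits else "env vars use secret scopes"
    return Finding("5.2", not hits, detail, ("T1552",))  # Unsecured Credentials (illustrative)


def run_all(admins, clusters):
    """Run the three checks and return their findings in table order."""
    return [
        check_admin_count(admins),
        check_auto_termination(clusters),
        check_plaintext_env_credentials(clusters),
    ]


# Constructed sample inventory (not real workspace data).
SAMPLE_ADMINS = ["alice@example.com", "bob@example.com", "carol@example.com", "dan@example.com"]
SAMPLE_CLUSTERS = [
    {
        "cluster_name": "etl-prod",
        "autotermination_minutes": 60,
        "spark_env_vars": {"DB_TOKEN": "{{secrets/prod/db-token}}", "LOG_LEVEL": "INFO"},
    },
    {
        "cluster_name": "adhoc",
        "autotermination_minutes": 0,
        "spark_env_vars": {"AWS_SECRET_ACCESS_KEY": "not-a-real-secret-just-a-literal"},
    },
]

if __name__ == "__main__":
    for f in run_all(SAMPLE_ADMINS, SAMPLE_CLUSTERS):
        print(f"{f.check_id} {'PASS' if f.passed else 'FAIL'} {f.detail} {f.attack_techniques}")
```

Against the constructed inventory all three checks fail: four admins exceed the limit of three, the adhoc cluster never auto-terminates, and its AWS_SECRET_ACCESS_KEY is a literal while etl-prod's DB_TOKEN is correctly a secret-scope reference. Feeding real data means replacing the dicts with the objects returned by the SDK's cluster listing and the admin group membership; the check logic itself does not change.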
github-actions bot (Contributor) commented Mar 8, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

msaad00 (Owner, Author) commented Mar 8, 2026

Closing to rename: there is no CIS Benchmark for Databricks. Reframing as Databricks Security Best Practices checks.

@msaad00 msaad00 closed this Mar 8, 2026

Development

Successfully merging this pull request may close these issues.

feat: Databricks CIS benchmark

1 participant