feat: Databricks Security Best Practices checks#324

Merged
andres-linero merged 2 commits into main from feat/databricks-cis-benchmark
Mar 8, 2026

Conversation

@msaad00
Owner

@msaad00 msaad00 commented Mar 8, 2026

Summary

Databricks does not have an official CIS Benchmark. These are security best practice checks based on Databricks' own published hardening guidance.

  • src/agent_bom/cloud/databricks_security.py — 12 checks, DatabricksSecurityReport, run_security_checks()
  • CLI flag: --databricks-security (reads DATABRICKS_HOST + DATABRICKS_TOKEN from env)
  • MITRE ATT&CK tagging via tag_cis_check() on all findings
  • 32 tests, all passing

Checks implemented

ID   Section   Check
1.1  IAM       Admin count ≤ 3
1.2  IAM       IP access lists enabled
1.3  IAM       PAT expiry policy set
1.4  IAM       Service principal token lifetime
2.1  Clusters  Auto-termination enabled
2.2  Clusters  No isolation-mode clusters running
2.3  Clusters  Custom cluster policies defined
2.4  Clusters  No public IPs
3.1  Data      Unity Catalog metastore assigned
4.1  Audit     Audit log delivery configured
5.1  Secrets   Secret scopes in use
5.2  Secrets   No plaintext credentials in cluster env vars

Test plan

  • pytest tests/test_databricks_security.py — 32/32 pass
  • ruff + ruff-format hooks pass

Closes #290
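Two of the cluster checks from the table above (2.1 auto-termination and 5.2 plaintext credentials in env vars), written as an added illustration of the check logic; this is not the PR's databricks_security.py. It works on plain dicts in the shape of a cluster object rather than the databricks-sdk client, the sample clusters are constructed, and the credential-name pattern is an assumed heuristic; the `{{secrets/<scope>/<key>}}` reference syntax is Databricks' own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Databricks resolves {{secrets/<scope>/<key>}} at cluster start, so the
# literal secret never lands in the cluster configuration.
SECRET_REF = re.compile(r"^\{\{secrets/[^/}]+/[^/}]+\}\}$")
# Env var names that usually carry credentials (assumed heuristic for this example).
CRED_KEY = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY", re.I)

@dataclass
class Finding:
    check_id: str
    cluster: str
    detail: str  # deliberately never includes the env var value itself

def check_autotermination(cluster: dict) -> list[Finding]:
    """2.1: a cluster must auto-terminate; 0 or missing means 'never'."""
    minutes = cluster.get("autotermination_minutes") or 0
    if minutes <= 0:
        return [Finding("2.1", cluster["cluster_name"], "auto-termination disabled")]
    return []

def check_plaintext_env_credentials(cluster: dict) -> list[Finding]:
    """5.2: credential-like env vars must be secret references, not literal values."""
    findings = []
    for name, value in (cluster.get("spark_env_vars") or {}).items():
        if CRED_KEY.search(name) and not SECRET_REF.match(str(value)):
            findings.append(Finding("5.2", cluster["cluster_name"], f"{name} is a literal value"))
    return findings

def run_cluster_checks(clusters: list[dict]) -> list[Finding]:
    out: list[Finding] = []
    for c in clusters:
        out += check_autotermination(c)
        out += check_plaintext_env_credentials(c)
    return out

# Constructed sample input in the dict shape of a cluster listing.
SAMPLE_CLUSTERS = [
    {"cluster_name": "etl-prod", "autotermination_minutes": 30,
     "spark_env_vars": {"AWS_SECRET_ACCESS_KEY": "{{secrets/aws/secret-key}}", "LOG_LEVEL": "INFO"}},
    {"cluster_name": "adhoc-analyst", "autotermination_minutes": 0,
     "spark_env_vars": {"DB_PASSWORD": "hunter2", "API_TOKEN": "dapiEXAMPLE0000"}},
]

if __name__ == "__main__":
    for f in run_cluster_checks(SAMPLE_CLUSTERS):
        print(f"[{f.check_id}] {f.cluster}: {f.detail}")
```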

msaad00 added 2 commits March 7, 2026 19:23
Add 12 security checks across 5 sections (IAM, Clusters, Data, Audit,
Secrets) using the databricks-sdk. Includes CLI flag
--databricks-cis-benchmark, MITRE ATT&CK tagging, and 32 tests.

Databricks has no official CIS Benchmark. Rename everything from
databricks_cis_benchmark → databricks_security and DatabricksCISReport →
DatabricksSecurityReport. CLI flag is now --databricks-security.
Docstring clarified: checks are based on Databricks' own published
security hardening guidance.
@msaad00 msaad00 requested a review from andres-linero as a code owner March 8, 2026 00:26
@github-actions
Contributor

github-actions bot commented Mar 8, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@andres-linero andres-linero merged commit ef56fea into main Mar 8, 2026
18 checks passed
@andres-linero andres-linero deleted the feat/databricks-cis-benchmark branch March 8, 2026 00:31

Development

Successfully merging this pull request may close these issues.

feat: Databricks CIS benchmark