feat(org): add sec-check command to assess organization security posture (#3142)

add sec-check command to assess organization security posture (#3142)

Author: hkhrais

README.md

@@ -18,6 +18,7 @@
 - Seed your space with example data.
 - Manage installation of [extensions](https://github.com/contentful/extensions) in a space.
 - Securely login and logout with our [OAuth service](https://www.contentful.com/developers/docs/references/authentication/).
+- Run organization security & configuration checks (security contact, audit logging, access tokens, SSO, MFA) with `contentful organization sec-check`.
 - Find all available commands in the [docs section](https://github.com/contentful/contentful-cli/tree/main/docs).
 
 ## :cloud: Installation

docs/README.md

@@ -11,7 +11,7 @@ Commands:
   init          Get started with Contentful
   login         Login to Contentful
   logout        Logout from Contentful
-  organization  Manage and list your organizations
+  organization  Manage and list your organizations (includes security checks via `sec-check`)
   space         Manage and list your spaces
 
 Options:
@@ -29,5 +29,5 @@ Copyright Contentful 2019-Present
 - [init](./init) - Get an introduction to Contentful
 - [login](./login) - Start new CLI session
 - [logout](./logout) - End CLI session
-- [organization](./organization) - Organization related commands
+- [organization](./organization) - Organization related commands (security & configuration checks with `sec-check`)
 - [space](./space) - Space related commands

docs/organization/README.md

@@ -4,3 +4,4 @@
 
 - [list](./list) - List all Organizations you have access to
 - [export](./export) - Export a organization data to a json file
+- [sec-check](./sec-check) - Run organization security checks (audit-log, security contact, SSO, MFA)

docs/organization/sec-check/README.md

@@ -0,0 +1,107 @@
+# Contentful CLI - `sec-check` command
+
+This command runs a series of security checks on a Contentful Organization.
+
+| Check | Description |
+|-------|-------------|
+| `permission_check` | Validates user has sufficient privileges (owner/admin) to perform security checks  |
+| `security_contact_set` | Ensures ≥1 security contact is configured |
+| `audit_logging_configured` | Confirms audit logging is enabled |
+| `active_tokens_with_long_expiry` | Flags active access tokens whose expiration date is more than 1 year in the future |
+| `sso_enabled` | Validates SSO is enabled |
+| `sso_enforced` | Validates SSO restricted mode is on |
+| `sso_exempt_users` | Flags users exempt from SSO enforcement |
+| `sso_exempt_users_with_mfa_disabled` | Flags SSO-exempt users without MFA |
+
+
+## Usage
+```
+Usage: contentful organization sec-check --organization-id <organization-id>
+
+Options:
+  -h, --help                Show help                                  [boolean]
+  --organization-id, --oid  Contentful organization ID       [string] [required]
+  --management-token, --mt  Contentful management API token (overrides stored
+                            context token)                              [string]
+  --header, -H              Pass an additional HTTP Header              [string]
+  --output-file, -o         Write JSON results to a file. If used without a
+                            filename, a default file
+                            ./data/<timestamp>-<org-id>-sec-check.json is
+                            created.                                    [string]
+```
+
+## Prerequisites
+- A Contentful Management API token with org admin/owner permissions to read organization settings.
+
+
+## Example
+
+```
+contentful organization sec-check --organization-id 123456789 -o
+```
+
+![img.png](img.png)
+
+
+Outputs JSON with fields:
+```
+{
+  "permission_check": {
+    "description": "User has owner or admin role in the organization",
+    "pass": true
+  },
+  "security_contact_set": {
+    "description": "Security contact is configured for the organization",
+    "pass": true,
+    "data": {
+      "contactCount": 1
+    }
+  },
+  "audit_logging_configured": {
+    "description": "Audit logging is configured for the organization",
+    "pass": true,
+    "data": {
+      "itemCount": 1
+    }
+  },
+  "active_tokens_with_long_expiry": {
+    "description": "Active (not revoked) access tokens whose expiration date is more than 1 year in the future.",
+    "pass": false,
+    "data": {
+      "offendingCount": 6
+    }
+  },
+  "sso_enabled": {
+    "description": "SSO is enabled for the organization",
+    "pass": true
+  },
+  "sso_enforced": {
+    "description": "SSO is enforced (restricted) for the organization",
+    "pass": true
+  },
+  "sso_exempt_users": {
+    "description": "Check if users are exempted from SSO restricted mode (bypass SSO).",
+    "pass": false,
+    "data": {
+      "exemptUserIds": [
+        "2qEuWkv9GLQ8ypPK96xjZk"
+      ],
+      "exemptCount": 1
+    }
+  },
+  "sso_exempt_users_with_mfa_disabled": {
+    "description": "Exempt users have MFA (2FA) enabled (reports users without MFA).",
+    "pass": false,
+    "data": {
+      "mfaDisabledUsers": [
+        {
+          "id": "2qEuWkv9GLQ8ypPK96xjZk",
+          "email": "hussam.khrais+test@foo.com"
+        }
+      ],
+      "mfaDisabledCount": 1
+    }
+  }
+}
+```
+A check with pass:false indicates action required.