feat: add unified code quality dashboard with multiple validators

- Add validator_type field to scans and violations (architecture, security, performance) - Create security validator with SEC-xxx rules - Create performance validator with PERF-xxx rules - Add base validator class for shared functionality - Add validate_all.py script to run all validators - Update code quality service with validator type filtering - Add validator type tabs to dashboard UI - Add validator type filter to violations list - Update stats response with per-validator breakdown - Add security and performance rules documentation - Add chat-bubble icons to icon library 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 20:57:47 +01:00
parent 6a903e16c6
commit 26b3dc9e3b
27 changed files with 5270 additions and 119 deletions
--- a/.security-rules/audit.yaml
+++ b/.security-rules/audit.yaml
@@ -0,0 +1,131 @@
+# Audit & Logging Rules
+# =====================
+
+audit_rules:
+  - id: "SEC-051"
+    name: "Authentication event logging"
+    severity: warning
+    description: |
+      Log authentication events:
+      - Successful logins (with user ID, IP)
+      - Failed login attempts (with IP, reason)
+      - Logouts
+      - Password changes
+      - Password reset requests
+    file_pattern: "**/auth*.py|**/login*.py"
+    required_patterns:
+      - "log"
+    suggested_patterns:
+      - 'logger\.(info|warning).*login|auth|password'
+
+  - id: "SEC-052"
+    name: "Admin action audit trail"
+    severity: warning
+    description: |
+      All admin operations should be logged with:
+      - Admin user ID
+      - Action performed
+      - Target resource
+      - Timestamp
+      - IP address
+    file_pattern: "**/admin/**/*.py"
+    required_patterns:
+      - "log"
+    suggested_patterns:
+      - "logger|audit"
+
+  - id: "SEC-053"
+    name: "Data modification logging"
+    severity: info
+    description: |
+      Log create/update/delete on sensitive data:
+      - User accounts
+      - Roles and permissions
+      - Financial transactions
+      - Configuration changes
+    file_pattern: "**/service*.py"
+
+  - id: "SEC-054"
+    name: "Security event logging"
+    severity: warning
+    description: |
+      Log security-relevant events:
+      - Authorization failures
+      - Input validation failures
+      - Rate limit triggers
+      - Suspicious activity patterns
+    file_pattern: "**/*.py"
+    context_patterns:
+      - "unauthorized|forbidden|rate_limit|suspicious"
+    suggested_patterns:
+      - "logger\\.warning|logger\\.error"
+
+  - id: "SEC-055"
+    name: "Log injection prevention"
+    severity: warning
+    description: |
+      Sanitize user input before logging.
+      Newlines and control characters can corrupt logs.
+    file_pattern: "**/*.py"
+    anti_patterns:
+      - 'logger\.[a-z]+\(.*request\..*\)'
+    suggested_patterns:
+      - "sanitize|escape|repr\\("
+    example_bad: |
+      logger.info(f"User search: {request.query}")
+    example_good: |
+      logger.info(f"User search: {request.query!r}")  # repr escapes
+
+  - id: "SEC-056"
+    name: "Centralized logging"
+    severity: info
+    description: |
+      Use centralized logging for:
+      - Correlation across services
+      - Tamper-evident storage
+      - Retention management
+      - Alerting capabilities
+
+  - id: "SEC-057"
+    name: "Log level appropriateness"
+    severity: info
+    description: |
+      Use appropriate log levels:
+      - ERROR: Security failures requiring attention
+      - WARNING: Suspicious activity, failed auth
+      - INFO: Successful security events
+      - DEBUG: Never log sensitive data even at debug
+
+  - id: "SEC-058"
+    name: "Structured logging format"
+    severity: info
+    description: |
+      Use structured logging (JSON) for:
+      - Easy parsing
+      - Consistent fields
+      - Searchability
+    suggested_patterns:
+      - "structlog|json_formatter|extra={"
+
+  - id: "SEC-059"
+    name: "Audit log integrity"
+    severity: info
+    description: |
+      Protect audit logs from tampering:
+      - Append-only storage
+      - Cryptographic chaining
+      - Separate access controls
+
+  - id: "SEC-060"
+    name: "Privacy-aware logging"
+    severity: warning
+    description: |
+      Comply with data protection regulations:
+      - No PII in logs without consent
+      - Log retention limits
+      - Right to deletion support
+    file_pattern: "**/*.py"
+    anti_patterns:
+      - 'log.*email(?!.*@.*sanitized)'
+      - 'log.*phone'
+      - 'log.*address(?!.*ip)'