feat: add audit validation rules and script

Import audit rules from scaffold project covering:
- Access control validation
- Audit trail requirements
- Change management policies
- Compliance checks
- Data governance rules
- Documentation requirements
- Third-party dependency checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
2025-12-28 09:21:03 +01:00
parent ff2f475ae4
commit 92434c8971
10 changed files with 2055 additions and 437 deletions

.audit-rules/_main.yaml Normal file

@@ -0,0 +1,59 @@
# IT Internal Audit Rules
# ========================
# These rules ensure compliance with internal governance policies,
# regulatory requirements, and audit best practices.
#
# Purpose: Independent verification of controls for:
# - SOX compliance (financial systems)
# - GDPR/CCPA compliance (data privacy)
# - Internal governance policies
# - Risk management frameworks
version: "1.0"
name: "IT Internal Audit Rules"
# Rule categories and their weights for scoring
categories:
audit_trail:
weight: 25
description: "Logging, traceability, and audit log integrity"
access_control:
weight: 20
description: "Authentication, authorization, and least privilege"
data_governance:
weight: 20
description: "PII handling, data classification, and retention"
compliance:
weight: 15
description: "Regulatory and policy compliance"
change_management:
weight: 10
description: "Version control, approvals, and rollback"
third_party:
weight: 5
description: "Dependency management and license compliance"
documentation:
weight: 5
description: "Required documentation and traceability"
# Minimum passing score (percentage)
minimum_score: 80
# Files/directories to exclude from audit
excluded_paths:
- ".venv/"
- "__pycache__/"
- ".git/"
- "node_modules/"
- ".pytest_cache/"
- "htmlcov/"
- "site/"
- ".mypy_cache/"
# Severity levels
severity_levels:
critical: "Must be fixed immediately - audit finding"
high: "Must be fixed before next audit cycle"
medium: "Should be addressed in remediation plan"
low: "Recommendation for improvement"
info: "Informational observation"
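Review bot: `minimum_score: 80` is the only gate in this file, so a project can pass the audit while a `critical` rule (unauthenticated endpoints, weak password hashing) fails, provided enough low-weight documentation and third-party rules pass; the `severity_levels` block is descriptive text and nothing here makes a critical finding blocking. Consider a hard-fail policy next to the score, e.g. `fail_on_severity: critical` with the comment `# Any finding at or above this severity fails the audit regardless of score`, assuming the accompanying script (not shown on this page) is taught to honor it. Also note that `.git/` is in `excluded_paths` while the change-management rules check `.git` via `file_exists`; confirm the script applies `excluded_paths` only to content scans, otherwise CHANGE-VC-001 and COMP-EVID-003 can never pass.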


@@ -0,0 +1,171 @@
# Access Control Rules
# ====================
# Ensures proper authentication, authorization, and least privilege.
# Critical for preventing unauthorized access.
rules:
# ===================
# AUTHENTICATION
# ===================
- id: ACCESS-AUTH-001
name: "Protected endpoints must require authentication"
description: "API endpoints handling sensitive data must enforce authentication"
severity: critical
check:
type: pattern_required
paths:
- "app/api/v1/*.py"
patterns:
- "CurrentUser|Depends.*get_current_user|AdminUser"
exclude_patterns:
- "health.py"
- "auth.py" # Auth endpoints handle their own logic
message: "API endpoints must require authentication"
- id: ACCESS-AUTH-002
name: "Admin endpoints must verify admin role"
description: "Administrative functions must check for admin privileges"
severity: critical
check:
type: pattern_required
paths:
- "app/routes/admin.py"
patterns:
- "is_admin|AdminUser|require_admin|admin_required"
message: "Admin routes must verify admin privileges"
- id: ACCESS-AUTH-003
name: "Session management must be secure"
description: "Sessions must have proper timeout and security settings"
severity: high
check:
type: pattern_required
paths:
- "app/core/config.py"
- "app/core/security.py"
patterns:
- "ACCESS_TOKEN_EXPIRE|SESSION_TIMEOUT|token.*expire"
message: "Session/token expiration must be configured"
# ===================
# AUTHORIZATION (RBAC)
# ===================
- id: ACCESS-RBAC-001
name: "Role-based access control implementation"
description: "System must implement role-based access control"
severity: high
check:
type: pattern_required
paths:
- "models/database/user.py"
patterns:
- "is_admin|role|permission"
message: "User model must support role-based access"
- id: ACCESS-RBAC-002
name: "Authorization checks before data access"
description: "Data access must verify user permissions"
severity: high
check:
type: pattern_recommended
paths:
- "app/api/v1/*.py"
patterns:
- "user\\.id|current_user|owner|created_by"
message: "Consider ownership checks for data access"
- id: ACCESS-RBAC-003
name: "Separation of duties"
description: "Critical operations should require different roles"
severity: medium
check:
type: documentation
message: "Document separation of duties in critical workflows"
# ===================
# LEAST PRIVILEGE
# ===================
- id: ACCESS-PRIV-001
name: "Database connections use least privilege"
description: "Database user should have minimal required permissions"
severity: high
check:
type: documentation
paths:
- "docs/**/*.md"
- "README.md"
patterns:
- "database.*permission|db.*role|least.*privilege"
message: "Document database user permissions"
- id: ACCESS-PRIV-002
name: "API endpoints return minimal data"
description: "Responses should not include unnecessary sensitive fields"
severity: medium
check:
type: pattern_forbidden
paths:
- "models/schema/*.py"
patterns:
- "password_hash|password.*Field"
exclude_patterns:
- "password.*exclude.*True"
message: "Password hashes must not be included in API responses"
- id: ACCESS-PRIV-003
name: "Environment-specific access"
description: "Debug/admin features disabled in production"
severity: high
check:
type: pattern_required
paths:
- "main.py"
- "app/core/environment.py"
patterns:
- "is_production|ENVIRONMENT|DEBUG"
message: "Environment-based feature flags required"
# ===================
# ACCOUNT SECURITY
# ===================
- id: ACCESS-ACCT-001
name: "Account lockout mechanism"
description: "Failed login attempts should trigger account lockout"
severity: high
check:
type: pattern_recommended
paths:
- "app/api/v1/auth.py"
- "app/services/user_service.py"
patterns:
- "failed.*attempt|lockout|rate.*limit|throttle"
message: "Consider implementing account lockout after failed attempts"
- id: ACCESS-ACCT-002
name: "Password complexity requirements"
description: "Passwords must meet minimum complexity requirements"
severity: high
check:
type: pattern_required
paths:
- "models/schema/auth.py"
- "models/schema/user.py"
patterns:
- "min_length|MinLen|Field.*ge.*8"
message: "Password minimum length must be enforced"
- id: ACCESS-ACCT-003
name: "Secure password storage"
description: "Passwords must be hashed with strong algorithm"
severity: critical
check:
type: pattern_required
paths:
- "app/core/security.py"
patterns:
- "bcrypt|argon2|scrypt|pbkdf2"
message: "Passwords must use approved hashing algorithms"
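Review bot: ACCESS-AUTH-001 and ACCESS-AUTH-002 are file-level presence checks, so a single `Depends(get_current_user)` anywhere in an `app/api/v1/*.py` module satisfies the critical rule even when the same module exposes other routes with no dependency at all; the check cannot see per-route coverage and should say so, e.g. `# Heuristic: presence per file, not per route — review unauthenticated routes manually`. ACCESS-PRIV-003 has the same weakness in the other direction: `is_production|ENVIRONMENT|DEBUG` is satisfied by a hard-coded `DEBUG = True`, so add a forbidden companion on `main.py` and `app/core/config.py` with `type: pattern_forbidden` and `- "DEBUG\\s*=\\s*True"`. ACCESS-ACCT-002 should be pinned to the password field — `min_length` on any other field (a username, say) currently passes it, and `Field.*ge.*8` is a numeric lower bound, not a string length constraint. ACCESS-PRIV-002 will also flag input schemas that legitimately declare `password: str = Field(...)` for registration and login, since `password.*Field` does not distinguish request models from response models.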


@@ -0,0 +1,170 @@
# Audit Trail Rules
# ==================
# Ensures all sensitive operations are logged and traceable.
# Critical for SOX compliance and incident investigation.
rules:
# ===================
# LOGGING REQUIREMENTS
# ===================
- id: AUDIT-LOG-001
name: "Authentication events must be logged"
description: "All login, logout, and failed authentication attempts must be logged"
severity: critical
check:
type: pattern_required
paths:
- "app/api/v1/auth.py"
- "app/routes/admin.py"
patterns:
- "logger\\.(info|warning|error).*login"
- "logger\\.(info|warning|error).*auth"
message: "Authentication endpoints must log all attempts"
- id: AUDIT-LOG-002
name: "Data modification must be logged"
description: "Create, update, delete operations must include audit logging"
severity: critical
check:
type: pattern_required
paths:
- "app/services/*.py"
patterns:
- "logger\\."
exclude_patterns:
- "__init__.py"
message: "Service layer must include logging for data modifications"
- id: AUDIT-LOG-003
name: "Admin actions must be logged"
description: "All administrative actions require audit logging"
severity: critical
check:
type: pattern_required
paths:
- "app/routes/admin.py"
patterns:
- "logger\\."
message: "Admin routes must log all actions"
- id: AUDIT-LOG-004
name: "Log must include user identity"
description: "Audit logs must include the user ID performing the action"
severity: high
check:
type: pattern_recommended
paths:
- "app/**/*.py"
patterns:
- "user_id|current_user|admin_user"
context: "logging"
message: "Logs should include user identity for traceability"
# ===================
# AUDIT FIELDS
# ===================
- id: AUDIT-FIELD-001
name: "Models must have audit timestamps"
description: "Database models must include created_at and updated_at fields"
severity: high
check:
type: pattern_required
paths:
- "models/database/*.py"
patterns:
- "created_at"
- "updated_at"
exclude_patterns:
- "__init__.py"
- "base.py"
- "audit_log.py" # Uses timestamp field instead
message: "Database models must include audit timestamp fields"
- id: AUDIT-FIELD-002
name: "Models should track who made changes"
description: "Models should include created_by and updated_by fields"
severity: medium
check:
type: pattern_recommended
paths:
- "models/database/*.py"
patterns:
- "created_by|updated_by|modified_by"
message: "Consider adding created_by/updated_by fields for accountability"
# ===================
# LOG INTEGRITY
# ===================
- id: AUDIT-INT-001
name: "Logs must not be modifiable by application"
description: "Application should not have delete/modify access to audit logs"
severity: high
check:
type: pattern_forbidden
paths:
- "app/**/*.py"
patterns:
- "os\\.remove.*\\.log"
- "truncate.*log"
- "open.*\\.log.*[\"']w[\"']"
message: "Application must not modify or delete log files"
- id: AUDIT-INT-002
name: "Structured logging required"
description: "Use structured logging for machine-parseable audit trails"
severity: medium
check:
type: pattern_recommended
paths:
- "app/core/logging.py"
patterns:
- "structlog|json|JSONFormatter"
message: "Consider structured logging for better audit trail analysis"
# ===================
# SENSITIVE OPERATIONS
# ===================
- id: AUDIT-SENS-001
name: "Password changes must be logged"
description: "All password change operations require audit logging"
severity: critical
check:
type: pattern_required
paths:
- "app/services/user_service.py"
- "app/api/v1/users.py"
patterns:
- "password"
context: "must have corresponding logger call"
message: "Password operations must be logged"
- id: AUDIT-SENS-002
name: "Permission changes must be logged"
description: "Role and permission changes require audit logging"
severity: critical
check:
type: pattern_required
paths:
- "app/services/*.py"
patterns:
- "is_admin|role|permission"
context: "must have corresponding logger call"
message: "Permission changes must be logged"
- id: AUDIT-SENS-003
name: "Data exports must be logged"
description: "Any data export functionality must be logged"
severity: high
check:
type: pattern_check
paths:
- "app/**/*.py"
patterns:
- "export|download|csv|xlsx"
requires:
- "logger\\."
message: "Data export operations must be logged"
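Review bot: AUDIT-SENS-001 and AUDIT-SENS-002 do not enforce what their messages claim: both are `pattern_required` checks whose only pattern is `password` / `is_admin|role|permission`, so any service file that merely mentions those words passes, and the `context: "must have corresponding logger call"` value is prose that a script cannot act on. AUDIT-SENS-003 already shows the intended shape (`pattern_check` with `requires`), and both critical rules should be rewritten the same way or they are effectively no-ops. As written, SENS-002 also fails every module under `app/services/*.py` that legitimately never touches roles, because `pattern_required` demands a match in each file. AUDIT-LOG-002 has a milder version of the same problem: one `logger.debug("starting")` in a service satisfies "data modification must be logged".

```yaml
  - id: AUDIT-SENS-001
    # … unchanged: name, description, severity …
    check:
      type: pattern_check
      # … unchanged: paths, patterns …
      requires:
        - "logger\\."
    # … unchanged: message …
  - id: AUDIT-SENS-002
    # … unchanged: name, description, severity …
    check:
      type: pattern_check
      # … unchanged: paths, patterns …
      requires:
        - "logger\\."
    # … unchanged: message …
```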


@@ -0,0 +1,226 @@
# Change Management Rules
# =======================
# Ensures proper version control, approval workflows, and rollback capability.
# Critical for maintaining system stability and audit trail.
rules:
# ===================
# VERSION CONTROL
# ===================
- id: CHANGE-VC-001
name: "Git repository required"
description: "All code must be in version control"
severity: critical
check:
type: file_exists
paths:
- ".git"
message: "Git repository required"
- id: CHANGE-VC-002
name: "Gitignore configured"
description: "Sensitive files must be excluded from version control"
severity: high
check:
type: file_exists
paths:
- ".gitignore"
message: ".gitignore file required"
- id: CHANGE-VC-003
name: "Secrets excluded from VCS"
description: "Secret files must be in .gitignore"
severity: critical
check:
type: pattern_required
paths:
- ".gitignore"
patterns:
- "\\.env"
- "\\*\\.pem"
- "\\*\\.key"
- "secrets"
message: "Secret files must be excluded from version control"
# ===================
# CODE REVIEW
# ===================
- id: CHANGE-REV-001
name: "Pull request template"
description: "PR template ensures consistent review information"
severity: medium
check:
type: file_exists
paths:
- ".github/PULL_REQUEST_TEMPLATE.md"
message: "Pull request template recommended"
- id: CHANGE-REV-002
name: "Branch protection documentation"
description: "Main branch should require reviews"
severity: high
check:
type: documentation
message: "Document branch protection rules"
- id: CHANGE-REV-003
name: "Code owners defined"
description: "Critical paths should have designated owners"
severity: medium
check:
type: file_exists
paths:
- ".github/CODEOWNERS"
- "CODEOWNERS"
message: "Consider defining code owners for critical paths"
# ===================
# CI/CD PIPELINE
# ===================
- id: CHANGE-CI-001
name: "Automated testing in CI"
description: "Tests must run automatically on changes"
severity: high
check:
type: file_exists
paths:
- ".github/workflows/ci.yml"
- ".github/workflows/test.yml"
message: "CI workflow for automated testing required"
- id: CHANGE-CI-002
name: "Security scanning in CI"
description: "Security scans should run in CI pipeline"
severity: high
check:
type: pattern_recommended
paths:
- ".github/workflows/*.yml"
patterns:
- "security|bandit|safety|snyk|trivy"
message: "Consider security scanning in CI pipeline"
- id: CHANGE-CI-003
name: "Linting and code quality"
description: "Code quality checks should run in CI"
severity: medium
check:
type: pattern_required
paths:
- ".github/workflows/*.yml"
patterns:
- "ruff|flake8|pylint|mypy|lint"
message: "Code quality checks required in CI"
# ===================
# DEPLOYMENT
# ===================
- id: CHANGE-DEP-001
name: "Environment separation"
description: "Development, staging, and production must be separate"
severity: high
check:
type: pattern_required
paths:
- "app/core/config.py"
- "app/core/environment.py"
patterns:
- "ENVIRONMENT|development|staging|production"
message: "Environment separation required"
- id: CHANGE-DEP-002
name: "Deployment automation"
description: "Deployments should be automated and repeatable"
severity: medium
check:
type: file_exists
paths:
- ".github/workflows/release.yml"
- ".github/workflows/deploy.yml"
- "Dockerfile"
message: "Automated deployment process recommended"
- id: CHANGE-DEP-003
name: "Infrastructure as code"
description: "Infrastructure should be version controlled"
severity: medium
check:
type: file_exists
paths:
- "docker-compose.yml"
- "Dockerfile"
- "terraform/"
- "kubernetes/"
message: "Infrastructure as code recommended"
# ===================
# ROLLBACK CAPABILITY
# ===================
- id: CHANGE-ROLL-001
name: "Database migration versioning"
description: "Database changes must be versioned and reversible"
severity: high
check:
type: file_exists
paths:
- "alembic/"
- "alembic.ini"
message: "Database migration tool required"
- id: CHANGE-ROLL-002
name: "Migration downgrade support"
description: "Database migrations should support rollback"
severity: medium
check:
type: pattern_required
paths:
- "alembic/versions/*.py"
patterns:
- "def downgrade"
message: "Migration downgrade functions required"
- id: CHANGE-ROLL-003
name: "Container versioning"
description: "Container images should be versioned"
severity: medium
check:
type: pattern_recommended
paths:
- "Dockerfile"
- ".github/workflows/*.yml"
patterns:
- "tag|version|:v"
message: "Container image versioning recommended"
# ===================
# CHANGE DOCUMENTATION
# ===================
- id: CHANGE-DOC-001
name: "Changelog maintained"
description: "Changes should be documented in changelog"
severity: medium
check:
type: file_exists
paths:
- "CHANGELOG.md"
- "CHANGES.md"
- "HISTORY.md"
message: "Consider maintaining a changelog"
- id: CHANGE-DOC-002
name: "Release documentation"
description: "Releases should be documented"
severity: low
check:
type: pattern_recommended
paths:
- ".github/workflows/release.yml"
patterns:
- "release|changelog|notes"
message: "Consider automated release notes"
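Review bot: CHANGE-VC-003 only proves that `.env`, `*.pem`, `*.key` and `secrets` are listed in `.gitignore`; it says nothing about secrets already committed, or about files tracked before the ignore entry was added, and CHANGE-CI-002's `security|bandit|safety|snyk|trivy` names no secret scanner while the bare word `security` is matched by any job name. Extending CI-002 to `- "bandit|safety|snyk|trivy|gitleaks|trufflehog|detect-secrets"` and dropping the bare `security` token would make that recommendation meaningful. CHANGE-ROLL-002 also passes on a `def downgrade` whose body is `pass`, so "Migration downgrade functions required" overstates what is verified; a comment `# Presence only — an empty downgrade() still satisfies this rule` keeps auditors honest.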


@@ -0,0 +1,191 @@
# Compliance Rules
# =================
# Ensures adherence to regulatory and internal policy requirements.
# Covers SOX, GDPR, CCPA, and internal governance policies.
rules:
# ===================
# REGULATORY COMPLIANCE
# ===================
- id: COMP-REG-001
name: "Error messages must not expose internals"
description: "Error responses must not reveal system internals (SOX, security)"
severity: high
check:
type: pattern_forbidden
paths:
- "app/exceptions/*.py"
patterns:
- "traceback|stack.*trace|sys\\.exc_info"
exclude_patterns:
- "if.*debug|if.*development"
message: "Production errors must not expose stack traces"
- id: COMP-REG-002
name: "HTTPS enforcement"
description: "All communications must use HTTPS in production"
severity: critical
check:
type: pattern_required
paths:
- "app/core/config.py"
- "main.py"
patterns:
- "https|SSL|TLS|SECURE"
message: "HTTPS configuration required"
- id: COMP-REG-003
name: "Security headers"
description: "Security headers must be configured"
severity: high
check:
type: pattern_recommended
paths:
- "main.py"
- "middleware/*.py"
patterns:
- "X-Frame-Options|X-Content-Type|Strict-Transport|CSP|Content-Security-Policy"
message: "Consider security headers middleware"
# ===================
# CONSENT MANAGEMENT
# ===================
- id: COMP-CONS-001
name: "Terms acceptance tracking"
description: "User acceptance of terms must be recorded"
severity: medium
check:
type: pattern_recommended
paths:
- "models/database/user.py"
patterns:
- "terms_accepted|consent|accepted_at"
message: "Consider tracking terms/consent acceptance"
- id: COMP-CONS-002
name: "Cookie consent"
description: "Cookie usage must comply with consent requirements"
severity: medium
check:
type: documentation
message: "Document cookie consent mechanism"
# ===================
# FINANCIAL CONTROLS (SOX)
# ===================
- id: COMP-SOX-001
name: "Financial transaction logging"
description: "Financial transactions must have complete audit trail"
severity: critical
check:
type: pattern_check
paths:
- "app/**/*.py"
patterns:
- "payment|transaction|invoice|billing"
requires:
- "logger\\."
message: "Financial operations require audit logging"
- id: COMP-SOX-002
name: "Dual approval for critical operations"
description: "Critical financial operations should require dual approval"
severity: medium
check:
type: documentation
message: "Document approval workflow for critical operations"
- id: COMP-SOX-003
name: "Immutable transaction records"
description: "Financial records must not be modifiable"
severity: high
check:
type: pattern_forbidden
paths:
- "app/**/*.py"
patterns:
- "update.*transaction|delete.*payment|modify.*invoice"
message: "Financial records should be immutable"
# ===================
# INTERNAL POLICIES
# ===================
- id: COMP-POL-001
name: "Code review requirement"
description: "Code changes must go through review process"
severity: high
check:
type: file_exists
paths:
- ".github/PULL_REQUEST_TEMPLATE.md"
- "CONTRIBUTING.md"
- ".github/workflows/*.yml"
message: "Code review process must be documented/enforced"
- id: COMP-POL-002
name: "Change approval documentation"
description: "Changes must have documented approval"
severity: medium
check:
type: file_exists
paths:
- ".github/CODEOWNERS"
- ".github/workflows/*.yml"
message: "Document change approval requirements"
- id: COMP-POL-003
name: "Incident response documentation"
description: "Incident response procedures must be documented"
severity: medium
check:
type: file_exists
paths:
- "docs/**/incident*.md"
- "docs/**/security*.md"
- "SECURITY.md"
message: "Document incident response procedures"
# ===================
# EVIDENCE COLLECTION
# ===================
- id: COMP-EVID-001
name: "Automated testing evidence"
description: "Test results must be captured for audit evidence"
severity: medium
check:
type: file_exists
paths:
- ".github/workflows/ci.yml"
- "pytest.ini"
- "pyproject.toml"
patterns:
- "pytest|test|coverage"
message: "Automated testing must be configured"
- id: COMP-EVID-002
name: "Deployment audit trail"
description: "Deployments must be logged and traceable"
severity: high
check:
type: file_exists
paths:
- ".github/workflows/*.yml"
patterns:
- "deploy|release"
message: "Deployment process must be automated and logged"
- id: COMP-EVID-003
name: "Version control usage"
description: "All code must be version controlled"
severity: critical
check:
type: file_exists
paths:
- ".git"
- ".gitignore"
message: "Version control is required"
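Review bot: COMP-REG-002 is a `critical` rule satisfied by the substring `https` anywhere in `main.py` or `config.py` — a documentation URL in a comment passes it — so it does not demonstrate HTTPS enforcement; anchor it on an enforcement construct (an HTTPS-redirect middleware, an HSTS header, a `Secure` cookie flag) or make it `type: documentation`. COMP-REG-001 forbids `traceback|stack.*trace|sys\.exc_info` in the exception handlers, which also forbids logging the traceback server-side (`logger.exception`) that the audit-trail rules want for incident investigation; the control is that the traceback is not in the response body, which a token grep cannot distinguish, so narrow the pattern to response construction and say in the message that server-side logging of tracebacks is expected. The `file_exists` semantics are also ambiguous across this page: COMP-EVID-003 lists `.git` and `.gitignore` where both are needed, while CHANGE-DEP-003 lists alternatives where any one should do — if the script treats the list as any-of, a repo without `.gitignore` passes the critical EVID-003; if all-of, DEP-003 cannot pass without both Docker and Terraform. An explicit `match: any` / `match: all` key would remove the guesswork, and COMP-EVID-001/002 (and THIRD-VULN-001) put `patterns` under `file_exists` unlike every other rule — confirm the script evaluates them or that key is dead config.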


@@ -0,0 +1,201 @@
# Data Governance Rules
# =====================
# Ensures proper handling of PII, data classification, and retention.
# Critical for GDPR, CCPA, and data privacy compliance.
rules:
# ===================
# PII IDENTIFICATION
# ===================
- id: DATA-PII-001
name: "PII fields must be identified"
description: "Personal Identifiable Information fields must be marked/documented"
severity: high
check:
type: pattern_recommended
paths:
- "models/database/*.py"
patterns:
- "# PII|pii.*=.*True|sensitive.*=.*True"
message: "Consider marking PII fields with comments or metadata"
- id: DATA-PII-002
name: "Email addresses are PII"
description: "Email fields must be treated as PII"
severity: medium
check:
type: documentation
message: "Document email as PII in data classification"
- id: DATA-PII-003
name: "PII must not be logged"
description: "Sensitive data must not appear in logs"
severity: critical
check:
type: pattern_forbidden
paths:
- "app/**/*.py"
- "middleware/**/*.py"
patterns:
- "logger.*password|log.*password"
- "logger.*credit.*card|log.*ssn"
- "print\\(.*password"
message: "PII/sensitive data must not be logged"
# ===================
# DATA CLASSIFICATION
# ===================
- id: DATA-CLASS-001
name: "Data classification scheme"
description: "System must have documented data classification"
severity: medium
check:
type: file_exists
paths:
- "docs/**/data-classification.md"
- "docs/**/data-governance.md"
- "docs/**/security*.md"
message: "Document data classification scheme"
- id: DATA-CLASS-002
name: "Sensitive data encryption at rest"
description: "Highly sensitive data should be encrypted in database"
severity: medium
check:
type: pattern_recommended
paths:
- "models/database/*.py"
patterns:
- "encrypt|EncryptedType|Fernet"
message: "Consider encryption for highly sensitive fields"
- id: DATA-CLASS-003
name: "Data masking in non-production"
description: "PII should be masked in development/test environments"
severity: medium
check:
type: documentation
message: "Document data masking procedures for non-production"
# ===================
# DATA RETENTION
# ===================
- id: DATA-RET-001
name: "Soft delete for audit trail"
description: "Records should use soft delete to maintain audit trail"
severity: medium
check:
type: pattern_recommended
paths:
- "models/database/*.py"
patterns:
- "deleted_at|is_deleted|soft_delete"
message: "Consider soft delete for audit trail preservation"
- id: DATA-RET-002
name: "Data retention policy"
description: "System must have documented data retention policy"
severity: high
check:
type: file_exists
paths:
- "docs/**/retention*.md"
- "docs/**/data*.md"
message: "Document data retention policy"
- id: DATA-RET-003
name: "Automated data cleanup"
description: "Old data should be automatically purged per retention policy"
severity: low
check:
type: pattern_recommended
paths:
- "app/tasks/*.py"
- "scripts/*.py"
patterns:
- "cleanup|purge|archive|retention"
message: "Consider automated data retention enforcement"
# ===================
# DATA PRIVACY RIGHTS
# ===================
- id: DATA-PRIV-001
name: "Right to access (GDPR Art. 15)"
description: "Users must be able to access their personal data"
severity: high
check:
type: pattern_required
paths:
- "app/api/v1/users.py"
patterns:
- "/me|/current|get_current_user"
message: "Endpoint for users to access their data required"
- id: DATA-PRIV-002
name: "Right to erasure (GDPR Art. 17)"
description: "System must support user data deletion requests"
severity: high
check:
type: pattern_recommended
paths:
- "app/api/v1/users.py"
- "app/services/user_service.py"
patterns:
- "delete|remove|erase|anonymize"
message: "Support for user data deletion required"
- id: DATA-PRIV-003
name: "Right to portability (GDPR Art. 20)"
description: "Users should be able to export their data"
severity: medium
check:
type: pattern_recommended
paths:
- "app/api/v1/*.py"
patterns:
- "export|download|portable"
message: "Consider data export functionality for portability"
# ===================
# DATA INTEGRITY
# ===================
- id: DATA-INT-001
name: "Input validation"
description: "All input data must be validated"
severity: high
check:
type: pattern_required
paths:
- "models/schema/*.py"
patterns:
- "Field|validator|field_validator"
message: "Pydantic validation required for data integrity"
- id: DATA-INT-002
name: "Database constraints"
description: "Database should enforce data integrity constraints"
severity: medium
check:
type: pattern_required
paths:
- "models/database/*.py"
patterns:
- "nullable|unique|ForeignKey|CheckConstraint"
message: "Database constraints should enforce data integrity"
- id: DATA-INT-003
name: "Referential integrity"
description: "Foreign key relationships must be properly defined"
severity: medium
check:
type: pattern_required
paths:
- "models/database/*.py"
patterns:
- "ForeignKey|relationship"
message: "Define foreign key relationships for referential integrity"
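Review bot: DATA-PII-003's pattern `log.*password` also matches `login(username, password)` because `log` is a prefix of `login`, so this critical rule will flag every auth signature and `request.password` handoff in `app/api/v1/auth.py`, while it misses the PII the same file classifies elsewhere — DATA-PII-002 declares email as PII, yet no forbidden pattern covers `logger.*email`. Anchor the logger call and widen the field list, e.g. `- "\\blogger\\.\\w+\\(.*(password|email|ssn|credit.?card|token)"` and `- "\\bprint\\(.*(password|email|ssn|token)"`. Add a comment that this is a same-line heuristic and will not see `logger.info("...", extra=payload)` or structured keyword logging, which AUDIT-INT-002 actively recommends. DATA-PRIV-002's `delete|remove|erase|anonymize` is satisfied by any `@router.delete` on the users module, so it should not be read as evidence of GDPR Art. 17 support.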


@@ -0,0 +1,230 @@
# Documentation Rules
# ====================
# Ensures required documentation for audit trail and compliance.
# Critical for demonstrating controls and due diligence.
rules:
# ===================
# PROJECT DOCUMENTATION
# ===================
- id: DOC-PROJ-001
name: "README file required"
description: "Project must have a README with basic information"
severity: high
check:
type: file_exists
paths:
- "README.md"
- "README.rst"
- "README.txt"
message: "Project README required"
- id: DOC-PROJ-002
name: "Setup instructions"
description: "README must include setup/installation instructions"
severity: medium
check:
type: pattern_required
paths:
- "README.md"
patterns:
- "[Ii]nstall|[Ss]etup|[Gg]etting [Ss]tarted"
message: "Setup instructions required in README"
- id: DOC-PROJ-003
name: "Contributing guidelines"
description: "Project should have contribution guidelines"
severity: low
check:
type: file_exists
paths:
- "CONTRIBUTING.md"
- "docs/guides/contributing.md"
message: "Consider adding contribution guidelines"
# ===================
# API DOCUMENTATION
# ===================
- id: DOC-API-001
name: "OpenAPI documentation"
description: "API must have OpenAPI/Swagger documentation"
severity: high
check:
type: pattern_required
paths:
- "main.py"
patterns:
- "openapi|docs_url|redoc"
message: "OpenAPI documentation required for APIs"
- id: DOC-API-002
name: "Endpoint documentation"
description: "API endpoints must have docstrings"
severity: medium
check:
type: pattern_required
paths:
- "app/api/v1/*.py"
patterns:
- '""".*"""'
message: "API endpoints should have docstrings"
- id: DOC-API-003
name: "API versioning documented"
description: "API versioning strategy must be documented"
severity: medium
check:
type: file_exists
paths:
- "docs/api/*.md"
message: "API documentation required"
# ===================
# SECURITY DOCUMENTATION
# ===================
- id: DOC-SEC-001
name: "Security policy"
description: "Project must have security policy"
severity: high
check:
type: file_exists
paths:
- "SECURITY.md"
- ".github/SECURITY.md"
message: "Security policy (SECURITY.md) required"
- id: DOC-SEC-002
name: "Authentication documentation"
description: "Authentication mechanism must be documented"
severity: high
check:
type: file_exists
paths:
- "docs/api/authentication.md"
- "docs/**/auth*.md"
message: "Authentication documentation required"
- id: DOC-SEC-003
name: "Security controls documentation"
description: "Security controls must be documented"
severity: medium
check:
type: pattern_required
paths:
- "docs/**/*.md"
patterns:
- "[Ss]ecurity|[Aa]uthentication|[Aa]uthorization"
message: "Security controls should be documented"
# ===================
# OPERATIONAL DOCUMENTATION
# ===================
- id: DOC-OPS-001
name: "Deployment documentation"
description: "Deployment process must be documented"
severity: high
check:
type: file_exists
paths:
- "docs/guides/deployment.md"
- "docs/**/deploy*.md"
message: "Deployment documentation required"
- id: DOC-OPS-002
name: "Configuration documentation"
description: "Configuration options must be documented"
severity: medium
check:
type: file_exists
paths:
- "docs/getting-started/configuration.md"
- ".env.example"
message: "Configuration documentation required"
- id: DOC-OPS-003
name: "Monitoring documentation"
description: "Monitoring and alerting should be documented"
severity: low
check:
type: file_exists
paths:
- "docs/**/monitoring*.md"
- "docs/**/observability*.md"
message: "Consider documenting monitoring setup"
# ===================
# COMPLIANCE DOCUMENTATION
# ===================
- id: DOC-COMP-001
name: "Data handling documentation"
description: "Data handling practices must be documented"
severity: high
check:
type: file_exists
paths:
- "docs/**/data*.md"
- "docs/**/privacy*.md"
message: "Data handling documentation recommended"
- id: DOC-COMP-002
name: "Audit controls documentation"
description: "Audit controls must be documented"
severity: medium
check:
type: pattern_required
paths:
- "docs/**/*.md"
patterns:
- "[Aa]udit|[Ll]ogging|[Tt]raceability"
message: "Audit controls should be documented"
- id: DOC-COMP-003
name: "Compliance requirements documented"
description: "Applicable compliance requirements must be listed"
severity: medium
check:
type: documentation
message: "Document applicable compliance requirements (GDPR, SOX, etc.)"
# ===================
# ARCHITECTURE DOCUMENTATION
# ===================
- id: DOC-ARCH-001
name: "Architecture overview"
description: "System architecture must be documented"
severity: medium
check:
type: file_exists
paths:
- "docs/architecture/*.md"
message: "Architecture documentation required"
- id: DOC-ARCH-002
name: "Component diagram"
description: "System should have component/architecture diagram"
severity: low
check:
type: pattern_recommended
paths:
- "docs/**/*.md"
- "README.md"
patterns:
- "mermaid|diagram|architecture.*png|architecture.*svg"
message: "Consider adding architecture diagrams"
- id: DOC-ARCH-003
name: "Decision records"
description: "Major decisions should be documented (ADRs)"
severity: low
check:
type: file_exists
paths:
- "docs/adr/*.md"
- "docs/decisions/*.md"
message: "Consider documenting architecture decisions (ADRs)"
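Review bot: DOC-API-002's pattern `""".*"""` only matches a docstring that opens and closes on the same line; unless the script compiles patterns with DOTALL, the usual multi-line endpoint docstrings fail the rule and every `app/api/v1/*.py` module gets a medium finding. A pattern that spans lines, e.g. `- '"""[\s\S]*?"""'`, or simply `- '"""'` with the comment `# Presence of any docstring; per-route coverage is not checked`, matches what the rule can actually verify. DOC-OPS-002 accepts `.env.example` as configuration documentation; a comment `# .env.example must contain placeholders only — a ".env" entry in .gitignore does not cover .env.example` would tie it to CHANGE-VC-003 and prevent the example file becoming the leak.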


@@ -0,0 +1,192 @@
# Third-Party Risk Rules
# ======================
# Ensures proper management of external dependencies.
# Critical for supply chain security and license compliance.
rules:
# ===================
# DEPENDENCY MANAGEMENT
# ===================
- id: THIRD-DEP-001
name: "Dependency lock file required"
description: "Dependencies must be locked to specific versions"
severity: high
check:
type: file_exists
paths:
- "uv.lock"
- "poetry.lock"
- "requirements.lock"
- "Pipfile.lock"
message: "Dependency lock file required for reproducible builds"
- id: THIRD-DEP-002
name: "Dependencies defined in manifest"
description: "All dependencies must be declared"
severity: critical
check:
type: file_exists
paths:
- "pyproject.toml"
- "requirements.txt"
- "Pipfile"
message: "Dependency manifest file required"
- id: THIRD-DEP-003
name: "Pinned dependency versions"
description: "Production dependencies should have pinned versions"
severity: high
check:
type: pattern_recommended
paths:
- "pyproject.toml"
patterns:
- '>=.*,<|==|~='
message: "Consider pinning dependency version ranges"
# ===================
# VULNERABILITY MANAGEMENT
# ===================
- id: THIRD-VULN-001
name: "Dependency vulnerability scanning"
description: "Dependencies must be scanned for vulnerabilities"
severity: high
check:
type: file_exists
paths:
- ".github/workflows/*.yml"
patterns:
- "safety|pip-audit|snyk|dependabot"
message: "Dependency vulnerability scanning required"
- id: THIRD-VULN-002
name: "Dependabot enabled"
description: "Automated dependency updates should be configured"
severity: medium
check:
type: file_exists
paths:
- ".github/dependabot.yml"
message: "Consider enabling Dependabot for security updates"
- id: THIRD-VULN-003
name: "Container base image scanning"
description: "Container base images should be scanned"
severity: medium
check:
type: pattern_recommended
paths:
- ".github/workflows/*.yml"
patterns:
- "trivy|grype|snyk.*container"
message: "Consider container image vulnerability scanning"
# ===================
# LICENSE COMPLIANCE
# ===================
- id: THIRD-LIC-001
name: "License compatibility check"
description: "Dependency licenses must be compatible"
severity: high
check:
type: documentation
message: "Document license compliance verification process"
- id: THIRD-LIC-002
name: "No copyleft in proprietary code"
description: "GPL/AGPL dependencies require careful handling"
severity: high
check:
type: pattern_forbidden
paths:
- "pyproject.toml"
patterns:
- "gpl|agpl"
case_insensitive: true
message: "Copyleft licenses require legal review"
- id: THIRD-LIC-003
name: "Project license declared"
description: "Project must have explicit license"
severity: medium
check:
type: file_exists
paths:
- "LICENSE"
- "LICENSE.md"
- "LICENSE.txt"
message: "Project license file recommended"
# ===================
# VENDOR ASSESSMENT
# ===================
- id: THIRD-VEND-001
name: "Trusted package sources"
description: "Packages should come from trusted sources"
severity: high
check:
type: pattern_forbidden
paths:
- "pyproject.toml"
- "requirements.txt"
patterns:
- "git\\+http://|--index-url.*http://"
message: "Only HTTPS sources allowed for packages"
- id: THIRD-VEND-002
name: "No direct Git dependencies in production"
description: "Production should use released packages"
severity: medium
check:
type: pattern_recommended
paths:
- "pyproject.toml"
patterns:
- "git\\+"
invert: true
message: "Prefer released packages over Git dependencies"
- id: THIRD-VEND-003
name: "Minimal dependencies"
description: "Only necessary dependencies should be included"
severity: low
check:
type: documentation
message: "Document justification for external dependencies"
# ===================
# SUPPLY CHAIN SECURITY
# ===================
- id: THIRD-CHAIN-001
name: "Package integrity verification"
description: "Package hashes should be verified"
severity: medium
check:
type: pattern_recommended
paths:
- "uv.lock"
- "requirements.txt"
patterns:
- "sha256|hash"
message: "Consider hash verification for packages"
- id: THIRD-CHAIN-002
name: "Signed commits for dependencies"
description: "Critical dependencies should use signed releases"
severity: low
check:
type: documentation
message: "Consider verifying signatures for critical dependencies"
- id: THIRD-CHAIN-003
name: "Private package registry"
description: "Internal packages should use private registry"
severity: low
check:
type: documentation
message: "Document private package registry usage if applicable"
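Review bot: THIRD-LIC-002 greps `pyproject.toml` for `gpl|agpl`, but dependency license names are not in the manifest — only package names and version specifiers are — so the rule can at best catch the project's own `license` field or a classifier and will never see a GPL-licensed dependency; either say so in the message or make the check `type: documentation` pointing at a license-report step in CI. THIRD-VEND-001 misses the index settings that matter for dependency confusion (`--extra-index-url`, `--find-links`, and `[[tool.uv.index]]` / `[tool.poetry.source]` URLs); widen it to `- "git\\+http://|--(extra-)?index-url.*http://|--find-links.*http://|url\\s*=\\s*[\"']http://"`. THIRD-VEND-002 introduces an `invert: true` key on `pattern_recommended` that no other rule uses, while `pattern_forbidden` (used one rule earlier) expresses the same thing — keep one schema so the script does not silently ignore the flag. THIRD-CHAIN-003 appears to be the last rule; blank lines seem to have been dropped in this rendering (the hunk header counts 192 lines), so I am assuming the section is complete.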