feat: add audit validation rules and script

Import audit rules from scaffold project covering: - Access control validation - Audit trail requirements - Change management policies - Compliance checks - Data governance rules - Documentation requirements - Third-party dependency checks 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 09:21:03 +01:00
parent ff2f475ae4
commit 92434c8971
10 changed files with 2055 additions and 437 deletions
--- a/.audit-rules/_main.yaml
+++ b/.audit-rules/_main.yaml
@@ -0,0 +1,59 @@
+# IT Internal Audit Rules
+# ========================
+# These rules ensure compliance with internal governance policies,
+# regulatory requirements, and audit best practices.
+#
+# Purpose: Independent verification of controls for:
+# - SOX compliance (financial systems)
+# - GDPR/CCPA compliance (data privacy)
+# - Internal governance policies
+# - Risk management frameworks
+
+version: "1.0"
+name: "IT Internal Audit Rules"
+
+# Rule categories and their weights for scoring
+categories:
+  audit_trail:
+    weight: 25
+    description: "Logging, traceability, and audit log integrity"
+  access_control:
+    weight: 20
+    description: "Authentication, authorization, and least privilege"
+  data_governance:
+    weight: 20
+    description: "PII handling, data classification, and retention"
+  compliance:
+    weight: 15
+    description: "Regulatory and policy compliance"
+  change_management:
+    weight: 10
+    description: "Version control, approvals, and rollback"
+  third_party:
+    weight: 5
+    description: "Dependency management and license compliance"
+  documentation:
+    weight: 5
+    description: "Required documentation and traceability"
+
+# Minimum passing score (percentage)
+minimum_score: 80
+
+# Files/directories to exclude from audit
+excluded_paths:
+  - ".venv/"
+  - "__pycache__/"
+  - ".git/"
+  - "node_modules/"
+  - ".pytest_cache/"
+  - "htmlcov/"
+  - "site/"
+  - ".mypy_cache/"
+
+# Severity levels
+severity_levels:
+  critical: "Must be fixed immediately - audit finding"
+  high: "Must be fixed before next audit cycle"
+  medium: "Should be addressed in remediation plan"
+  low: "Recommendation for improvement"
+  info: "Informational observation"