orion/.audit-rules/compliance.yaml
Samir Boulahtit b382090771
refactor: remove GitLab CI config and docs after full Gitea migration
- Delete .gitlab-ci.yml (replaced by .gitea/workflows/ci.yml)
- Delete docs/deployment/gitlab.md (superseded by gitea.md)
- Update audit rules to reference .gitea/workflows/*.yml
- Update validate_audit.py to check Gitea CI paths
- Clean up GitLab references in gitea.md, mkdocs.yml, .dockerignore
- Mark IPv6 AAAA records as completed in hetzner docs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 19:28:35 +01:00


---
# Compliance Rules
# =================
# Ensures adherence to regulatory and internal policy requirements.
# Covers SOX, GDPR, CCPA, and internal governance policies.
#
# Every rule has an `id`, a human-readable `name` and `description`, a
# `severity` (critical | high | medium) and a `check` block whose `type`
# selects how it is evaluated. Types used in this file: pattern_forbidden,
# pattern_required, pattern_recommended, pattern_check, documentation and
# file_exists. Their precise semantics (regex dialect, case-sensitivity,
# whether globs in `paths` are evaluated per file or per line, any-of vs
# all-of for path lists) are defined by the consuming validator, not here —
# per the commit message that is validate_audit.py; confirm there before
# treating a passing rule as audit evidence.
#
# NOTE(review): pattern-based checks only prove that a token is present or
# absent in source text. They are a heuristic signal, not proof that the
# control is enforced at runtime or on the forge.
rules:

  # ===================
  # REGULATORY COMPLIANCE
  # ===================
  - id: COMP-REG-001
    name: "Error messages must not expose internals"
    description: "Error responses must not reveal system internals (SOX, security)"
    severity: high
    check:
      type: pattern_forbidden
      paths:
        - "app/exceptions/*.py"
      patterns:
        - "traceback|stack.*trace|sys\\.exc_info"
      # Matches guarded by a debug/development condition are tolerated.
      # Whether the exclusion applies per line or to the whole file is up
      # to the validator — TODO confirm.
      exclude_patterns:
        - "if.*debug|if.*development"
      message: "Production errors must not expose stack traces"

  - id: COMP-REG-002
    name: "HTTPS enforcement"
    description: "All communications must use HTTPS in production"
    severity: critical
    check:
      type: pattern_required
      paths:
        - "app/core/config.py"
        - "main.py"
      # Any occurrence of these tokens (a comment included) satisfies the
      # check; it does not verify that TLS is actually enforced on the
      # listening endpoint.
      patterns:
        - "https|SSL|TLS|SECURE"
      message: "HTTPS configuration required"

  - id: COMP-REG-003
    name: "Security headers"
    description: "Security headers must be configured"
    severity: high
    check:
      type: pattern_recommended
      paths:
        - "main.py"
        - "middleware/*.py"
      patterns:
        - "X-Frame-Options|X-Content-Type|Strict-Transport|CSP|Content-Security-Policy"
      message: "Consider security headers middleware"

  # ===================
  # CONSENT MANAGEMENT
  # ===================
  - id: COMP-CONS-001
    name: "Terms acceptance tracking"
    description: "User acceptance of terms must be recorded"
    severity: medium
    check:
      type: pattern_recommended
      paths:
        - "models/database/user.py"
      patterns:
        - "terms_accepted|consent|accepted_at"
      message: "Consider tracking terms/consent acceptance"

  - id: COMP-CONS-002
    name: "Cookie consent"
    description: "Cookie usage must comply with consent requirements"
    severity: medium
    check:
      # documentation-type checks carry no paths/patterns; presumably they
      # surface the message for manual attestation — confirm in the validator.
      type: documentation
      message: "Document cookie consent mechanism"

  # ===================
  # FINANCIAL CONTROLS (SOX)
  # ===================
  - id: COMP-SOX-001
    name: "Financial transaction logging"
    description: "Financial transactions must have complete audit trail"
    severity: critical
    check:
      # pattern_check pairs `patterns` with `requires`: files that mention a
      # financial term are presumably expected to also contain a logger
      # call — confirm the co-occurrence scope (file vs line) in the validator.
      type: pattern_check
      paths:
        - "app/**/*.py"
      patterns:
        - "payment|transaction|invoice|billing"
      requires:
        - "logger\\."
      message: "Financial operations require audit logging"

  - id: COMP-SOX-002
    name: "Dual approval for critical operations"
    description: "Critical financial operations should require dual approval"
    severity: medium
    check:
      type: documentation
      message: "Document approval workflow for critical operations"

  - id: COMP-SOX-003
    name: "Immutable transaction records"
    description: "Financial records must not be modifiable"
    severity: high
    check:
      type: pattern_forbidden
      paths:
        - "app/**/*.py"
      # Heuristic on identifier wording only: a mutation spelled differently
      # (e.g. saving an already-loaded record) is not caught, and unrelated
      # code containing these words may be flagged.
      patterns:
        - "update.*transaction|delete.*payment|modify.*invoice"
      message: "Financial records should be immutable"

  # ===================
  # INTERNAL POLICIES
  # ===================
  - id: COMP-POL-001
    name: "Code review requirement"
    description: "Code changes must go through review process"
    severity: high
    check:
      # Existence of a template or workflow file does not by itself enforce
      # review; branch-protection / required-reviewer settings live on the
      # forge, outside this repository.
      type: file_exists
      paths:
        - ".github/PULL_REQUEST_TEMPLATE.md"
        - "CONTRIBUTING.md"
        # Both forge workflow locations are listed; which one applies
        # depends on where the repository is hosted.
        - ".github/workflows/*.yml"
        - ".gitea/workflows/*.yml"
      message: "Code review process must be documented/enforced"

  - id: COMP-POL-002
    name: "Change approval documentation"
    description: "Changes must have documented approval"
    severity: medium
    check:
      type: file_exists
      paths:
        - ".github/CODEOWNERS"
        - "CODEOWNERS"
        - ".github/workflows/*.yml"
        - ".gitea/workflows/*.yml"
      message: "Document change approval requirements"

  - id: COMP-POL-003
    name: "Incident response documentation"
    description: "Incident response procedures must be documented"
    severity: medium
    check:
      type: file_exists
      paths:
        - "docs/**/incident*.md"
        - "docs/**/security*.md"
        - "SECURITY.md"
      message: "Document incident response procedures"

  # ===================
  # EVIDENCE COLLECTION
  # ===================
  - id: COMP-EVID-001
    name: "Automated testing evidence"
    description: "Test results must be captured for audit evidence"
    severity: medium
    check:
      # file_exists combined with `patterns`: presumably the files must exist
      # and one of them must contain a pattern — confirm in the validator.
      type: file_exists
      paths:
        - ".github/workflows/ci.yml"
        - ".gitea/workflows/*.yml"
        - "pytest.ini"
        - "pyproject.toml"
      patterns:
        - "pytest|test|coverage"
      message: "Automated testing must be configured"

  - id: COMP-EVID-002
    name: "Deployment audit trail"
    description: "Deployments must be logged and traceable"
    severity: high
    check:
      type: file_exists
      paths:
        - ".github/workflows/*.yml"
        - ".gitea/workflows/*.yml"
      patterns:
        - "deploy|release"
      message: "Deployment process must be automated and logged"

  - id: COMP-EVID-003
    name: "Version control usage"
    description: "All code must be version controlled"
    severity: critical
    check:
      type: file_exists
      paths:
        # `.git` is present in a (shallow) checkout but absent from an
        # exported archive; run this rule against a checkout.
        - ".git"
        - ".gitignore"
      message: "Version control is required"