sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
754bfca87d6bd7c024df057520d66a0fbdaeda26
orion/.audit-rules/data_governance.yaml
Samir Boulahtit 92434c8971 feat: add audit validation rules and script 
Import audit rules from scaffold project covering:
- Access control validation
- Audit trail requirements
- Change management policies
- Compliance checks
- Data governance rules
- Documentation requirements
- Third-party dependency checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 09:21:03 +01:00

202 lines
5.7 KiB
YAML
Raw Blame History

# Data Governance Rules
# =====================
# Ensures proper handling of PII, data classification, and retention.
# Critical for GDPR, CCPA, and data privacy compliance.
rules:
# ===================
# PII IDENTIFICATION
# ===================
- id: DATA-PII-001
name: "PII fields must be identified"
description: "Personal Identifiable Information fields must be marked/documented"
severity: high
check:
type: pattern_recommended
paths:
- "models/database/*.py"
patterns:
- "# PII|pii.*=.*True|sensitive.*=.*True"
message: "Consider marking PII fields with comments or metadata"
- id: DATA-PII-002
name: "Email addresses are PII"
description: "Email fields must be treated as PII"
severity: medium
check:
type: documentation
message: "Document email as PII in data classification"
- id: DATA-PII-003
name: "PII must not be logged"
description: "Sensitive data must not appear in logs"
severity: critical
check:
type: pattern_forbidden
paths:
- "app/**/*.py"
- "middleware/**/*.py"
patterns:
- "logger.*password|log.*password"
- "logger.*credit.*card|log.*ssn"
- "print\\(.*password"
message: "PII/sensitive data must not be logged"
# ===================
# DATA CLASSIFICATION
# ===================
- id: DATA-CLASS-001
name: "Data classification scheme"
description: "System must have documented data classification"
severity: medium
check:
type: file_exists
paths:
- "docs/**/data-classification.md"
- "docs/**/data-governance.md"
- "docs/**/security*.md"
message: "Document data classification scheme"
- id: DATA-CLASS-002
name: "Sensitive data encryption at rest"
description: "Highly sensitive data should be encrypted in database"
severity: medium
check:
type: pattern_recommended
paths:
- "models/database/*.py"
patterns:
- "encrypt|EncryptedType|Fernet"
message: "Consider encryption for highly sensitive fields"
- id: DATA-CLASS-003
name: "Data masking in non-production"
description: "PII should be masked in development/test environments"
severity: medium
check:
type: documentation
message: "Document data masking procedures for non-production"
# ===================
# DATA RETENTION
# ===================
- id: DATA-RET-001
name: "Soft delete for audit trail"
description: "Records should use soft delete to maintain audit trail"
severity: medium
check:
type: pattern_recommended
paths:
- "models/database/*.py"
patterns:
- "deleted_at|is_deleted|soft_delete"
message: "Consider soft delete for audit trail preservation"
- id: DATA-RET-002
name: "Data retention policy"
description: "System must have documented data retention policy"
severity: high
check:
type: file_exists
paths:
- "docs/**/retention*.md"
- "docs/**/data*.md"
message: "Document data retention policy"
- id: DATA-RET-003
name: "Automated data cleanup"
description: "Old data should be automatically purged per retention policy"
severity: low
check:
type: pattern_recommended
paths:
- "app/tasks/*.py"
- "scripts/*.py"
patterns:
- "cleanup|purge|archive|retention"
message: "Consider automated data retention enforcement"
# ===================
# DATA PRIVACY RIGHTS
# ===================
- id: DATA-PRIV-001
name: "Right to access (GDPR Art. 15)"
description: "Users must be able to access their personal data"
severity: high
check:
type: pattern_required
paths:
- "app/api/v1/users.py"
patterns:
- "/me|/current|get_current_user"
message: "Endpoint for users to access their data required"
- id: DATA-PRIV-002
name: "Right to erasure (GDPR Art. 17)"
description: "System must support user data deletion requests"
severity: high
check:
type: pattern_recommended
paths:
- "app/api/v1/users.py"
- "app/services/user_service.py"
patterns:
- "delete|remove|erase|anonymize"
message: "Support for user data deletion required"
- id: DATA-PRIV-003
name: "Right to portability (GDPR Art. 20)"
description: "Users should be able to export their data"
severity: medium
check:
type: pattern_recommended
paths:
- "app/api/v1/*.py"
patterns:
- "export|download|portable"
message: "Consider data export functionality for portability"
# ===================
# DATA INTEGRITY
# ===================
- id: DATA-INT-001
name: "Input validation"
description: "All input data must be validated"
severity: high
check:
type: pattern_required
paths:
- "models/schema/*.py"
patterns:
- "Field|validator|field_validator"
message: "Pydantic validation required for data integrity"
- id: DATA-INT-002
name: "Database constraints"
description: "Database should enforce data integrity constraints"
severity: medium
check:
type: pattern_required
paths:
- "models/database/*.py"
patterns:
- "nullable|unique|ForeignKey|CheckConstraint"
message: "Database constraints should enforce data integrity"
- id: DATA-INT-003
name: "Referential integrity"
description: "Foreign key relationships must be properly defined"
severity: medium
check:
type: pattern_required
paths:
- "models/database/*.py"
patterns:
- "ForeignKey|relationship"
message: "Define foreign key relationships for referential integrity"
Reference in New Issue View Git Blame Copy Permalink