Import audit rules from scaffold project covering: - Access control validation - Audit trail requirements - Change management policies - Compliance checks - Data governance rules - Documentation requirements - Third-party dependency checks 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Compliance Rules
|
|
# =================
|
|
# Ensures adherence to regulatory and internal policy requirements.
|
|
# Covers SOX, GDPR, CCPA, and internal governance policies.
|
|
|
|
rules:
|
|
# ===================
|
|
# REGULATORY COMPLIANCE
|
|
# ===================
|
|
|
|
- id: COMP-REG-001
|
|
name: "Error messages must not expose internals"
|
|
description: "Error responses must not reveal system internals (SOX, security)"
|
|
severity: high
|
|
check:
|
|
type: pattern_forbidden
|
|
paths:
|
|
- "app/exceptions/*.py"
|
|
patterns:
|
|
- "traceback|stack.*trace|sys\\.exc_info"
|
|
exclude_patterns:
|
|
- "if.*debug|if.*development"
|
|
message: "Production errors must not expose stack traces"
|
|
|
|
- id: COMP-REG-002
|
|
name: "HTTPS enforcement"
|
|
description: "All communications must use HTTPS in production"
|
|
severity: critical
|
|
check:
|
|
type: pattern_required
|
|
paths:
|
|
- "app/core/config.py"
|
|
- "main.py"
|
|
patterns:
|
|
- "https|SSL|TLS|SECURE"
|
|
message: "HTTPS configuration required"
|
|
|
|
- id: COMP-REG-003
|
|
name: "Security headers"
|
|
description: "Security headers must be configured"
|
|
severity: high
|
|
check:
|
|
type: pattern_recommended
|
|
paths:
|
|
- "main.py"
|
|
- "middleware/*.py"
|
|
patterns:
|
|
- "X-Frame-Options|X-Content-Type|Strict-Transport|CSP|Content-Security-Policy"
|
|
message: "Consider security headers middleware"
|
|
|
|
# ===================
|
|
# CONSENT MANAGEMENT
|
|
# ===================
|
|
|
|
- id: COMP-CONS-001
|
|
name: "Terms acceptance tracking"
|
|
description: "User acceptance of terms must be recorded"
|
|
severity: medium
|
|
check:
|
|
type: pattern_recommended
|
|
paths:
|
|
- "models/database/user.py"
|
|
patterns:
|
|
- "terms_accepted|consent|accepted_at"
|
|
message: "Consider tracking terms/consent acceptance"
|
|
|
|
- id: COMP-CONS-002
|
|
name: "Cookie consent"
|
|
description: "Cookie usage must comply with consent requirements"
|
|
severity: medium
|
|
check:
|
|
type: documentation
|
|
message: "Document cookie consent mechanism"
|
|
|
|
# ===================
|
|
# FINANCIAL CONTROLS (SOX)
|
|
# ===================
|
|
|
|
- id: COMP-SOX-001
|
|
name: "Financial transaction logging"
|
|
description: "Financial transactions must have complete audit trail"
|
|
severity: critical
|
|
check:
|
|
type: pattern_check
|
|
paths:
|
|
- "app/**/*.py"
|
|
patterns:
|
|
- "payment|transaction|invoice|billing"
|
|
requires:
|
|
- "logger\\."
|
|
message: "Financial operations require audit logging"
|
|
|
|
- id: COMP-SOX-002
|
|
name: "Dual approval for critical operations"
|
|
description: "Critical financial operations should require dual approval"
|
|
severity: medium
|
|
check:
|
|
type: documentation
|
|
message: "Document approval workflow for critical operations"
|
|
|
|
- id: COMP-SOX-003
|
|
name: "Immutable transaction records"
|
|
description: "Financial records must not be modifiable"
|
|
severity: high
|
|
check:
|
|
type: pattern_forbidden
|
|
paths:
|
|
- "app/**/*.py"
|
|
patterns:
|
|
- "update.*transaction|delete.*payment|modify.*invoice"
|
|
message: "Financial records should be immutable"
|
|
|
|
# ===================
|
|
# INTERNAL POLICIES
|
|
# ===================
|
|
|
|
- id: COMP-POL-001
|
|
name: "Code review requirement"
|
|
description: "Code changes must go through review process"
|
|
severity: high
|
|
check:
|
|
type: file_exists
|
|
paths:
|
|
- ".github/PULL_REQUEST_TEMPLATE.md"
|
|
- "CONTRIBUTING.md"
|
|
- ".github/workflows/*.yml"
|
|
message: "Code review process must be documented/enforced"
|
|
|
|
- id: COMP-POL-002
|
|
name: "Change approval documentation"
|
|
description: "Changes must have documented approval"
|
|
severity: medium
|
|
check:
|
|
type: file_exists
|
|
paths:
|
|
- ".github/CODEOWNERS"
|
|
- ".github/workflows/*.yml"
|
|
message: "Document change approval requirements"
|
|
|
|
- id: COMP-POL-003
|
|
name: "Incident response documentation"
|
|
description: "Incident response procedures must be documented"
|
|
severity: medium
|
|
check:
|
|
type: file_exists
|
|
paths:
|
|
- "docs/**/incident*.md"
|
|
- "docs/**/security*.md"
|
|
- "SECURITY.md"
|
|
message: "Document incident response procedures"
|
|
|
|
# ===================
|
|
# EVIDENCE COLLECTION
|
|
# ===================
|
|
|
|
- id: COMP-EVID-001
|
|
name: "Automated testing evidence"
|
|
description: "Test results must be captured for audit evidence"
|
|
severity: medium
|
|
check:
|
|
type: file_exists
|
|
paths:
|
|
- ".github/workflows/ci.yml"
|
|
- "pytest.ini"
|
|
- "pyproject.toml"
|
|
patterns:
|
|
- "pytest|test|coverage"
|
|
message: "Automated testing must be configured"
|
|
|
|
- id: COMP-EVID-002
|
|
name: "Deployment audit trail"
|
|
description: "Deployments must be logged and traceable"
|
|
severity: high
|
|
check:
|
|
type: file_exists
|
|
paths:
|
|
- ".github/workflows/*.yml"
|
|
patterns:
|
|
- "deploy|release"
|
|
message: "Deployment process must be automated and logged"
|
|
|
|
- id: COMP-EVID-003
|
|
name: "Version control usage"
|
|
description: "All code must be version controlled"
|
|
severity: critical
|
|
check:
|
|
type: file_exists
|
|
paths:
|
|
- ".git"
|
|
- ".gitignore"
|
|
message: "Version control is required"
|
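Review bot: COMP-REG-002 is rated critical but its `pattern_required` check for `https|SSL|TLS|SECURE` in app/core/config.py and main.py is satisfied by any comment, external URL, or a disabling line such as `SESSION_COOKIE_SECURE = False`, so a pass on this rule does not evidence HTTPS enforcement. If the checker treats patterns as regexes (the file's `sys\\.exc_info` suggests it does), anchor the match on an enabling assignment, e.g. `- "(HTTPS|SSL|TLS|SECURE)\\w*\\s*=\\s*True|ssl_certfile|ssl_keyfile"`, and add a comment above the rule such as `# Heuristic: detects TLS configuration only; confirm enforcement in deployment review`. The same presence-only weakness applies to COMP-SOX-001, where any `logger.` call, including `logger.debug`, satisfies `requires` without proving an audit-grade log of the financial operation. In COMP-EVID-001 and COMP-EVID-002 a `patterns` key sits under a `file_exists` check; if the checker ignores `patterns` for that type (COMP-POL-001 and COMP-POL-002 use `file_exists` without one), the `deploy|release` and `pytest|test|coverage` conditions are never evaluated and those checks should use `pattern_required` as COMP-REG-002 does.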