Samir Boulahtit
b382090771
Some checks failed
- Delete .gitlab-ci.yml (replaced by .gitea/workflows/ci.yml) - Delete docs/deployment/gitlab.md (superseded by gitea.md) - Update audit rules to reference .gitea/workflows/*.yml - Update validate_audit.py to check Gitea CI paths - Clean up GitLab references in gitea.md, mkdocs.yml, .dockerignore - Mark IPv6 AAAA records as completed in hetzner docs Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
196 lines
5.3 KiB
YAML
196 lines
5.3 KiB
YAML
# Third-Party Risk Rules
|
|
# ======================
|
|
# Ensures proper management of external dependencies.
|
|
# Critical for supply chain security and license compliance.
|
|
|
|
rules:
|
|
# ===================
|
|
# DEPENDENCY MANAGEMENT
|
|
# ===================
|
|
|
|
- id: THIRD-DEP-001
|
|
name: "Dependency lock file required"
|
|
description: "Dependencies must be locked to specific versions"
|
|
severity: high
|
|
check:
|
|
type: file_exists
|
|
paths:
|
|
- "uv.lock"
|
|
- "poetry.lock"
|
|
- "requirements.lock"
|
|
- "Pipfile.lock"
|
|
message: "Dependency lock file required for reproducible builds"
|
|
|
|
- id: THIRD-DEP-002
|
|
name: "Dependencies defined in manifest"
|
|
description: "All dependencies must be declared"
|
|
severity: critical
|
|
check:
|
|
type: file_exists
|
|
paths:
|
|
- "pyproject.toml"
|
|
- "requirements.txt"
|
|
- "Pipfile"
|
|
message: "Dependency manifest file required"
|
|
|
|
- id: THIRD-DEP-003
|
|
name: "Pinned dependency versions"
|
|
description: "Production dependencies should have pinned versions"
|
|
severity: high
|
|
check:
|
|
type: pattern_recommended
|
|
paths:
|
|
- "pyproject.toml"
|
|
patterns:
|
|
- '>=.*,<|==|~='
|
|
message: "Consider pinning dependency version ranges"
|
|
|
|
# ===================
|
|
# VULNERABILITY MANAGEMENT
|
|
# ===================
|
|
|
|
- id: THIRD-VULN-001
|
|
name: "Dependency vulnerability scanning"
|
|
description: "Dependencies must be scanned for vulnerabilities"
|
|
severity: high
|
|
check:
|
|
type: file_exists
|
|
paths:
|
|
- ".github/workflows/*.yml"
|
|
- ".gitea/workflows/*.yml"
|
|
patterns:
|
|
- "safety|pip-audit|snyk|dependabot"
|
|
message: "Dependency vulnerability scanning required"
|
|
|
|
- id: THIRD-VULN-002
|
|
name: "Dependabot enabled"
|
|
description: "Automated dependency updates should be configured"
|
|
severity: medium
|
|
check:
|
|
type: file_exists
|
|
paths:
|
|
- ".github/dependabot.yml"
|
|
- ".gitea/workflows/*.yml"
|
|
message: "Consider enabling Dependabot for security updates"
|
|
|
|
- id: THIRD-VULN-003
|
|
name: "Container base image scanning"
|
|
description: "Container base images should be scanned"
|
|
severity: medium
|
|
check:
|
|
type: pattern_recommended
|
|
paths:
|
|
- ".github/workflows/*.yml"
|
|
- ".gitea/workflows/*.yml"
|
|
patterns:
|
|
- "trivy|grype|snyk.*container"
|
|
message: "Consider container image vulnerability scanning"
|
|
|
|
# ===================
|
|
# LICENSE COMPLIANCE
|
|
# ===================
|
|
|
|
- id: THIRD-LIC-001
|
|
name: "License compatibility check"
|
|
description: "Dependency licenses must be compatible"
|
|
severity: high
|
|
check:
|
|
type: documentation
|
|
message: "Document license compliance verification process"
|
|
|
|
- id: THIRD-LIC-002
|
|
name: "No copyleft in proprietary code"
|
|
description: "GPL/AGPL dependencies require careful handling"
|
|
severity: high
|
|
check:
|
|
type: pattern_forbidden
|
|
paths:
|
|
- "pyproject.toml"
|
|
patterns:
|
|
- "gpl|agpl"
|
|
case_insensitive: true
|
|
message: "Copyleft licenses require legal review"
|
|
|
|
- id: THIRD-LIC-003
|
|
name: "Project license declared"
|
|
description: "Project must have explicit license"
|
|
severity: medium
|
|
check:
|
|
type: file_exists
|
|
paths:
|
|
- "LICENSE"
|
|
- "LICENSE.md"
|
|
- "LICENSE.txt"
|
|
message: "Project license file recommended"
|
|
|
|
# ===================
|
|
# VENDOR ASSESSMENT
|
|
# ===================
|
|
|
|
- id: THIRD-VEND-001
|
|
name: "Trusted package sources"
|
|
description: "Packages should come from trusted sources"
|
|
severity: high
|
|
check:
|
|
type: pattern_forbidden
|
|
paths:
|
|
- "pyproject.toml"
|
|
- "requirements.txt"
|
|
patterns:
|
|
- "git\\+http://|--index-url.*http://"
|
|
message: "Only HTTPS sources allowed for packages"
|
|
|
|
- id: THIRD-VEND-002
|
|
name: "No direct Git dependencies in production"
|
|
description: "Production should use released packages"
|
|
severity: medium
|
|
check:
|
|
type: pattern_recommended
|
|
paths:
|
|
- "pyproject.toml"
|
|
patterns:
|
|
- "git\\+"
|
|
invert: true
|
|
message: "Prefer released packages over Git dependencies"
|
|
|
|
- id: THIRD-VEND-003
|
|
name: "Minimal dependencies"
|
|
description: "Only necessary dependencies should be included"
|
|
severity: low
|
|
check:
|
|
type: documentation
|
|
message: "Document justification for external dependencies"
|
|
|
|
# ===================
|
|
# SUPPLY CHAIN SECURITY
|
|
# ===================
|
|
|
|
- id: THIRD-CHAIN-001
|
|
name: "Package integrity verification"
|
|
description: "Package hashes should be verified"
|
|
severity: medium
|
|
check:
|
|
type: pattern_recommended
|
|
paths:
|
|
- "uv.lock"
|
|
- "requirements.txt"
|
|
patterns:
|
|
- "sha256|hash"
|
|
message: "Consider hash verification for packages"
|
|
|
|
- id: THIRD-CHAIN-002
|
|
name: "Signed commits for dependencies"
|
|
description: "Critical dependencies should use signed releases"
|
|
severity: low
|
|
check:
|
|
type: documentation
|
|
message: "Consider verifying signatures for critical dependencies"
|
|
|
|
- id: THIRD-CHAIN-003
|
|
name: "Private package registry"
|
|
description: "Internal packages should use private registry"
|
|
severity: low
|
|
check:
|
|
type: documentation
|
|
message: "Document private package registry usage if applicable"
|