@greenarmor/ges-policy-engine 0.6.0 → 0.6.1
- package/dist/packs/cis.js +5 -2
- package/dist/packs/nist.js +15 -0
- package/package.json +3 -3
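--- a/package/dist/packs/cis.js
+++ b/package/dist/packs/cis.js
@@ -17,15 +17,18 @@ export function createCISPolicyPack() {
 {
 id: "CIS-002",
 name: "Inventory of Authorized and Unauthorized Software",
-description: "Maintain a software inventory.",
+description: "Maintain a software inventory via SBOM generation and scanning.",
 category: "asset-management",
 framework: "CIS",
 status: "not-implemented",
 severity: "high",
-implementation_guidance: "
+implementation_guidance: "Generate SBOM in CycloneDX or SPDX format using Syft or Trivy. Scan SBOM for vulnerabilities using Grype. Automate SBOM generation in CI/CD pipeline. Store SBOM artifacts alongside release artifacts.",
 checks: [
 { id: "CIS-002-C1", description: "Software inventory (SBOM) maintained", status: "not-implemented" },
 { id: "CIS-002-C2", description: "Dependency scanning implemented", status: "not-implemented" },
+{ id: "CIS-002-C3", description: "SBOM generated in CycloneDX or SPDX format", status: "not-implemented" },
+{ id: "CIS-002-C4", description: "SBOM vulnerability scanning configured", status: "not-implemented" },
+{ id: "CIS-002-C5", description: "SBOM generation automated in CI/CD", status: "not-implemented" },
 ],
 },
 {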
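Review bot: The new checks CIS-002-C3 and CIS-002-C4 overlap with the existing CIS-002-C1 ("Software inventory (SBOM) maintained") and CIS-002-C2 ("Dependency scanning implemented"), so an assessor can satisfy C1 and C3, or C2 and C4, with the same evidence; the descriptions should state what distinguishes them, e.g. `{ id: "CIS-002-C4", description: "SBOM scanned for known vulnerabilities on every build, independent of lockfile scanning", status: "not-implemented" },`. The new implementation_guidance also asks to "Store SBOM artifacts alongside release artifacts", but none of the five checks covers retaining the SBOM with the release, so the control can be marked implemented without it; add a further check for it or drop that sentence. Naming Syft, Trivy and Grype without qualification reads as a mandate rather than an example; "e.g. Syft or Trivy" keeps the control tool-neutral. createCISPolicyPack begins before this hunk and its body continues after it.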
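--- a/package/dist/packs/nist.js
+++ b/package/dist/packs/nist.js
@@ -87,6 +87,21 @@ export function createNISTPolicyPack() {
 { id: "NIST-RC-001-C3", description: "Regular recovery tests", status: "not-implemented" },
 ],
 },
+{
+id: "NIST-ID-002",
+name: "Supply Chain Risk Management",
+description: "Identify and manage supply chain risks through software Bill of Materials (SBOM).",
+category: "identify",
+framework: "NIST",
+status: "not-implemented",
+severity: "high",
+implementation_guidance: "Generate SBOM for all software components using Syft or Trivy. Scan SBOM for known vulnerabilities using Grype. Automate SBOM generation in CI/CD. Enforce SBOM-based policies for third-party dependencies.",
+checks: [
+{ id: "NIST-ID-002-C1", description: "SBOM generated for all dependencies", status: "not-implemented" },
+{ id: "NIST-ID-002-C2", description: "SBOM vulnerability scanning automated", status: "not-implemented" },
+{ id: "NIST-ID-002-C3", description: "Third-party dependency risk assessed", status: "not-implemented" },
+],
+},
 ];
 return {
 id: "nist",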
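Review bot: The implementation_guidance of the new NIST-ID-002 control ends with "Enforce SBOM-based policies for third-party dependencies", but the three checks only cover generation, scanning and risk assessment; none verifies that a policy gate (for example, blocking a release on a failed SBOM scan) is actually enforced, so the control can be marked implemented with no enforcement in place. Either add a check for enforcement or reword the guidance to match the checks. The description should read `"Identify and manage supply chain risks through a Software Bill of Materials (SBOM)."` (the term is conventionally capitalised as a proper name). As in cis.js, Syft, Trivy and Grype read as required tools rather than examples. createNISTPolicyPack begins before this hunk and the trailing context ends inside the returned object.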
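--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@greenarmor/ges-policy-engine",
-"version": "0.6.
+"version": "0.6.1",
 "type": "module",
 "description": "GESF Policy Engine - Policy packs management and enforcement",
 "main": "./dist/index.js",
@@ -12,8 +12,8 @@
 }
 },
 "dependencies": {
-"@greenarmor/ges-
-"@greenarmor/ges-
+"@greenarmor/ges-core": "0.6.1",
+"@greenarmor/ges-compliance-engine": "0.6.1"
 },
 "devDependencies": {
 "typescript": "^6.0.0",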