@kaademos/secure-sdlc 1.0.0

package/docs/templates/infra-security-review.md

@@ -0,0 +1,133 @@
+# Infrastructure Security Review — [Feature / Release Name]
+
+**Feature / Release:** [Description]
+**Date:** [YYYY-MM-DD]
+**Author:** Cloud/Platform Engineer Agent + [Human reviewer]
+**Scope:** [IaC changes, new services, pipeline changes — list what was reviewed]
+**Status:** Draft / Review / Approved
+
+---
+
+## Scope of Review
+
+### Changes reviewed
+
+| Change | Type | Files / Resources | Notes |
+|--------|------|-------------------|-------|
+| [e.g. New RDS instance] | Terraform | `infra/modules/db/main.tf` | |
+| [e.g. New S3 bucket for uploads] | Terraform | `infra/storage/uploads.tf` | |
+| [e.g. Updated ECS task definition] | Terraform | `infra/ecs/api.tf` | |
+
+### Out of scope
+
+[What was not reviewed and why — e.g. existing unchanged infrastructure, third-party managed services]
+
+---
+
+## Identity and Access Management
+
+| Check | Status | Finding | Severity | Notes |
+|-------|--------|---------|----------|-------|
+| IAM roles follow least-privilege | ✅ Pass / ⚠️ Finding / 🚫 Fail | | | |
+| No wildcard (`*`) permissions without justification | | | | |
+| Service accounts / managed identities used (no long-lived keys) | | | | |
+| MFA enforced on all human accounts with console access | | | | |
+| Cross-account roles reviewed | | | | |
+
+---
+
+## Network Security
+
+| Check | Status | Finding | Severity | Notes |
+|-------|--------|---------|----------|-------|
+| Security groups follow deny-by-default | ✅ Pass / ⚠️ Finding / 🚫 Fail | | | |
+| No 0.0.0.0/0 ingress except LB ports 80/443 | | | | |
+| Databases and internal services in private subnets | | | | |
+| VPC flow logs enabled | | | | |
+| WAF configured for public-facing endpoints | | | | |
+
+---
+
+## Data Security
+
+| Check | Status | Finding | Severity | Notes |
+|-------|--------|---------|----------|-------|
+| Storage buckets / blobs private by default | ✅ Pass / ⚠️ Finding / 🚫 Fail | | | |
+| Encryption at rest enabled | | | | |
+| Encryption in transit enforced (TLS 1.2 minimum) | | | | |
+| Database backup encryption and access controls in place | | | | |
+| Data retention policy applied to new stores | | | | |
+
+---
+
+## Compute and Containers
+
+| Check | Status | Finding | Severity | Notes |
+|-------|--------|---------|----------|-------|
+| Container images built from minimal, pinned base images | ✅ Pass / ⚠️ Finding / 🚫 Fail | | | |
+| Images scanned for CVEs before deployment | | | | |
+| Containers run as non-root | | | | |
+| Read-only root filesystems where possible | | | | |
+| Pod Security Standards enforced (Kubernetes) | | | | |
+| Network policies applied (Kubernetes) | | | | |
+| No privileged containers | | | | |
+
+---
+
+## Secrets Management
+
+| Check | Status | Finding | Severity | Notes |
+|-------|--------|---------|----------|-------|
+| No secrets in environment variables, config files, or code | ✅ Pass / ⚠️ Finding / 🚫 Fail | | | |
+| Secrets stored in approved secrets manager | | | | |
+| Secret rotation policy defined and automated where possible | | | | |
+| CI/CD uses short-lived credentials (OIDC where available) | | | | |
+
+---
+
+## Logging and Monitoring
+
+| Check | Status | Finding | Severity | Notes |
+|-------|--------|---------|----------|-------|
+| Audit logs enabled and retained ≥ 90 days | ✅ Pass / ⚠️ Finding / 🚫 Fail | | | |
+| Alerts configured for key security events | | | | |
+| SIEM integration or log aggregation in place | | | | |
+| Runtime threat detection enabled | | | | |
+
+---
+
+## CI/CD Pipeline Integrity
+
+| Check | Status | Finding | Severity | Notes |
+|-------|--------|---------|----------|-------|
+| Build artefacts signed (SLSA / Sigstore / cosign) | ✅ Pass / ⚠️ Finding / 🚫 Fail | | | |
+| SBOM generated | | | | |
+| Third-party pipeline actions pinned to commit SHAs | | | | |
+| Dependency versions pinned (no `latest` tags) | | | | |
+
+---
+
+## Findings Summary
+
+| ID | Severity | Description | Resource | Recommendation | Status | Owner |
+|----|----------|-------------|----------|----------------|--------|-------|
+| IF-001 | CRITICAL / HIGH / MEDIUM / LOW | [Finding description] | [Terraform resource or ARN] | [What to fix] | Open / Mitigated | |
+
+---
+
+## Decisions and Accepted Deviations
+
+Document any approved deviations from the standard checklist:
+
+| Check | Deviation | Justification | Approver | Review date |
+|-------|-----------|---------------|----------|-------------|
+| | | | | |
+
+---
+
+## Sign-off
+
+| Role | Name | Date | Status |
+|------|------|------|--------|
+| Cloud/Platform Engineer | | | Approved / Pending |
+| Engineering Lead | | | Approved / Pending |

package/docs/templates/release-sign-off.md

@@ -0,0 +1,119 @@
+# Release Security Sign-Off — v[X.Y.Z]
+
+**Release version:** v[X.Y.Z]
+**Release date:** [YYYY-MM-DD]
+**Release Manager:** Release Manager Agent + [Human approver]
+**Decision:** PENDING / ✅ GO / 🚫 NO-GO
+
+---
+
+## Pre-Release Checklist
+
+### Phase artefacts
+
+| Artefact | Location | Status | Notes |
+|----------|----------|--------|-------|
+| Security requirements | `docs/security-requirements.md` | ✅ Complete / ⚠️ Incomplete / 🚫 Missing | |
+| Risk register | `docs/risk-register.md` | | |
+| Threat model | `docs/threat-model.md` | | |
+| Infrastructure security review | `docs/infra-security-review.md` | | |
+| SAST findings | `docs/sast-findings.md` | | |
+| Test security report | `docs/test-security-report.md` | | |
+| Compliance attestation | `docs/audit-evidence/compliance-attestation-vX.Y.Z.md` | | |
+
+---
+
+### Application security gate
+
+| Check | Status | Evidence | Notes |
+|-------|--------|----------|-------|
+| No unmitigated CRITICAL vulnerabilities | ✅ Pass / 🚫 Fail | | |
+| No unmitigated HIGH vulnerabilities (or formal accepted risk) | | | |
+| All ASVS requirements satisfied or formally deferred | | | |
+| Dependency scan clean (no CRITICAL CVEs in direct deps) | | | |
+| Security regression tests pass | | | |
+| DAST / pentest completed and findings triaged | | | |
+
+---
+
+### Infrastructure and platform gate
+
+| Check | Status | Evidence | Notes |
+|-------|--------|----------|-------|
+| No CRITICAL or HIGH CSPM findings outstanding | ✅ Pass / 🚫 Fail | | |
+| Secret scan clean — no hardcoded secrets in release branch | | | |
+| TLS configuration verified on all public endpoints | | | |
+| WAF rules reviewed and updated for new attack surface | | | |
+| Production access controls reviewed | | | |
+| Secrets rotation completed where applicable | | | |
+
+---
+
+### Compliance gate
+
+| Check | Status | Evidence | Notes |
+|-------|--------|----------|-------|
+| GRC compliance attestation produced | ✅ Pass / 🚫 Fail | | |
+| No blocking compliance gaps | | | |
+| Audit evidence collected for all changed controls | | | |
+
+---
+
+### Operational readiness
+
+| Check | Status | Notes |
+|-------|--------|-------|
+| Security monitoring covers new features | ✅ Pass / 🚫 Fail | |
+| Incident response runbook updated | | |
+| On-call team briefed on security-relevant changes | | |
+| Rollback plan documented | | |
+
+---
+
+## Gate Summary
+
+| Gate | Result | Blocker count | Notes |
+|------|--------|--------------|-------|
+| Application Security | ✅ PASS / 🚫 FAIL | | |
+| Infrastructure Security | ✅ PASS / 🚫 FAIL | | |
+| Compliance | ✅ PASS / 🚫 FAIL | | |
+| Operational Readiness | ✅ PASS / 🚫 FAIL | | |
+
+---
+
+## Outstanding Items
+
+Items waived, accepted, or deferred for this release:
+
+| Item | Risk ID | Justification | Owner | Resolution date |
+|------|---------|---------------|-------|----------------|
+| | | | | |
+
+---
+
+## Blockers (NO-GO only)
+
+| Blocker | Severity | Owner | Required action | Target date |
+|---------|----------|-------|-----------------|-------------|
+| | | | | |
+
+---
+
+## Decision
+
+**Decision:** ✅ GO / 🚫 NO-GO
+
+**Rationale:**
+[Brief summary of the security posture of this release and the basis for the decision]
+
+---
+
+## Authorisation
+
+This sign-off has been produced by the Release Manager Agent. Human authorisation is
+required before deployment to production.
+
+| Role | Name | Signature | Date |
+|------|------|-----------|------|
+| Release Manager Agent | (automated) | — | [YYYY-MM-DD] |
+| [CISO / Engineering Director / as per release policy] | | | |

package/docs/templates/risk-register.md

@@ -0,0 +1,72 @@
+# Risk Register
+
+**Project / Feature:** [Name]
+**Last updated:** [YYYY-MM-DD]
+**Owner:** GRC Analyst Agent + [Human GRC lead]
+
+---
+
+## Risk Scoring Guide
+
+**Likelihood:** 1 (Rare) → 2 (Unlikely) → 3 (Possible) → 4 (Likely) → 5 (Almost certain)
+**Impact:** 1 (Negligible) → 2 (Minor) → 3 (Moderate) → 4 (Major) → 5 (Critical)
+**Inherent risk score** = Likelihood × Impact
+
+| Score | Rating |
+|-------|--------|
+| 1–4 | LOW |
+| 5–9 | MEDIUM |
+| 10–16 | HIGH |
+| 17–25 | CRITICAL |
+
+---
+
+## Active Risks
+
+| Risk ID | Description | Category | Likelihood | Impact | Inherent Score | Inherent Rating | Control(s) | Residual Score | Residual Rating | Owner | Status | Due Date | Notes |
+|---------|-------------|----------|------------|--------|----------------|-----------------|------------|----------------|-----------------|-------|--------|----------|-------|
+| R-001 | [Risk description] | [App / Infra / People / Process / Compliance] | [1-5] | [1-5] | [L×I] | [LOW/MED/HIGH/CRIT] | [Control description] | [1-5] | [LOW/MED/HIGH/CRIT] | [Owner] | [Open / Mitigated / Accepted / Transferred] | [YYYY-MM-DD] | |
+
+**Category definitions:**
+- **Application** — vulnerabilities in application code or logic
+- **Infrastructure** — cloud, platform, or network-layer risks
+- **People** — insider threat, privilege misuse, human error
+- **Process** — gaps in process, oversight, or governance
+- **Compliance** — regulatory or contractual obligations at risk
+
+---
+
+## Accepted Risks
+
+Risks that have been formally accepted rather than mitigated. Each requires documented
+business justification and an approver of appropriate seniority.
+
+| Risk ID | Description | Residual Rating | Business Justification | Approver | Approval Date | Review Date |
+|---------|-------------|-----------------|------------------------|----------|--------------|-------------|
+| | | | | | | |
+
+---
+
+## Closed Risks
+
+| Risk ID | Description | Closure Reason | Closure Date |
+|---------|-------------|---------------|-------------|
+| | | [Mitigated / No longer applicable / Duplicate] | |
+
+---
+
+## Compliance Control Mapping
+
+Map risks to applicable framework controls to show coverage:
+
+| Risk ID | ASVS Ref | SOC 2 | ISO 27001 | NIST CSF | PCI DSS | GDPR |
+|---------|----------|-------|-----------|----------|---------|------|
+| R-001 | | | | | | |
+
+---
+
+## Review History
+
+| Date | Reviewer | Changes made |
+|------|----------|-------------|
+| [YYYY-MM-DD] | | Initial version |

package/docs/templates/sast-findings.md

@@ -0,0 +1,110 @@
+# SAST Findings — [Feature / PR / Branch]
+
+**Feature / PR / Branch:** [e.g. PR #42 — login endpoint / feature/user-auth]
+**Date:** [YYYY-MM-DD]
+**Tool(s):** [e.g. Semgrep, Checkmarx, Snyk Code, SonarQube]
+**Author:** AppSec Engineer Agent + Dev Lead Agent + [Human reviewer]
+**Status:** Open / In Remediation / Resolved
+
+---
+
+## Summary
+
+| Severity | Total | Confirmed | False Positive | Needs Review | Resolved |
+|----------|-------|-----------|---------------|-------------|---------|
+| CRITICAL | | | | | |
+| HIGH | | | | | |
+| MEDIUM | | | | | |
+| LOW | | | | | |
+| INFO | | | | | |
+| **Total** | | | | | |
+
+**Gate status:**
+- CRITICAL confirmed findings: [N] — [Blocks merge / All resolved]
+- HIGH confirmed findings: [N] — [Blocks release / All resolved]
+
+---
+
+## Findings
+
+---
+
+### [SF-001] — [Tool Rule ID] — [Finding Title]
+
+**File:** `path/to/file.ext:line_number`
+**Severity:** CRITICAL / HIGH / MEDIUM / LOW / INFO
+**Status:** Confirmed / False Positive / Needs Review / Resolved
+**CWE:** [CWE-XXX — Name]
+**OWASP Top 10:** [A0X:Year — Category] *(if applicable)*
+**ASVS Ref:** [V.X.Y.Z] *(from security-requirements.md)*
+
+**What the scanner found:**
+```
+[Paste the relevant code snippet — anonymised if needed]
+```
+
+**Why this matters (plain English):**
+[Explain the vulnerability and its real-world impact without jargon. Write this for the
+developer who owns the fix, not for an auditor.]
+
+**Confirmed exploitable:** Yes / No / Unknown
+[If No or Unknown, explain why — e.g. "the affected function is only reachable from an
+authenticated admin context, reducing exploitability significantly"]
+
+**Remediation:**
+[Concrete fix with a code example where possible]
+
+```
+[Example of the corrected code]
+```
+
+**References:**
+- OWASP: [relevant link]
+- ASVS: [control reference]
+
+**Owner:** [Developer / team]
+**Target resolution date:** [YYYY-MM-DD]
+**Resolved date:** [YYYY-MM-DD or —]
+
+---
+
+### [SF-002] — [Tool Rule ID] — [Finding Title]
+
+*(Copy the block above for each finding)*
+
+---
+
+## False Positives
+
+Document findings marked as false positives so the reasoning is auditable:
+
+| ID | Tool Rule | File:Line | Reason for FP determination | Reviewer | Date |
+|----|-----------|-----------|----------------------------|----------|------|
+| | | | | | |
+
+---
+
+## Suppressed / Accepted Findings
+
+Findings that are confirmed but have been formally accepted rather than fixed:
+
+| ID | Severity | Description | Business Justification | Approver | Review Date | Risk Register Ref |
+|----|----------|-------------|------------------------|----------|-------------|-------------------|
+| | | | | | | |
+
+---
+
+## Remediation Tracking
+
+| ID | Severity | Finding | Owner | Target Date | Status | PR / Commit |
+|----|----------|---------|-------|-------------|--------|-------------|
+| SF-001 | | | | | Open / In Progress / Resolved | |
+
+---
+
+## Review History
+
+| Date | Reviewer | Action |
+|------|----------|--------|
+| [YYYY-MM-DD] | AppSec Engineer Agent | Initial triage |
+| | | |

package/docs/templates/security-requirements.md

@@ -0,0 +1,98 @@
+# Security Requirements — [Feature Name]
+
+**Feature:** [Brief description of what is being built]
+**Date:** [YYYY-MM-DD]
+**Author:** Product Manager Agent + [Human reviewer]
+**ASVS Target Level:** L1 / L2 / L3
+**Status:** Draft / Review / Approved
+
+---
+
+## Actors
+
+List every actor that interacts with this feature:
+
+| Actor | Type | Trust Level | Notes |
+|-------|------|------------|-------|
+| [e.g. Authenticated user] | Human | Low | Standard registered user |
+| [e.g. Admin] | Human | Medium | Internal staff with elevated access |
+| [e.g. Payment service] | System | High | Third-party integration via API key |
+
+---
+
+## Security Requirements
+
+| ID | Requirement | ASVS Ref | Priority | Acceptance Criteria | Status |
+|----|-------------|----------|----------|---------------------|--------|
+| SR-001 | [Requirement text] | V[X.Y.Z] | MUST / SHOULD / MAY | [Testable criterion] | Open |
+| SR-002 | | | | | |
+| SR-003 | | | | | |
+
+**Priority definitions:**
+- MUST — non-negotiable; feature cannot ship without this
+- SHOULD — strong preference; requires documented justification to defer
+- MAY — nice to have; defer if time-constrained
+
+**Common ASVS references by topic:**
+
+| Topic | ASVS Chapter |
+|-------|-------------|
+| Authentication | V2 |
+| Session management | V3 |
+| Access control | V4 |
+| Input validation | V5 |
+| Cryptography | V6 |
+| Error handling / logging | V7 |
+| Data protection | V8 |
+| Communications security | V9 |
+| API security | V13 |
+
+---
+
+## Privacy Requirements
+
+- [ ] Data minimisation: only the following fields are collected: [list fields]
+- [ ] Retention period defined: data retained for [X days/years], then [deleted/anonymised]
+- [ ] Legal basis documented: [Consent / Contract / Legitimate interest / Legal obligation]
+- [ ] User consent mechanism required: Yes / No — [reasoning]
+- [ ] Data subject rights supported: access, rectification, erasure, portability
+
+---
+
+## Data Classification
+
+| Data Element | Classification | Storage Location | Encryption Required | Access Control |
+|---|---|---|---|---|
+| [e.g. Password hash] | Confidential | Users DB | At rest + in transit | Auth users only |
+| [e.g. Email address] | PII | Users DB | At rest + in transit | Owner + admin |
+| [e.g. Session token] | Confidential | Redis | In transit | Owner only |
+
+---
+
+## Integration Security
+
+List any third-party services, APIs, or systems this feature calls:
+
+| Integration | Purpose | Auth method | Data shared | Risk notes |
+|---|---|---|---|---|
+| [Service name] | [Why] | [API key / OAuth / mTLS] | [What data] | [Any concerns] |
+
+---
+
+## Out of Scope
+
+Document any ASVS controls explicitly deferred and the justification:
+
+| ASVS Ref | Control | Reason deferred | Review date |
+|----------|---------|----------------|-------------|
+| | | | |
+
+---
+
+## Sign-off
+
+| Role | Name | Date | Status |
+|------|------|------|--------|
+| Product Manager | | | Approved / Pending |
+| AppSec Engineer | | | Approved / Pending |
+| Engineering Lead | | | Approved / Pending |

package/docs/templates/test-security-report.md

@@ -0,0 +1,143 @@
+# Test Security Report — [Feature / Release Name]
+
+**Feature / Release:** [Description]
+**Date:** [YYYY-MM-DD]
+**Author:** AppSec Engineer Agent + [Human reviewer]
+**Test types performed:** DAST / Penetration test / Fuzz testing / Security regression / [other]
+**Environment tested:** Staging / Pre-production / [other — never production without explicit approval]
+**Status:** Draft / Review / Approved
+
+---
+
+## Test Coverage Summary
+
+| Test Type | Tool / Method | Scope | Date Performed | Performed By |
+|-----------|---------------|-------|---------------|-------------|
+| DAST | [e.g. OWASP ZAP, Burp Suite] | [URLs / API endpoints in scope] | [YYYY-MM-DD] | [Agent / Person / External firm] |
+| Penetration test | [Manual / Automated] | [Scope] | | |
+| Fuzz testing | [e.g. Atheris, Jazzer, libFuzzer] | [Components] | | |
+| Security regression | [Test suite reference] | [Feature] | | |
+
+---
+
+## Findings Summary
+
+| Severity | Count | Resolved | Outstanding | Accepted Risk |
+|----------|-------|----------|-------------|---------------|
+| CRITICAL | | | | |
+| HIGH | | | | |
+| MEDIUM | | | | |
+| LOW | | | | |
+| INFO | | | | |
+
+**Gate status:**
+- CRITICAL outstanding: [N] — [Blocks release / None]
+- HIGH outstanding: [N] — [Blocks release or accepted risk documented]
+
+---
+
+## Findings
+
+---
+
+### [TF-001] — [Finding Title]
+
+**Source:** [DAST / Pentest / Fuzz / Regression]
+**Tool / Tester:** [Tool name or tester]
+**Endpoint / Component:** `[URL, method, or component name]`
+**Severity:** CRITICAL / HIGH / MEDIUM / LOW / INFO
+**Status:** Open / In Remediation / Resolved / Accepted Risk
+**CWE:** [CWE-XXX — Name]
+**OWASP Top 10:** [A0X:Year — Category]
+**CVSS Score:** [X.X — if calculated]
+
+**Description:**
+[What was found. Be specific — include the request/response, payload, or reproduction steps
+where it does not expose sensitive production details.]
+
+**Reproduction steps:**
+1. [Step 1]
+2. [Step 2]
+3. [Observed result]
+
+**Expected result:**
+[What should have happened instead]
+
+**Evidence:**
+[Screenshot reference, HTTP request/response excerpt, or log snippet — redact any real user
+data or credentials before including here]
+
+**Business impact:**
+[What could an attacker do with this? Quantify where possible — e.g. "allows unauthenticated
+read access to all user records" rather than "information disclosure".]
+
+**Remediation:**
+[Specific fix. Reference the relevant ASVS control and security requirement ID.]
+
+**ASVS Ref:** [V.X.Y.Z]
+**Security Requirement Ref:** [SR-XXX from security-requirements.md]
+
+**Owner:** [Developer / team]
+**Target resolution date:** [YYYY-MM-DD]
+**Resolved date:** [YYYY-MM-DD or —]
+**Verification:** [How the fix was verified — e.g. re-run ZAP scan, manual retest]
+
+---
+
+### [TF-002] — [Finding Title]
+
+*(Copy the block above for each finding)*
+
+---
+
+## OWASP Top 10 Coverage
+
+Document which OWASP Top 10 categories were tested and the result:
+
+| Category | Tested | Result | Notes |
+|----------|--------|--------|-------|
+| A01 Broken Access Control | ✅ Yes / ❌ No | Pass / Finding | |
+| A02 Cryptographic Failures | | | |
+| A03 Injection | | | |
+| A04 Insecure Design | | | |
+| A05 Security Misconfiguration | | | |
+| A06 Vulnerable and Outdated Components | | | |
+| A07 Identification and Authentication Failures | | | |
+| A08 Software and Data Integrity Failures | | | |
+| A09 Security Logging and Monitoring Failures | | | |
+| A10 Server-Side Request Forgery | | | |
+
+---
+
+## Security Regression Results
+
+| Test ID | Test Description | ASVS Ref | SR Ref | Result | Notes |
+|---------|-----------------|----------|--------|--------|-------|
+| | | | | Pass / Fail | |
+
+---
+
+## Remediation Tracking
+
+| ID | Severity | Description | Owner | Target Date | Status | PR / Commit |
+|----|----------|-------------|-------|-------------|--------|-------------|
+| TF-001 | | | | | Open / Resolved | |
+
+---
+
+## Outstanding Items
+
+List any findings that remain open at the time of sign-off, with accepted risk documentation:
+
+| ID | Severity | Reason not resolved | Risk Register Ref | Approver | Review Date |
+|----|----------|--------------------|--------------------|----------|-------------|
+| | | | | | |
+
+---
+
+## Sign-off
+
+| Role | Name | Date | Status |
+|------|------|------|--------|
+| AppSec Engineer | | | Approved / Pending |
+| Engineering Lead | | | Approved / Pending |