@zerothreatai/vulnerability-registry 5.0.0 → 7.0.0

package/dist-cjs/compliances/sans-top-25.js

@@ -0,0 +1,245 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SANS_TOP_25_COMPLIANCE = void 0;
+const compliance_codes_1 = require("../compliance-codes");
+const types_1 = require("../types");
+const helpers_js_1 = require("./helpers.js");
+const authIds = (0, helpers_js_1.idsByCategory)('authentication');
+const injectionIds = (0, helpers_js_1.idsByCategory)('injection');
+const xssIds = (0, helpers_js_1.idsByCategory)('xss');
+const ssrfIds = (0, helpers_js_1.idsByCategory)('ssrf');
+const disclosureIds = (0, helpers_js_1.idsByCategory)('information_disclosure');
+const accessControlIds = (0, helpers_js_1.idsByCodePrefix)(['BAC_', 'MASSASSIGN_']);
+const sqliIds = (0, helpers_js_1.idsByCodePrefix)(['SQLI_']);
+const cmdiIds = (0, helpers_js_1.idsByCodePrefix)(['CMDI_']);
+const sstiIds = (0, helpers_js_1.idsByCodePrefix)(['SSTI_']);
+const lfiIds = (0, helpers_js_1.idsByCodePrefix)(['LFI_']);
+const deserializationIds = (0, helpers_js_1.idsByCodePrefix)(['DESER_']);
+const inputValidationIds = (0, helpers_js_1.mergeIds)(injectionIds, xssIds, ssrfIds);
+exports.SANS_TOP_25_COMPLIANCE = {
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_79_XSS]: {
+        id: 181,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_79_XSS,
+        title: 'CWE-79 Cross-site Scripting',
+        description: 'Improper Neutralization of Input During Web Page Generation (Cross-site Scripting).',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: xssIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_787_OOB_WRITE]: {
+        id: 182,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_787_OOB_WRITE,
+        title: 'CWE-787 Out-of-bounds Write',
+        description: 'Out-of-bounds Write.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_89_SQLI]: {
+        id: 183,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_89_SQLI,
+        title: 'CWE-89 SQL Injection',
+        description: 'Improper Neutralization of Special Elements used in an SQL Command (SQL Injection).',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: sqliIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_352_CSRF]: {
+        id: 184,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_352_CSRF,
+        title: 'CWE-352 Cross-Site Request Forgery',
+        description: 'Cross-Site Request Forgery (CSRF).',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_22_PATH_TRAVERSAL]: {
+        id: 185,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_22_PATH_TRAVERSAL,
+        title: 'CWE-22 Path Traversal',
+        description: 'Improper Limitation of a Pathname to a Restricted Directory (Path Traversal).',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: lfiIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_125_OOB_READ]: {
+        id: 186,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_125_OOB_READ,
+        title: 'CWE-125 Out-of-bounds Read',
+        description: 'Out-of-bounds Read.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_78_OS_COMMAND_INJECTION]: {
+        id: 187,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_78_OS_COMMAND_INJECTION,
+        title: 'CWE-78 OS Command Injection',
+        description: 'Improper Neutralization of Special Elements used in an OS Command (OS Command Injection).',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: cmdiIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_416_USE_AFTER_FREE]: {
+        id: 188,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_416_USE_AFTER_FREE,
+        title: 'CWE-416 Use After Free',
+        description: 'Use After Free.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_862_MISSING_AUTHZ]: {
+        id: 189,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_862_MISSING_AUTHZ,
+        title: 'CWE-862 Missing Authorization',
+        description: 'Missing Authorization.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: accessControlIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_434_UNRESTRICTED_UPLOAD]: {
+        id: 190,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_434_UNRESTRICTED_UPLOAD,
+        title: 'CWE-434 Unrestricted File Upload',
+        description: 'Unrestricted Upload of File with Dangerous Type.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_94_CODE_INJECTION]: {
+        id: 191,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_94_CODE_INJECTION,
+        title: 'CWE-94 Code Injection',
+        description: 'Improper Control of Generation of Code (Code Injection).',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: sstiIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_20_INPUT_VALIDATION]: {
+        id: 192,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_20_INPUT_VALIDATION,
+        title: 'CWE-20 Improper Input Validation',
+        description: 'Improper Input Validation.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: inputValidationIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_77_COMMAND_INJECTION]: {
+        id: 193,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_77_COMMAND_INJECTION,
+        title: 'CWE-77 Command Injection',
+        description: 'Improper Neutralization of Special Elements used in a Command (Command Injection).',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: cmdiIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_287_IMPROPER_AUTH]: {
+        id: 194,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_287_IMPROPER_AUTH,
+        title: 'CWE-287 Improper Authentication',
+        description: 'Improper Authentication.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: authIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_269_PRIVILEGE_MGMT]: {
+        id: 195,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_269_PRIVILEGE_MGMT,
+        title: 'CWE-269 Improper Privilege Management',
+        description: 'Improper Privilege Management.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: accessControlIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_502_UNTRUSTED_DESER]: {
+        id: 196,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_502_UNTRUSTED_DESER,
+        title: 'CWE-502 Deserialization of Untrusted Data',
+        description: 'Deserialization of Untrusted Data.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: deserializationIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_200_INFO_EXPOSURE]: {
+        id: 197,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_200_INFO_EXPOSURE,
+        title: 'CWE-200 Exposure of Sensitive Information',
+        description: 'Exposure of Sensitive Information to an Unauthorized Actor.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: disclosureIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_863_INCORRECT_AUTHZ]: {
+        id: 198,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_863_INCORRECT_AUTHZ,
+        title: 'CWE-863 Incorrect Authorization',
+        description: 'Incorrect Authorization.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: accessControlIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_918_SSRF]: {
+        id: 199,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_918_SSRF,
+        title: 'CWE-918 Server-Side Request Forgery',
+        description: 'Server-Side Request Forgery (SSRF).',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: ssrfIds,
+        isNotApplicable: false,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_119_MEMORY_BOUNDS]: {
+        id: 200,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_119_MEMORY_BOUNDS,
+        title: 'CWE-119 Memory Buffer Bounds',
+        description: 'Improper Restriction of Operations within the Bounds of a Memory Buffer.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_476_NULL_DEREF]: {
+        id: 201,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_476_NULL_DEREF,
+        title: 'CWE-476 NULL Pointer Dereference',
+        description: 'NULL Pointer Dereference.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_798_HARDCODED_CREDS]: {
+        id: 202,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_798_HARDCODED_CREDS,
+        title: 'CWE-798 Use of Hard-coded Credentials',
+        description: 'Use of Hard-coded Credentials.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_190_INTEGER_OVERFLOW]: {
+        id: 203,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_190_INTEGER_OVERFLOW,
+        title: 'CWE-190 Integer Overflow or Wraparound',
+        description: 'Integer Overflow or Wraparound.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION]: {
+        id: 204,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION,
+        title: 'CWE-400 Uncontrolled Resource Consumption',
+        description: 'Uncontrolled Resource Consumption.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_306_MISSING_AUTH]: {
+        id: 205,
+        code: compliance_codes_1.ComplianceCode.SANS_TOP_25_CWE_306_MISSING_AUTH,
+        title: 'CWE-306 Missing Authentication for Critical Function',
+        description: 'Missing Authentication for Critical Function.',
+        complianceStandard: types_1.ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: authIds,
+        isNotApplicable: true,
+    },
+};

package/dist-cjs/index.js

@@ -5,7 +5,7 @@
  * Exports all vulnerability codes, definitions, and lookup utilities
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SCANNER_REGISTRY = exports.CATEGORY_REGISTRY = exports.SENSITIVE_PATH_VULNERABILITIES = exports.CONFIG_VULNERABILITIES = exports.AUTH_VULNERABILITIES = exports.SSRF_VULNERABILITIES = exports.XSS_VULNERABILITIES = exports.INJECTION_VULNERABILITIES = exports.VulnerabilityCode = exports.VULNERABILITY_REGISTRY = void 0;
+exports.SCANNER_REGISTRY = exports.CATEGORY_REGISTRY = exports.SANS_TOP_25_COMPLIANCE = exports.PCI_DSS_COMPLIANCE = exports.GDPR_COMPLIANCE = exports.HIPAA_COMPLIANCE = exports.OWASP_COMPLIANCE = exports.SENSITIVE_PATH_VULNERABILITIES = exports.CONFIG_VULNERABILITIES = exports.AUTH_VULNERABILITIES = exports.SSRF_VULNERABILITIES = exports.XSS_VULNERABILITIES = exports.INJECTION_VULNERABILITIES = exports.VulnerabilityCode = exports.VULNERABILITY_REGISTRY = void 0;
 exports.getVulnerabilityDefinition = getVulnerabilityDefinition;
 exports.getVulnerabilitiesByScanner = getVulnerabilitiesByScanner;
 exports.getVulnerabilitiesByCategory = getVulnerabilitiesByCategory;
@@ -31,6 +31,12 @@ const category_js_1 = require("./category.js");
 Object.defineProperty(exports, "CATEGORY_REGISTRY", { enumerable: true, get: function () { return category_js_1.CATEGORY_REGISTRY; } });
 const scanner_js_1 = require("./scanner.js");
 Object.defineProperty(exports, "SCANNER_REGISTRY", { enumerable: true, get: function () { return scanner_js_1.SCANNER_REGISTRY; } });
+const index_js_1 = require("./compliances/index.js");
+Object.defineProperty(exports, "OWASP_COMPLIANCE", { enumerable: true, get: function () { return index_js_1.OWASP_COMPLIANCE; } });
+Object.defineProperty(exports, "HIPAA_COMPLIANCE", { enumerable: true, get: function () { return index_js_1.HIPAA_COMPLIANCE; } });
+Object.defineProperty(exports, "GDPR_COMPLIANCE", { enumerable: true, get: function () { return index_js_1.GDPR_COMPLIANCE; } });
+Object.defineProperty(exports, "PCI_DSS_COMPLIANCE", { enumerable: true, get: function () { return index_js_1.PCI_DSS_COMPLIANCE; } });
+Object.defineProperty(exports, "SANS_TOP_25_COMPLIANCE", { enumerable: true, get: function () { return index_js_1.SANS_TOP_25_COMPLIANCE; } });
 /**
  * Complete vulnerability registry combining all categories
  */
@@ -108,6 +114,11 @@ exports.default = {
     getAllVulnerabilityCodes,
     getVulnerabilityCount,
     createFinding,
+    OWASP_COMPLIANCE: index_js_1.OWASP_COMPLIANCE,
+    HIPAA_COMPLIANCE: index_js_1.HIPAA_COMPLIANCE,
+    GDPR_COMPLIANCE: index_js_1.GDPR_COMPLIANCE,
+    PCI_DSS_COMPLIANCE: index_js_1.PCI_DSS_COMPLIANCE,
+    SANS_TOP_25_COMPLIANCE: index_js_1.SANS_TOP_25_COMPLIANCE,
     CATEGORY_REGISTRY: category_js_1.CATEGORY_REGISTRY,
     SCANNER_REGISTRY: scanner_js_1.SCANNER_REGISTRY,
 };

package/dist-cjs/types.js

@@ -5,3 +5,15 @@
  * Central type definitions for all vulnerability definitions.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.ComplianceCategory = void 0;
+/**
+ * Compliance standards
+ */
+var ComplianceCategory;
+(function (ComplianceCategory) {
+    ComplianceCategory["OWASP"] = "OWASP";
+    ComplianceCategory["HIPAA"] = "HIPAA";
+    ComplianceCategory["GDPR"] = "GDPR";
+    ComplianceCategory["PCIDSS"] = "PCIDSS";
+    ComplianceCategory["SANS_TOP_25"] = "SANS_TOP_25";
+})(ComplianceCategory || (exports.ComplianceCategory = ComplianceCategory = {}));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zerothreatai/vulnerability-registry",
-  "version": "5.0.0",
+  "version": "7.0.0",
   "description": "Centralized vulnerability definitions, CVSS scores, and references for ZeroThreat scanners",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -30,6 +30,11 @@
       "types": "./dist/error-codes.d.ts",
       "import": "./dist/error-codes.js",
       "require": "./dist-cjs/error-codes.js"
+    },
+    "./compliances": {
+      "types": "./dist/compliances/index.d.ts",
+      "import": "./dist/compliances/index.js",
+      "require": "./dist-cjs/compliances/index.js"
     }
   },
   "devDependencies": {

package/src/compliance-codes.ts

@@ -0,0 +1,216 @@
+export enum ComplianceCode {
+  // --- OWASP (ComplianceId: 1) ---
+  OWASP_A1_BROKEN_ACCESS_CONTROL = 'OWASP_A1_BROKEN_ACCESS_CONTROL',
+  OWASP_A2_CRYPTOGRAPHIC_FAILURES = 'OWASP_A2_CRYPTOGRAPHIC_FAILURES',
+  OWASP_A3_INJECTION_FLAWS = 'OWASP_A3_INJECTION_FLAWS',
+  OWASP_A4_INSECURE_DESIGN = 'OWASP_A4_INSECURE_DESIGN',
+  OWASP_A5_SECURITY_MISCONFIGURATION = 'OWASP_A5_SECURITY_MISCONFIGURATION',
+  OWASP_A6_VULNERABLE_OUTDATED_COMPONENTS = 'OWASP_A6_VULNERABLE_OUTDATED_COMPONENTS',
+  OWASP_A7_IDENTIFICATION_AUTH_FAILURE = 'OWASP_A7_IDENTIFICATION_AUTH_FAILURE',
+  OWASP_A8_SOFTWARE_DATA_INTEGRITY_FAILURE = 'OWASP_A8_SOFTWARE_DATA_INTEGRITY_FAILURE',
+  OWASP_A9_LOGGING_MONITORING_FAILURES = 'OWASP_A9_LOGGING_MONITORING_FAILURES',
+  OWASP_A10_SSRF = 'OWASP_A10_SSRF',
+
+  // --- HIPAA (ComplianceId: 2) ---
+  HIPAA_164_105_PROTECT_PRIVATE_HEALTH_INFO = 'HIPAA_164_105_PROTECT_PRIVATE_HEALTH_INFO',
+  HIPAA_164_306_A_1_KEEP_INFO_SAFE = 'HIPAA_164_306_A_1_KEEP_INFO_SAFE',
+  HIPAA_164_306_A_2_PROTECT_AGAINST_THREATS = 'HIPAA_164_306_A_2_PROTECT_AGAINST_THREATS',
+  HIPAA_164_306_A_3_STOP_UNAUTHORIZED_ACCESS = 'HIPAA_164_306_A_3_STOP_UNAUTHORIZED_ACCESS',
+  HIPAA_164_308_A_1_I_PREVENT_FIX_PROBLEMS = 'HIPAA_164_308_A_1_I_PREVENT_FIX_PROBLEMS',
+  HIPAA_164_308_A_1_II_B_LOWER_SECURITY_RISKS = 'HIPAA_164_308_A_1_II_B_LOWER_SECURITY_RISKS',
+  HIPAA_164_308_A_5_II_B_BLOCK_MALWARE = 'HIPAA_164_308_A_5_II_B_BLOCK_MALWARE',
+  HIPAA_164_308_A_5_II_C_WATCH_LOGINS = 'HIPAA_164_308_A_5_II_C_WATCH_LOGINS',
+  HIPAA_164_308_A_5_II_D_PROTECT_PASSWORDS = 'HIPAA_164_308_A_5_II_D_PROTECT_PASSWORDS',
+  HIPAA_164_308_A_7_I_PLAN_EMERGENCIES = 'HIPAA_164_308_A_7_I_PLAN_EMERGENCIES',
+  HIPAA_164_312_A_1_CONTROL_ACCESS = 'HIPAA_164_312_A_1_CONTROL_ACCESS',
+  HIPAA_164_312_C_1_PREVENT_CHANGES = 'HIPAA_164_312_C_1_PREVENT_CHANGES',
+  HIPAA_164_312_D_VERIFY_IDENTITY = 'HIPAA_164_312_D_VERIFY_IDENTITY',
+  HIPAA_164_312_E_1_PROTECT_ONLINE_INFO = 'HIPAA_164_312_E_1_PROTECT_ONLINE_INFO',
+  HIPAA_164_312_E_2_I_PREVENT_UNAUTHORIZED_CHANGES = 'HIPAA_164_312_E_2_I_PREVENT_UNAUTHORIZED_CHANGES',
+  HIPAA_164_312_E_2_II_USE_ENCRYPTION = 'HIPAA_164_312_E_2_II_USE_ENCRYPTION',
+  HIPAA_164_530_C_2_I_KEEP_INFO_SHARED = 'HIPAA_164_530_C_2_I_KEEP_INFO_SHARED',
+  
+  // --- GDPR (ComplianceId: 3) ---
+  GDPR_A_10_1_1_DOCUMENTED_OPERATING_PROCEDURES = 'GDPR_A_10_1_1_DOCUMENTED_OPERATING_PROCEDURES',
+  GDPR_A_10_1_2_CHANGE_MANAGEMENT = 'GDPR_A_10_1_2_CHANGE_MANAGEMENT',
+  GDPR_A_10_1_3_SEGREGATION_OF_DUTIES = 'GDPR_A_10_1_3_SEGREGATION_OF_DUTIES',
+  GDPR_A_10_1_4_SEPARATION_DEV_TEST_OPS = 'GDPR_A_10_1_4_SEPARATION_DEV_TEST_OPS',
+  GDPR_A_10_2_1_SERVICE_DELIVERY = 'GDPR_A_10_2_1_SERVICE_DELIVERY',
+  GDPR_A_10_2_2_MONITORING_THIRD_PARTY_SERVICES = 'GDPR_A_10_2_2_MONITORING_THIRD_PARTY_SERVICES',
+  GDPR_A_10_2_3_MANAGING_CHANGES_THIRD_PARTY = 'GDPR_A_10_2_3_MANAGING_CHANGES_THIRD_PARTY',
+  GDPR_A_10_3_1_CAPACITY_MANAGEMENT = 'GDPR_A_10_3_1_CAPACITY_MANAGEMENT',
+  GDPR_A_10_3_2_SYSTEM_ACCEPTANCE = 'GDPR_A_10_3_2_SYSTEM_ACCEPTANCE',
+  GDPR_A_10_4_1_CONTROLS_AGAINST_MALICIOUS_CODE = 'GDPR_A_10_4_1_CONTROLS_AGAINST_MALICIOUS_CODE',
+  GDPR_A_10_4_2_CONTROLS_AGAINST_MOBILE_CODE = 'GDPR_A_10_4_2_CONTROLS_AGAINST_MOBILE_CODE',
+  GDPR_A_10_5_1_INFORMATION_BACK_UP = 'GDPR_A_10_5_1_INFORMATION_BACK_UP',
+  GDPR_A_10_6_1_NETWORK_CONTROLS = 'GDPR_A_10_6_1_NETWORK_CONTROLS',
+  GDPR_A_10_6_2_SECURITY_OF_NETWORK_SERVICES = 'GDPR_A_10_6_2_SECURITY_OF_NETWORK_SERVICES',
+  GDPR_A_10_7_1_MANAGEMENT_REMOVABLE_MEDIA = 'GDPR_A_10_7_1_MANAGEMENT_REMOVABLE_MEDIA',
+  GDPR_A_10_7_2_DISPOSAL_OF_MEDIA = 'GDPR_A_10_7_2_DISPOSAL_OF_MEDIA',
+  GDPR_A_10_7_3_INFORMATION_HANDLING_PROCEDURES = 'GDPR_A_10_7_3_INFORMATION_HANDLING_PROCEDURES',
+  GDPR_A_10_7_4_SECURITY_SYSTEM_DOCUMENTATION = 'GDPR_A_10_7_4_SECURITY_SYSTEM_DOCUMENTATION',
+  GDPR_A_10_8_1_INFO_EXCHANGE_POLICIES = 'GDPR_A_10_8_1_INFO_EXCHANGE_POLICIES',
+  GDPR_A_10_8_2_EXCHANGE_AGREEMENTS = 'GDPR_A_10_8_2_EXCHANGE_AGREEMENTS',
+  GDPR_A_10_8_3_PHYSICAL_MEDIA_IN_TRANSIT = 'GDPR_A_10_8_3_PHYSICAL_MEDIA_IN_TRANSIT',
+  GDPR_A_10_8_4_ELECTRONIC_MESSAGING = 'GDPR_A_10_8_4_ELECTRONIC_MESSAGING',
+  GDPR_A_10_8_5_BUSINESS_INFORMATION_SYSTEMS = 'GDPR_A_10_8_5_BUSINESS_INFORMATION_SYSTEMS',
+  GDPR_A_10_9_1_ELECTRONIC_COMMERCE = 'GDPR_A_10_9_1_ELECTRONIC_COMMERCE',
+  GDPR_A_10_9_2_ONLINE_TRANSACTIONS = 'GDPR_A_10_9_2_ONLINE_TRANSACTIONS',
+  GDPR_A_10_9_3_PUBLICLY_AVAILABLE = 'GDPR_A_10_9_3_PUBLICLY_AVAILABLE',
+  GDPR_A_10_10_1_AUDIT_LOGGING = 'GDPR_A_10_10_1_AUDIT_LOGGING',
+  GDPR_A_10_10_2_MONITORING_SYSTEM_USE = 'GDPR_A_10_10_2_MONITORING_SYSTEM_USE',
+  GDPR_A_10_10_3_PROTECTION_OF_LOG_INFORMATION = 'GDPR_A_10_10_3_PROTECTION_OF_LOG_INFORMATION',
+  GDPR_A_10_10_4_ADMINISTRATOR_OPERATOR_LOGS = 'GDPR_A_10_10_4_ADMINISTRATOR_OPERATOR_LOGS',
+  GDPR_A_10_10_5_FAULT_LOGGING = 'GDPR_A_10_10_5_FAULT_LOGGING',
+  GDPR_A_10_10_6_CLOCK_SYNCHRONIZATION = 'GDPR_A_10_10_6_CLOCK_SYNCHRONIZATION',
+  GDPR_A_11_1_1_ACCESS_CONTROL_POLICY = 'GDPR_A_11_1_1_ACCESS_CONTROL_POLICY',
+  GDPR_A_11_2_1_USER_REGISTRATION = 'GDPR_A_11_2_1_USER_REGISTRATION',
+  GDPR_A_11_2_2_PRIVILEGE_MANAGEMENT = 'GDPR_A_11_2_2_PRIVILEGE_MANAGEMENT',
+  GDPR_A_11_2_3_USER_PASSWORD_MANAGEMENT = 'GDPR_A_11_2_3_USER_PASSWORD_MANAGEMENT',
+  GDPR_A_11_2_4_REVIEW_USER_ACCESS_RIGHTS = 'GDPR_A_11_2_4_REVIEW_USER_ACCESS_RIGHTS',
+  GDPR_A_11_3_1_PASSWORD_USE = 'GDPR_A_11_3_1_PASSWORD_USE',
+  GDPR_A_11_3_2_UNATTENDED_USER_EQUIPMENT = 'GDPR_A_11_3_2_UNATTENDED_USER_EQUIPMENT',
+  GDPR_A_11_3_3_CLEAR_DESK_SCREEN_POLICY = 'GDPR_A_11_3_3_CLEAR_DESK_SCREEN_POLICY',
+  GDPR_A_11_4_1_POLICY_USE_NETWORK_SERVICES = 'GDPR_A_11_4_1_POLICY_USE_NETWORK_SERVICES',
+  GDPR_A_11_4_2_USER_AUTH_EXTERNAL_CONNECTIONS = 'GDPR_A_11_4_2_USER_AUTH_EXTERNAL_CONNECTIONS',
+  GDPR_A_11_4_3_EQUIPMENT_IDENTIFICATION = 'GDPR_A_11_4_3_EQUIPMENT_IDENTIFICATION',
+  GDPR_A_11_4_4_REMOTE_DIAGNOSTIC_PORT_PROTECTION = 'GDPR_A_11_4_4_REMOTE_DIAGNOSTIC_PORT_PROTECTION',
+  GDPR_A_11_4_5_SEGREGATION_IN_NETWORKS = 'GDPR_A_11_4_5_SEGREGATION_IN_NETWORKS',
+  GDPR_A_11_4_6_NETWORK_CONNECTION_CONTROL = 'GDPR_A_11_4_6_NETWORK_CONNECTION_CONTROL',
+  GDPR_A_11_4_7_NETWORK_ROUTING_CONTROL = 'GDPR_A_11_4_7_NETWORK_ROUTING_CONTROL',
+  GDPR_A_11_5_1_SECURE_LOG_ON = 'GDPR_A_11_5_1_SECURE_LOG_ON',
+  GDPR_A_11_5_2_USER_ID_AND_AUTH = 'GDPR_A_11_5_2_USER_ID_AND_AUTH',
+  GDPR_A_11_5_3_PASSWORD_MANAGEMENT_SYSTEM = 'GDPR_A_11_5_3_PASSWORD_MANAGEMENT_SYSTEM',
+  GDPR_A_11_5_4_USE_OF_SYSTEM_UTILITIES = 'GDPR_A_11_5_4_USE_OF_SYSTEM_UTILITIES',
+  GDPR_A_11_5_5_SESSION_TIMEOUT = 'GDPR_A_11_5_5_SESSION_TIMEOUT',
+  GDPR_A_11_5_6_LIMITATION_CONNECTION_TIME = 'GDPR_A_11_5_6_LIMITATION_CONNECTION_TIME',
+  GDPR_A_11_6_1_INFORMATION_ACCESS_RESTRICTION = 'GDPR_A_11_6_1_INFORMATION_ACCESS_RESTRICTION',
+  GDPR_A_11_6_2_SENSITIVE_SYSTEM_ISOLATION = 'GDPR_A_11_6_2_SENSITIVE_SYSTEM_ISOLATION',
+  GDPR_A_11_7_1_MOBILE_COMPUTING = 'GDPR_A_11_7_1_MOBILE_COMPUTING',
+  GDPR_A_11_7_2_TELEWORKING = 'GDPR_A_11_7_2_TELEWORKING',
+  GDPR_A_12_1_1_SECURITY_REQUIREMENTS_ANALYSIS = 'GDPR_A_12_1_1_SECURITY_REQUIREMENTS_ANALYSIS',
+  GDPR_A_12_2_1_INPUT_DATA_VALIDATION = 'GDPR_A_12_2_1_INPUT_DATA_VALIDATION',
+  GDPR_A_12_2_2_CONTROL_INTERNAL_PROCESSING = 'GDPR_A_12_2_2_CONTROL_INTERNAL_PROCESSING',
+  GDPR_A_12_2_3_MESSAGE_INTEGRITY = 'GDPR_A_12_2_3_MESSAGE_INTEGRITY',
+  GDPR_A_12_2_4_OUTPUT_DATA_VALIDATION = 'GDPR_A_12_2_4_OUTPUT_DATA_VALIDATION',
+  GDPR_A_12_3_1_POLICY_CRYPTOGRAPHIC_CONTROLS = 'GDPR_A_12_3_1_POLICY_CRYPTOGRAPHIC_CONTROLS',
+  GDPR_A_12_3_2_KEY_MANAGEMENT = 'GDPR_A_12_3_2_KEY_MANAGEMENT',
+  GDPR_A_12_4_1_CONTROL_OPERATIONAL_SOFTWARE = 'GDPR_A_12_4_1_CONTROL_OPERATIONAL_SOFTWARE',
+  GDPR_A_12_4_2_PROTECTION_SYSTEM_TEST_DATA = 'GDPR_A_12_4_2_PROTECTION_SYSTEM_TEST_DATA',
+  GDPR_A_12_4_3_ACCESS_CONTROL_SOURCE_CODE = 'GDPR_A_12_4_3_ACCESS_CONTROL_SOURCE_CODE',
+  GDPR_A_12_5_1_CHANGE_CONTROL_PROCEDURES = 'GDPR_A_12_5_1_CHANGE_CONTROL_PROCEDURES',
+  GDPR_A_12_5_2_TECHNICAL_REVIEW_APPS = 'GDPR_A_12_5_2_TECHNICAL_REVIEW_APPS',
+  GDPR_A_12_5_3_RESTRICTIONS_CHANGES_SOFTWARE = 'GDPR_A_12_5_3_RESTRICTIONS_CHANGES_SOFTWARE',
+  GDPR_A_12_5_4_INFORMATION_LEAKAGE = 'GDPR_A_12_5_4_INFORMATION_LEAKAGE',
+  GDPR_A_12_5_5_OUTSOURCED_SOFTWARE_DEV = 'GDPR_A_12_5_5_OUTSOURCED_SOFTWARE_DEV',
+  GDPR_A_12_6_1_CONTROL_TECHNICAL_VULNERABILITIES = 'GDPR_A_12_6_1_CONTROL_TECHNICAL_VULNERABILITIES',
+
+  // --- PCI DSS (ComplianceId: 4) ---
+  PCI_REQ_1_INSTALL_FIREWALL = 'PCI_REQ_1_INSTALL_FIREWALL',
+  PCI_REQ_2_1_CHANGE_DEFAULT_PASSWORDS = 'PCI_REQ_2_1_CHANGE_DEFAULT_PASSWORDS',
+  PCI_REQ_2_2_1_ONE_PRIMARY_FUNCTION = 'PCI_REQ_2_2_1_ONE_PRIMARY_FUNCTION',
+  PCI_REQ_2_2_2_ENABLE_NECESSARY_SERVICES = 'PCI_REQ_2_2_2_ENABLE_NECESSARY_SERVICES',
+  PCI_REQ_2_2_3_SECURE_INSECURE_SERVICES = 'PCI_REQ_2_2_3_SECURE_INSECURE_SERVICES',
+  PCI_REQ_2_2_4_CONFIGURE_SYSTEM_PARAMETERS = 'PCI_REQ_2_2_4_CONFIGURE_SYSTEM_PARAMETERS',
+  PCI_REQ_2_2_5_STRENGTHEN_INSECURE_SERVICES = 'PCI_REQ_2_2_5_STRENGTHEN_INSECURE_SERVICES',
+  PCI_REQ_2_3_ENCRYPT_NON_CONSOLE_ADMIN = 'PCI_REQ_2_3_ENCRYPT_NON_CONSOLE_ADMIN',
+  PCI_REQ_A_1_1_ISOLATE_PROCESSES_CDE = 'PCI_REQ_A_1_1_ISOLATE_PROCESSES_CDE',
+  PCI_REQ_A_1_2_RESTRICT_ENTITY_ACCESS = 'PCI_REQ_A_1_2_RESTRICT_ENTITY_ACCESS',
+  PCI_REQ_A_1_3_ENABLE_UNIQUE_LOGGING = 'PCI_REQ_A_1_3_ENABLE_UNIQUE_LOGGING',
+  PCI_REQ_A_1_4_ENABLE_FORENSIC_INVESTIGATION = 'PCI_REQ_A_1_4_ENABLE_FORENSIC_INVESTIGATION',
+  PCI_REQ_3_1_MINIMIZE_DATA_STORAGE = 'PCI_REQ_3_1_MINIMIZE_DATA_STORAGE',
+  PCI_REQ_3_2_1_NO_FULL_TRACK_DATA = 'PCI_REQ_3_2_1_NO_FULL_TRACK_DATA',
+  PCI_REQ_3_2_2_NO_CVV_STORAGE = 'PCI_REQ_3_2_2_NO_CVV_STORAGE',
+  PCI_REQ_3_2_3_NO_PIN_STORAGE = 'PCI_REQ_3_2_3_NO_PIN_STORAGE',
+  PCI_REQ_3_3_MASK_PAN = 'PCI_REQ_3_3_MASK_PAN',
+  PCI_REQ_3_4_RENDER_PAN_UNREADABLE = 'PCI_REQ_3_4_RENDER_PAN_UNREADABLE',
+  PCI_REQ_3_5_PROTECT_ENCRYPTION_KEYS = 'PCI_REQ_3_5_PROTECT_ENCRYPTION_KEYS',
+  PCI_REQ_3_6_KEY_MANAGEMENT_PROCESSES = 'PCI_REQ_3_6_KEY_MANAGEMENT_PROCESSES',
+  PCI_REQ_3_7_DOCUMENT_POLICIES_STORED_DATA = 'PCI_REQ_3_7_DOCUMENT_POLICIES_STORED_DATA',
+  PCI_REQ_4_1_STRONG_CRYPTO_TRANSMISSION = 'PCI_REQ_4_1_STRONG_CRYPTO_TRANSMISSION',
+  PCI_REQ_4_2_NO_UNPROTECTED_PAN_MESSAGING = 'PCI_REQ_4_2_NO_UNPROTECTED_PAN_MESSAGING',
+  PCI_REQ_4_3_ENCRYPTION_POLICIES_TRANSMISSION = 'PCI_REQ_4_3_ENCRYPTION_POLICIES_TRANSMISSION',
+  PCI_REQ_5_PROTECT_MALWARE_ANTIVIRUS = 'PCI_REQ_5_PROTECT_MALWARE_ANTIVIRUS',
+  PCI_REQ_6_1_IDENTIFY_RANK_VULNERABILITIES = 'PCI_REQ_6_1_IDENTIFY_RANK_VULNERABILITIES',
+  PCI_REQ_6_2_INSTALL_SECURITY_PATCHES = 'PCI_REQ_6_2_INSTALL_SECURITY_PATCHES',
+  PCI_REQ_6_3_1_SECURE_SOFTWARE_DEVELOPMENT = 'PCI_REQ_6_3_1_SECURE_SOFTWARE_DEVELOPMENT',
+  PCI_REQ_6_3_2_CODE_REVIEW = 'PCI_REQ_6_3_2_CODE_REVIEW',
+  PCI_REQ_6_4_1_SEPARATE_DEV_PROD = 'PCI_REQ_6_4_1_SEPARATE_DEV_PROD',
+  PCI_REQ_6_4_2_SEPARATION_OF_DUTIES = 'PCI_REQ_6_4_2_SEPARATION_OF_DUTIES',
+  PCI_REQ_6_4_3_NO_LIVE_DATA_TESTING = 'PCI_REQ_6_4_3_NO_LIVE_DATA_TESTING',
+  PCI_REQ_6_4_4_REMOVE_TEST_DATA = 'PCI_REQ_6_4_4_REMOVE_TEST_DATA',
+  PCI_REQ_6_5_1_PREVENT_INJECTION = 'PCI_REQ_6_5_1_PREVENT_INJECTION',
+  PCI_REQ_6_5_2_PREVENT_BUFFER_OVERFLOW = 'PCI_REQ_6_5_2_PREVENT_BUFFER_OVERFLOW',
+  PCI_REQ_6_5_3_SECURE_CRYPTOGRAPHIC_STORAGE = 'PCI_REQ_6_5_3_SECURE_CRYPTOGRAPHIC_STORAGE',
+  PCI_REQ_6_5_4_SECURE_COMM_CHANNELS = 'PCI_REQ_6_5_4_SECURE_COMM_CHANNELS',
+  PCI_REQ_6_5_5_PROPER_ERROR_HANDLING = 'PCI_REQ_6_5_5_PROPER_ERROR_HANDLING',
+  PCI_REQ_6_5_6_ADDRESS_HIGH_RISK_VULNS = 'PCI_REQ_6_5_6_ADDRESS_HIGH_RISK_VULNS',
+  PCI_REQ_6_5_7_PREVENT_XSS = 'PCI_REQ_6_5_7_PREVENT_XSS',
+  PCI_REQ_6_5_8_PREVENT_ACCESS_CONTROL_VULNS = 'PCI_REQ_6_5_8_PREVENT_ACCESS_CONTROL_VULNS',
+  PCI_REQ_6_5_9_PREVENT_CSRF = 'PCI_REQ_6_5_9_PREVENT_CSRF',
+  PCI_REQ_6_5_10_PREVENT_BROKEN_AUTH = 'PCI_REQ_6_5_10_PREVENT_BROKEN_AUTH',
+  PCI_REQ_6_6_PROTECT_PUBLIC_WEB_APPS = 'PCI_REQ_6_6_PROTECT_PUBLIC_WEB_APPS',
+  PCI_REQ_6_7_DOCUMENT_POLICIES_SECURE_SYSTEMS = 'PCI_REQ_6_7_DOCUMENT_POLICIES_SECURE_SYSTEMS',
+  PCI_REQ_7_RESTRICT_ACCESS_NEED_TO_KNOW = 'PCI_REQ_7_RESTRICT_ACCESS_NEED_TO_KNOW',
+  PCI_REQ_7_1_1_DEFINE_ROLE_BASED_ACCESS = 'PCI_REQ_7_1_1_DEFINE_ROLE_BASED_ACCESS',
+  PCI_REQ_7_1_2_RESTRICT_PRIVILEGED_USER = 'PCI_REQ_7_1_2_RESTRICT_PRIVILEGED_USER',
+  PCI_REQ_7_1_3_ASSIGN_ACCESS_BY_ROLE = 'PCI_REQ_7_1_3_ASSIGN_ACCESS_BY_ROLE',
+  PCI_REQ_7_1_4_DOCUMENTED_APPROVAL = 'PCI_REQ_7_1_4_DOCUMENTED_APPROVAL',
+  PCI_REQ_7_2_ACCESS_CONTROL_NEED_TO_KNOW = 'PCI_REQ_7_2_ACCESS_CONTROL_NEED_TO_KNOW',
+  PCI_REQ_7_3_DOCUMENT_POLICIES_CARDHOLDER_DATA = 'PCI_REQ_7_3_DOCUMENT_POLICIES_CARDHOLDER_DATA',
+  PCI_REQ_8_1_1_ASSIGN_UNIQUE_IDS = 'PCI_REQ_8_1_1_ASSIGN_UNIQUE_IDS',
+  PCI_REQ_8_1_2_CONTROL_USER_ID_MANAGEMENT = 'PCI_REQ_8_1_2_CONTROL_USER_ID_MANAGEMENT',
+  PCI_REQ_8_1_3_REVOKE_TERMINATED_USERS = 'PCI_REQ_8_1_3_REVOKE_TERMINATED_USERS',
+  PCI_REQ_8_1_4_REMOVE_INACTIVE_ACCOUNTS = 'PCI_REQ_8_1_4_REMOVE_INACTIVE_ACCOUNTS',
+  PCI_REQ_8_1_5_MANAGE_THIRD_PARTY_IDS = 'PCI_REQ_8_1_5_MANAGE_THIRD_PARTY_IDS',
+  PCI_REQ_8_1_6_LIMIT_REPEATED_ACCESS_ATTEMPTS = 'PCI_REQ_8_1_6_LIMIT_REPEATED_ACCESS_ATTEMPTS',
+  PCI_REQ_8_1_7_ACCOUNT_LOCKOUT_DURATION = 'PCI_REQ_8_1_7_ACCOUNT_LOCKOUT_DURATION',
+  PCI_REQ_8_1_8_SESSION_RE_AUTH_IDLE = 'PCI_REQ_8_1_8_SESSION_RE_AUTH_IDLE',
+  PCI_REQ_8_2_1_ENCRYPT_CREDENTIALS = 'PCI_REQ_8_2_1_ENCRYPT_CREDENTIALS',
+  PCI_REQ_8_2_2_VERIFY_IDENTITY_BEFORE_CHANGE = 'PCI_REQ_8_2_2_VERIFY_IDENTITY_BEFORE_CHANGE',
+  PCI_REQ_8_2_3_PASSWORD_STRENGTH = 'PCI_REQ_8_2_3_PASSWORD_STRENGTH',
+  PCI_REQ_8_2_4_PASSWORD_EXPIRATION = 'PCI_REQ_8_2_4_PASSWORD_EXPIRATION',
+  PCI_REQ_8_2_5_PASSWORD_REUSE = 'PCI_REQ_8_2_5_PASSWORD_REUSE',
+  PCI_REQ_8_2_6_UNIQUE_INITIAL_PASSWORD = 'PCI_REQ_8_2_6_UNIQUE_INITIAL_PASSWORD',
+  PCI_REQ_8_3_SECURE_REMOTE_ACCESS_MFA = 'PCI_REQ_8_3_SECURE_REMOTE_ACCESS_MFA',
+  PCI_REQ_8_4_DOCUMENT_AUTH_POLICIES = 'PCI_REQ_8_4_DOCUMENT_AUTH_POLICIES',
+  PCI_REQ_8_5_1_UNIQUE_CREDS_SERVICE_PROVIDERS = 'PCI_REQ_8_5_1_UNIQUE_CREDS_SERVICE_PROVIDERS',
+  PCI_REQ_8_6_AUTH_MECHANISMS_INDIVIDUAL = 'PCI_REQ_8_6_AUTH_MECHANISMS_INDIVIDUAL',
+  PCI_REQ_8_7_RESTRICT_DB_ACCESS = 'PCI_REQ_8_7_RESTRICT_DB_ACCESS',
+  PCI_REQ_8_8_DOCUMENT_AUTH_POLICIES_COMM = 'PCI_REQ_8_8_DOCUMENT_AUTH_POLICIES_COMM',
+  PCI_REQ_9_RESTRICT_PHYSICAL_ACCESS = 'PCI_REQ_9_RESTRICT_PHYSICAL_ACCESS',
+  PCI_REQ_10_4_SYNCHRONIZE_CLOCKS = 'PCI_REQ_10_4_SYNCHRONIZE_CLOCKS',
+  PCI_REQ_10_5_SECURE_AUDIT_TRAILS = 'PCI_REQ_10_5_SECURE_AUDIT_TRAILS',
+  PCI_REQ_10_6_REVIEW_LOGS = 'PCI_REQ_10_6_REVIEW_LOGS',
+  PCI_REQ_10_7_RETAIN_AUDIT_TRAIL = 'PCI_REQ_10_7_RETAIN_AUDIT_TRAIL',
+  PCI_REQ_10_9_DOCUMENT_ACCESS_MONITORING = 'PCI_REQ_10_9_DOCUMENT_ACCESS_MONITORING',
+  PCI_REQ_11_REGULAR_TESTING = 'PCI_REQ_11_REGULAR_TESTING',
+  PCI_REQ_12_INFO_SEC_POLICY = 'PCI_REQ_12_INFO_SEC_POLICY',
+
+  // --- SANS/CWE Top 25 (ComplianceId: 5) ---
+  SANS_TOP_25_CWE_79_XSS = 'SANS_TOP_25_CWE_79_XSS',
+  SANS_TOP_25_CWE_787_OOB_WRITE = 'SANS_TOP_25_CWE_787_OOB_WRITE',
+  SANS_TOP_25_CWE_89_SQLI = 'SANS_TOP_25_CWE_89_SQLI',
+  SANS_TOP_25_CWE_352_CSRF = 'SANS_TOP_25_CWE_352_CSRF',
+  SANS_TOP_25_CWE_22_PATH_TRAVERSAL = 'SANS_TOP_25_CWE_22_PATH_TRAVERSAL',
+  SANS_TOP_25_CWE_125_OOB_READ = 'SANS_TOP_25_CWE_125_OOB_READ',
+  SANS_TOP_25_CWE_78_OS_COMMAND_INJECTION = 'SANS_TOP_25_CWE_78_OS_COMMAND_INJECTION',
+  SANS_TOP_25_CWE_416_USE_AFTER_FREE = 'SANS_TOP_25_CWE_416_USE_AFTER_FREE',
+  SANS_TOP_25_CWE_862_MISSING_AUTHZ = 'SANS_TOP_25_CWE_862_MISSING_AUTHZ',
+  SANS_TOP_25_CWE_434_UNRESTRICTED_UPLOAD = 'SANS_TOP_25_CWE_434_UNRESTRICTED_UPLOAD',
+  SANS_TOP_25_CWE_94_CODE_INJECTION = 'SANS_TOP_25_CWE_94_CODE_INJECTION',
+  SANS_TOP_25_CWE_20_INPUT_VALIDATION = 'SANS_TOP_25_CWE_20_INPUT_VALIDATION',
+  SANS_TOP_25_CWE_77_COMMAND_INJECTION = 'SANS_TOP_25_CWE_77_COMMAND_INJECTION',
+  SANS_TOP_25_CWE_287_IMPROPER_AUTH = 'SANS_TOP_25_CWE_287_IMPROPER_AUTH',
+  SANS_TOP_25_CWE_269_PRIVILEGE_MGMT = 'SANS_TOP_25_CWE_269_PRIVILEGE_MGMT',
+  SANS_TOP_25_CWE_502_UNTRUSTED_DESER = 'SANS_TOP_25_CWE_502_UNTRUSTED_DESER',
+  SANS_TOP_25_CWE_200_INFO_EXPOSURE = 'SANS_TOP_25_CWE_200_INFO_EXPOSURE',
+  SANS_TOP_25_CWE_863_INCORRECT_AUTHZ = 'SANS_TOP_25_CWE_863_INCORRECT_AUTHZ',
+  SANS_TOP_25_CWE_918_SSRF = 'SANS_TOP_25_CWE_918_SSRF',
+  SANS_TOP_25_CWE_119_MEMORY_BOUNDS = 'SANS_TOP_25_CWE_119_MEMORY_BOUNDS',
+  SANS_TOP_25_CWE_476_NULL_DEREF = 'SANS_TOP_25_CWE_476_NULL_DEREF',
+  SANS_TOP_25_CWE_798_HARDCODED_CREDS = 'SANS_TOP_25_CWE_798_HARDCODED_CREDS',
+  SANS_TOP_25_CWE_190_INTEGER_OVERFLOW = 'SANS_TOP_25_CWE_190_INTEGER_OVERFLOW',
+  SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION = 'SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION',
+  SANS_TOP_25_CWE_306_MISSING_AUTH = 'SANS_TOP_25_CWE_306_MISSING_AUTH',
+}

package/src/compliances/README.md

@@ -0,0 +1,82 @@
+# Compliance Mappings
+
+This directory maps compliance rules to vulnerability IDs from the registry.
+Mappings now reference the current registry IDs (see `agents/shared/vulnerability-registry/src/id-registry.json`),
+and are derived from code groups in `helpers.ts` to keep them consistent as IDs change.
+
+## Mapping Approach (Why These Vulnerabilities Apply)
+
+The groups below are used to connect compliance rules to relevant vulnerabilities:
+
+- Authentication: all `authentication` category items (JWT, BAC, mass assignment).
+- Injection: all `injection` category items (SQLi, CMDi, SSTI, XXE, LFI, XPath).
+- XSS: all `xss` category items.
+- SSRF: all `ssrf` category items.
+- Configuration: all `configuration` category items (headers, cookies, dirbrowse, deserialization).
+- Information disclosure: all `information_disclosure` category items (sensitive paths).
+- Access control: `BAC_*` + `MASSASSIGN_*` + `DIRBROWSE_*`.
+- Cryptographic / transport: `JWT_*` + HSTS-related header issues + cookie Secure issues.
+- Session/Auth cookies: `COOKIE_*`.
+- Deserialization: `DESER_*`.
+
+These align each rule to the most relevant technical findings the scanners can produce.
+
+## Rule Mapping Summary
+
+### OWASP Top 10
+- A1 Broken Access Control: access control issues + directory browsing.
+- A2 Cryptographic Failures: JWT crypto issues + HSTS + Secure-cookie issues.
+- A3 Injection Flaws: injection + XSS.
+- A4 Insecure Design: no direct scanner evidence (empty).
+- A5 Security Misconfiguration: configuration + information disclosure.
+- A6 Vulnerable/Outdated Components: no direct scanner evidence (empty).
+- A7 Identification/Auth Failures: authentication + cookie issues.
+- A8 Software/Data Integrity Failures: deserialization issues.
+- A9 Logging/Monitoring Failures: no direct scanner evidence (empty).
+- A10 SSRF: SSRF category.
+
+### SANS/CWE Top 25 (Latest)
+- Uses the latest CWE Top 25 (2024) titles with CWE IDs.
+- Each entry maps to the closest registry category or code prefix (e.g., CWE-79 → XSS, CWE-89 → SQLi, CWE-918 → SSRF).
+- Items that are not detectable by current scanners are left empty and marked not applicable.
+
+### HIPAA
+- 164.105 Protect PHI: all app-sec findings (auth, injection, XSS, SSRF, config, disclosure).
+- 164.306(a)(1)/(a)(2): all app-sec findings.
+- 164.306(a)(3): access control + disclosure.
+- 164.308(a)(1)(i)/(ii)(B): all app-sec findings.
+- 164.308(a)(5)(ii)(D): authentication + cookie issues.
+- 164.312(a)(1): access control + disclosure.
+- 164.312(d): authentication + cookie issues.
+- 164.312(e)(1)/(e)(2)(ii): cryptographic / transport issues.
+- 164.312(e)(2)(i): injection + XSS (integrity).
+- 164.530(c)(2)(i): disclosure + access control.
+- Other HIPAA rules without direct scanner evidence remain empty.
+
+### GDPR (ISO 27001-style controls)
+- System acceptance, technical vulnerability control: all app-sec findings.
+- Input/output validation: injection + XSS (+ SSRF for input validation).
+- Cryptographic controls / key management: cryptographic / transport issues.
+- Access restriction / password controls: authentication + cookie issues.
+- Information leakage: configuration + information disclosure.
+- Process-only controls (change management, segregation of duties, etc.) remain empty.
+
+### PCI DSS
+- 2.x configuration controls: configuration + disclosure (misconfiguration).
+- 2.3, 4.1, 6.5.3, 6.5.4: cryptographic / transport issues.
+- 3.1: information disclosure.
+- 6.1, 6.2, 6.5.6: all app-sec findings.
+- 6.5.1: injection + XSS.
+- 6.5.7: XSS.
+- 6.5.8, 7, 8.1.1: access control + authentication + cookie issues.
+- Rules without direct scanner evidence remain empty.
+
+## ID Changes (Removed/Added)
+
+- Removed: legacy ID lists that referenced non-existent IDs (e.g., 1–203, 1000+, 2000+),
+  which no longer exist in the current registry.
+- Added: current registry IDs in the 100–699 range, derived from the groups above.
+  Exact IDs are computed in the compliance files using `helpers.ts`.
+
+If a new vulnerability is added to the registry, it will be included automatically
+in any compliance mapping that references its category or code prefix.