guardrail-compliance 1.0.0

package/dist/frameworks/hipaa.js

@@ -0,0 +1,183 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HIPAA_FRAMEWORK = void 0;
+const fs_1 = require("fs");
+const path_1 = require("path");
+/**
+ * HIPAA (Health Insurance Portability and Accountability Act) Compliance Framework
+ */
+exports.HIPAA_FRAMEWORK = {
+    id: 'hipaa',
+    name: 'HIPAA Security Rule',
+    version: '2013',
+    description: 'Health Insurance Portability and Accountability Act',
+    controls: [
+        {
+            id: 'HIPAA-AC',
+            title: 'Access Controls',
+            description: 'Implement technical policies and procedures for electronic information systems',
+            category: 'access-control',
+            requirements: [
+                'Unique user identification',
+                'Emergency access procedure',
+                'Automatic logoff',
+                'Encryption and decryption'
+            ],
+            automatedChecks: [
+                {
+                    id: 'HIPAA-AC-001',
+                    description: 'Verify user authentication',
+                    check: async (projectPath) => {
+                        const packageJsonPath = (0, path_1.join)(projectPath, 'package.json');
+                        if ((0, fs_1.existsSync)(packageJsonPath)) {
+                            const packageJson = JSON.parse((0, fs_1.readFileSync)(packageJsonPath, 'utf-8'));
+                            const deps = { ...packageJson.dependencies, ...packageJson.devDependencies };
+                            const authLibs = ['passport', 'jsonwebtoken', 'jose', 'auth0', 'okta'];
+                            const hasAuth = Object.keys(deps).some(dep => authLibs.some(lib => dep.toLowerCase().includes(lib)));
+                            if (hasAuth) {
+                                return {
+                                    passed: true,
+                                    details: 'Authentication library found',
+                                    evidence: { libraries: Object.keys(deps).filter(d => authLibs.some(l => d.toLowerCase().includes(l))) }
+                                };
+                            }
+                        }
+                        return {
+                            passed: false,
+                            details: 'No authentication library found'
+                        };
+                    }
+                },
+                {
+                    id: 'HIPAA-AC-002',
+                    description: 'Check for session management',
+                    check: async (projectPath) => {
+                        const packageJsonPath = (0, path_1.join)(projectPath, 'package.json');
+                        if ((0, fs_1.existsSync)(packageJsonPath)) {
+                            const packageJson = JSON.parse((0, fs_1.readFileSync)(packageJsonPath, 'utf-8'));
+                            const deps = { ...packageJson.dependencies, ...packageJson.devDependencies };
+                            const sessionLibs = ['express-session', 'cookie-session', 'session'];
+                            const hasSession = Object.keys(deps).some(dep => sessionLibs.some(lib => dep.toLowerCase().includes(lib)));
+                            if (hasSession) {
+                                return {
+                                    passed: true,
+                                    details: 'Session management library found'
+                                };
+                            }
+                        }
+                        return {
+                            passed: false,
+                            details: 'No session management library found'
+                        };
+                    }
+                }
+            ]
+        },
+        {
+            id: 'HIPAA-AUDIT',
+            title: 'Audit Controls',
+            description: 'Implement hardware, software, and/or procedural mechanisms that record and examine activity',
+            category: 'logging',
+            requirements: [
+                'Record and examine system activity',
+                'Log access to ePHI',
+                'Maintain audit logs'
+            ],
+            automatedChecks: [
+                {
+                    id: 'HIPAA-AUDIT-001',
+                    description: 'Verify audit logging',
+                    check: async (projectPath) => {
+                        const packageJsonPath = (0, path_1.join)(projectPath, 'package.json');
+                        if ((0, fs_1.existsSync)(packageJsonPath)) {
+                            const packageJson = JSON.parse((0, fs_1.readFileSync)(packageJsonPath, 'utf-8'));
+                            const deps = { ...packageJson.dependencies, ...packageJson.devDependencies };
+                            const loggingLibs = ['winston', 'pino', 'bunyan', 'morgan'];
+                            const hasLogging = Object.keys(deps).some(dep => loggingLibs.some(lib => dep.toLowerCase().includes(lib)));
+                            if (hasLogging) {
+                                return {
+                                    passed: true,
+                                    details: 'Audit logging library found'
+                                };
+                            }
+                        }
+                        return {
+                            passed: false,
+                            details: 'No audit logging library found'
+                        };
+                    }
+                }
+            ]
+        },
+        {
+            id: 'HIPAA-INTEGRITY',
+            title: 'Integrity Controls',
+            description: 'Implement policies and procedures to protect ePHI from improper alteration or destruction',
+            category: 'data-protection',
+            requirements: [
+                'Mechanism to authenticate ePHI',
+                'Protect against unauthorized modification'
+            ],
+            automatedChecks: [
+                {
+                    id: 'HIPAA-INTEGRITY-001',
+                    description: 'Check for data validation',
+                    check: async (projectPath) => {
+                        const packageJsonPath = (0, path_1.join)(projectPath, 'package.json');
+                        if ((0, fs_1.existsSync)(packageJsonPath)) {
+                            const packageJson = JSON.parse((0, fs_1.readFileSync)(packageJsonPath, 'utf-8'));
+                            const deps = { ...packageJson.dependencies, ...packageJson.devDependencies };
+                            const validationLibs = ['zod', 'joi', 'yup', 'validator', 'ajv'];
+                            const hasValidation = Object.keys(deps).some(dep => validationLibs.some(lib => dep.toLowerCase().includes(lib)));
+                            if (hasValidation) {
+                                return {
+                                    passed: true,
+                                    details: 'Data validation library found'
+                                };
+                            }
+                        }
+                        return {
+                            passed: false,
+                            details: 'No data validation library found'
+                        };
+                    }
+                }
+            ]
+        },
+        {
+            id: 'HIPAA-TRANSMISSION',
+            title: 'Transmission Security',
+            description: 'Implement technical security measures to guard against unauthorized access to ePHI',
+            category: 'security',
+            requirements: [
+                'Integrity controls',
+                'Encryption during transmission'
+            ],
+            automatedChecks: [
+                {
+                    id: 'HIPAA-TRANSMISSION-001',
+                    description: 'Verify encryption in transit',
+                    check: async (projectPath) => {
+                        const packageJsonPath = (0, path_1.join)(projectPath, 'package.json');
+                        if ((0, fs_1.existsSync)(packageJsonPath)) {
+                            const packageJson = JSON.parse((0, fs_1.readFileSync)(packageJsonPath, 'utf-8'));
+                            const deps = { ...packageJson.dependencies, ...packageJson.devDependencies };
+                            const tlsLibs = ['https', 'tls', 'helmet'];
+                            const hasTLS = Object.keys(deps).some(dep => tlsLibs.some(lib => dep.toLowerCase().includes(lib)));
+                            if (hasTLS) {
+                                return {
+                                    passed: true,
+                                    details: 'TLS/HTTPS library found'
+                                };
+                            }
+                        }
+                        return {
+                            passed: false,
+                            details: 'No TLS/HTTPS library found'
+                        };
+                    }
+                }
+            ]
+        }
+    ]
+};

package/dist/frameworks/index.d.ts

@@ -0,0 +1,8 @@
+export * from './engine';
+export * from './soc2';
+export * from './gdpr';
+export * from './hipaa';
+export * from './pci';
+export { ISO27001Checker, iso27001Checker, ISO27001_CONTROLS, type ISO27001Control, type ISO27001Check, type ISO27001Category, type ISO27001Report, } from './iso27001';
+export { NISTChecker, nistChecker, NIST_CONTROLS, type NISTControl, type NISTCheck, type NISTFunction, type NISTReport, } from './nist';
+//# sourceMappingURL=index.d.ts.map

package/dist/frameworks/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/frameworks/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,cAAc,QAAQ,CAAC;AACvB,cAAc,QAAQ,CAAC;AACvB,cAAc,SAAS,CAAC;AACxB,cAAc,OAAO,CAAC;AACtB,OAAO,EACL,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,gBAAgB,EACrB,KAAK,cAAc,GACpB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,aAAa,EACb,KAAK,WAAW,EAChB,KAAK,SAAS,EACd,KAAK,YAAY,EACjB,KAAK,UAAU,GAChB,MAAM,QAAQ,CAAC"}

package/dist/frameworks/index.js

@@ -0,0 +1,30 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NIST_CONTROLS = exports.nistChecker = exports.NISTChecker = exports.ISO27001_CONTROLS = exports.iso27001Checker = exports.ISO27001Checker = void 0;
+__exportStar(require("./engine"), exports);
+__exportStar(require("./soc2"), exports);
+__exportStar(require("./gdpr"), exports);
+__exportStar(require("./hipaa"), exports);
+__exportStar(require("./pci"), exports);
+var iso27001_1 = require("./iso27001");
+Object.defineProperty(exports, "ISO27001Checker", { enumerable: true, get: function () { return iso27001_1.ISO27001Checker; } });
+Object.defineProperty(exports, "iso27001Checker", { enumerable: true, get: function () { return iso27001_1.iso27001Checker; } });
+Object.defineProperty(exports, "ISO27001_CONTROLS", { enumerable: true, get: function () { return iso27001_1.ISO27001_CONTROLS; } });
+var nist_1 = require("./nist");
+Object.defineProperty(exports, "NISTChecker", { enumerable: true, get: function () { return nist_1.NISTChecker; } });
+Object.defineProperty(exports, "nistChecker", { enumerable: true, get: function () { return nist_1.nistChecker; } });
+Object.defineProperty(exports, "NIST_CONTROLS", { enumerable: true, get: function () { return nist_1.NIST_CONTROLS; } });

package/dist/frameworks/iso27001.d.ts

@@ -0,0 +1,63 @@
+/**
+ * ISO 27001 Compliance Framework
+ *
+ * Information Security Management System (ISMS) controls
+ * Based on ISO/IEC 27001:2022
+ */
+export interface ISO27001Control {
+    id: string;
+    clause: string;
+    title: string;
+    description: string;
+    category: ISO27001Category;
+    checks: ISO27001Check[];
+}
+export interface ISO27001Check {
+    id: string;
+    description: string;
+    automated: boolean;
+    checkFunction?: (context: ComplianceContext) => Promise<CheckResult>;
+}
+export interface CheckResult {
+    passed: boolean;
+    findings: string[];
+    evidence: string[];
+    recommendations: string[];
+}
+export interface ComplianceContext {
+    projectPath: string;
+    codebase: any;
+    config: any;
+}
+export type ISO27001Category = 'organizational' | 'people' | 'physical' | 'technological';
+export declare const ISO27001_CONTROLS: ISO27001Control[];
+/**
+ * ISO 27001 Compliance Checker
+ */
+export declare class ISO27001Checker {
+    /**
+     * Run all ISO 27001 compliance checks
+     */
+    checkCompliance(context: ComplianceContext): Promise<ISO27001Report>;
+    /**
+     * Generate prioritized recommendations
+     */
+    private generateRecommendations;
+}
+export interface ControlResult {
+    control: ISO27001Control;
+    passed: boolean;
+    checkResults: CheckResult[];
+}
+export interface ISO27001Report {
+    framework: string;
+    timestamp: string;
+    score: number;
+    passedControls: number;
+    failedControls: number;
+    totalControls: number;
+    results: ControlResult[];
+    recommendations: string[];
+}
+export declare const iso27001Checker: ISO27001Checker;
+//# sourceMappingURL=iso27001.d.ts.map

package/dist/frameworks/iso27001.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"iso27001.d.ts","sourceRoot":"","sources":["../../src/frameworks/iso27001.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,MAAM,EAAE,aAAa,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,OAAO,CAAC;IACnB,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;CACtE;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,GAAG,CAAC;IACd,MAAM,EAAE,GAAG,CAAC;CACb;AAED,MAAM,MAAM,gBAAgB,GACxB,gBAAgB,GAChB,QAAQ,GACR,UAAU,GACV,eAAe,CAAC;AAEpB,eAAO,MAAM,iBAAiB,EAAE,eAAe,EA8P9C,CAAC;AAEF;;GAEG;AACH,qBAAa,eAAe;IAC1B;;OAEG;IACG,eAAe,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,cAAc,CAAC;IAwD1E;;OAEG;IACH,OAAO,CAAC,uBAAuB;CAahC;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,eAAe,CAAC;IACzB,MAAM,EAAE,OAAO,CAAC;IAChB,YAAY,EAAE,WAAW,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAGD,eAAO,MAAM,eAAe,iBAAwB,CAAC"}

package/dist/frameworks/iso27001.js

@@ -0,0 +1,331 @@
+"use strict";
+/**
+ * ISO 27001 Compliance Framework
+ *
+ * Information Security Management System (ISMS) controls
+ * Based on ISO/IEC 27001:2022
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.iso27001Checker = exports.ISO27001Checker = exports.ISO27001_CONTROLS = void 0;
+exports.ISO27001_CONTROLS = [
+    // A.5 - Organizational Controls
+    {
+        id: 'A.5.1',
+        clause: 'A.5.1',
+        title: 'Policies for information security',
+        description: 'Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.',
+        category: 'organizational',
+        checks: [
+            {
+                id: 'A.5.1.1',
+                description: 'Security policy documentation exists',
+                automated: true,
+                checkFunction: async (ctx) => {
+                    const policyFiles = ['SECURITY.md', 'security-policy.md', 'docs/security.md'];
+                    const found = policyFiles.some(f => ctx.codebase?.files?.includes(f));
+                    return {
+                        passed: found,
+                        findings: found ? [] : ['No security policy document found'],
+                        evidence: found ? ['Security policy document exists'] : [],
+                        recommendations: found ? [] : ['Create a SECURITY.md file documenting security policies'],
+                    };
+                },
+            },
+        ],
+    },
+    {
+        id: 'A.5.7',
+        clause: 'A.5.7',
+        title: 'Threat intelligence',
+        description: 'Information relating to information security threats shall be collected and analysed to produce threat intelligence.',
+        category: 'organizational',
+        checks: [
+            {
+                id: 'A.5.7.1',
+                description: 'Vulnerability scanning is configured',
+                automated: true,
+                checkFunction: async (ctx) => {
+                    const hasVulnScanning = ctx.config?.security?.vulnerabilityScanning !== false;
+                    return {
+                        passed: hasVulnScanning,
+                        findings: hasVulnScanning ? [] : ['Vulnerability scanning not configured'],
+                        evidence: hasVulnScanning ? ['Vulnerability scanning enabled'] : [],
+                        recommendations: hasVulnScanning ? [] : ['Enable automated vulnerability scanning'],
+                    };
+                },
+            },
+        ],
+    },
+    {
+        id: 'A.5.15',
+        clause: 'A.5.15',
+        title: 'Access control',
+        description: 'Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.',
+        category: 'organizational',
+        checks: [
+            {
+                id: 'A.5.15.1',
+                description: 'Authentication is implemented',
+                automated: true,
+                checkFunction: async (ctx) => {
+                    const authPatterns = ['authenticate', 'login', 'jwt', 'session', 'oauth'];
+                    const hasAuth = authPatterns.some(p => ctx.codebase?.content?.toLowerCase().includes(p));
+                    return {
+                        passed: hasAuth,
+                        findings: hasAuth ? [] : ['No authentication implementation detected'],
+                        evidence: hasAuth ? ['Authentication patterns found in codebase'] : [],
+                        recommendations: hasAuth ? [] : ['Implement user authentication'],
+                    };
+                },
+            },
+        ],
+    },
+    // A.8 - Technological Controls
+    {
+        id: 'A.8.3',
+        clause: 'A.8.3',
+        title: 'Information access restriction',
+        description: 'Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.',
+        category: 'technological',
+        checks: [
+            {
+                id: 'A.8.3.1',
+                description: 'Role-based access control implemented',
+                automated: true,
+                checkFunction: async (ctx) => {
+                    const rbacPatterns = ['role', 'permission', 'authorize', 'acl', 'rbac'];
+                    const hasRBAC = rbacPatterns.some(p => ctx.codebase?.content?.toLowerCase().includes(p));
+                    return {
+                        passed: hasRBAC,
+                        findings: hasRBAC ? [] : ['No RBAC implementation detected'],
+                        evidence: hasRBAC ? ['RBAC patterns found'] : [],
+                        recommendations: hasRBAC ? [] : ['Implement role-based access control'],
+                    };
+                },
+            },
+        ],
+    },
+    {
+        id: 'A.8.4',
+        clause: 'A.8.4',
+        title: 'Access to source code',
+        description: 'Read and write access to source code, development tools and software libraries shall be appropriately managed.',
+        category: 'technological',
+        checks: [
+            {
+                id: 'A.8.4.1',
+                description: 'Branch protection is configured',
+                automated: true,
+                checkFunction: async (ctx) => {
+                    const hasBranchProtection = ctx.config?.git?.branchProtection !== false;
+                    return {
+                        passed: hasBranchProtection,
+                        findings: hasBranchProtection ? [] : ['Branch protection not configured'],
+                        evidence: hasBranchProtection ? ['Branch protection enabled'] : [],
+                        recommendations: hasBranchProtection ? [] : ['Enable branch protection on main branches'],
+                    };
+                },
+            },
+        ],
+    },
+    {
+        id: 'A.8.9',
+        clause: 'A.8.9',
+        title: 'Configuration management',
+        description: 'Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.',
+        category: 'technological',
+        checks: [
+            {
+                id: 'A.8.9.1',
+                description: 'Environment configuration is documented',
+                automated: true,
+                checkFunction: async (ctx) => {
+                    const configFiles = ['.env.example', 'config/README.md', 'docs/configuration.md'];
+                    const hasConfig = configFiles.some(f => ctx.codebase?.files?.includes(f));
+                    return {
+                        passed: hasConfig,
+                        findings: hasConfig ? [] : ['Configuration documentation missing'],
+                        evidence: hasConfig ? ['Configuration documentation exists'] : [],
+                        recommendations: hasConfig ? [] : ['Create .env.example and configuration documentation'],
+                    };
+                },
+            },
+        ],
+    },
+    {
+        id: 'A.8.12',
+        clause: 'A.8.12',
+        title: 'Data leakage prevention',
+        description: 'Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.',
+        category: 'technological',
+        checks: [
+            {
+                id: 'A.8.12.1',
+                description: 'No hardcoded secrets in codebase',
+                automated: true,
+                checkFunction: async (ctx) => {
+                    const secretPatterns = [
+                        /api[_-]?key\s*=\s*['"][^'"]+['"]/i,
+                        /password\s*=\s*['"][^'"]+['"]/i,
+                        /secret\s*=\s*['"][^'"]+['"]/i,
+                    ];
+                    const hasSecrets = secretPatterns.some(p => p.test(ctx.codebase?.content || ''));
+                    return {
+                        passed: !hasSecrets,
+                        findings: hasSecrets ? ['Potential hardcoded secrets detected'] : [],
+                        evidence: !hasSecrets ? ['No hardcoded secrets found'] : [],
+                        recommendations: hasSecrets ? ['Remove hardcoded secrets and use environment variables'] : [],
+                    };
+                },
+            },
+        ],
+    },
+    {
+        id: 'A.8.24',
+        clause: 'A.8.24',
+        title: 'Use of cryptography',
+        description: 'Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.',
+        category: 'technological',
+        checks: [
+            {
+                id: 'A.8.24.1',
+                description: 'Secure cryptographic algorithms used',
+                automated: true,
+                checkFunction: async (ctx) => {
+                    const weakAlgorithms = ['md5', 'sha1', 'des', 'rc4'];
+                    const usesWeak = weakAlgorithms.some(a => ctx.codebase?.content?.toLowerCase().includes(a));
+                    return {
+                        passed: !usesWeak,
+                        findings: usesWeak ? ['Weak cryptographic algorithms detected'] : [],
+                        evidence: !usesWeak ? ['No weak algorithms found'] : [],
+                        recommendations: usesWeak ? ['Replace MD5/SHA1 with SHA-256 or stronger'] : [],
+                    };
+                },
+            },
+        ],
+    },
+    {
+        id: 'A.8.25',
+        clause: 'A.8.25',
+        title: 'Secure development life cycle',
+        description: 'Rules for the secure development of software and systems shall be established and applied.',
+        category: 'technological',
+        checks: [
+            {
+                id: 'A.8.25.1',
+                description: 'Security testing is automated',
+                automated: true,
+                checkFunction: async (ctx) => {
+                    const ciFiles = ['.github/workflows', '.gitlab-ci.yml', 'Jenkinsfile'];
+                    const hasCI = ciFiles.some(f => ctx.codebase?.files?.includes(f));
+                    return {
+                        passed: hasCI,
+                        findings: hasCI ? [] : ['No CI/CD security testing detected'],
+                        evidence: hasCI ? ['CI/CD configuration found'] : [],
+                        recommendations: hasCI ? [] : ['Set up automated security testing in CI/CD'],
+                    };
+                },
+            },
+        ],
+    },
+    {
+        id: 'A.8.28',
+        clause: 'A.8.28',
+        title: 'Secure coding',
+        description: 'Secure coding principles shall be applied to software development.',
+        category: 'technological',
+        checks: [
+            {
+                id: 'A.8.28.1',
+                description: 'Input validation is implemented',
+                automated: true,
+                checkFunction: async (ctx) => {
+                    const validationPatterns = ['validate', 'sanitize', 'escape', 'zod', 'yup', 'joi'];
+                    const hasValidation = validationPatterns.some(p => ctx.codebase?.content?.toLowerCase().includes(p));
+                    return {
+                        passed: hasValidation,
+                        findings: hasValidation ? [] : ['No input validation detected'],
+                        evidence: hasValidation ? ['Input validation patterns found'] : [],
+                        recommendations: hasValidation ? [] : ['Implement input validation using Zod, Yup, or similar'],
+                    };
+                },
+            },
+        ],
+    },
+];
+/**
+ * ISO 27001 Compliance Checker
+ */
+class ISO27001Checker {
+    /**
+     * Run all ISO 27001 compliance checks
+     */
+    async checkCompliance(context) {
+        const results = [];
+        let passedControls = 0;
+        let failedControls = 0;
+        for (const control of exports.ISO27001_CONTROLS) {
+            const controlResults = [];
+            let controlPassed = true;
+            for (const check of control.checks) {
+                if (check.automated && check.checkFunction) {
+                    try {
+                        const result = await check.checkFunction(context);
+                        controlResults.push(result);
+                        if (!result.passed) {
+                            controlPassed = false;
+                        }
+                    }
+                    catch (error) {
+                        controlResults.push({
+                            passed: false,
+                            findings: [`Check failed: ${error}`],
+                            evidence: [],
+                            recommendations: ['Review and fix the check implementation'],
+                        });
+                        controlPassed = false;
+                    }
+                }
+            }
+            if (controlPassed) {
+                passedControls++;
+            }
+            else {
+                failedControls++;
+            }
+            results.push({
+                control,
+                passed: controlPassed,
+                checkResults: controlResults,
+            });
+        }
+        const score = Math.round((passedControls / (passedControls + failedControls)) * 100);
+        return {
+            framework: 'ISO 27001:2022',
+            timestamp: new Date().toISOString(),
+            score,
+            passedControls,
+            failedControls,
+            totalControls: passedControls + failedControls,
+            results,
+            recommendations: this.generateRecommendations(results),
+        };
+    }
+    /**
+     * Generate prioritized recommendations
+     */
+    generateRecommendations(results) {
+        const recommendations = [];
+        for (const result of results) {
+            if (!result.passed) {
+                for (const checkResult of result.checkResults) {
+                    recommendations.push(...checkResult.recommendations);
+                }
+            }
+        }
+        return [...new Set(recommendations)];
+    }
+}
+exports.ISO27001Checker = ISO27001Checker;
+// Export singleton
+exports.iso27001Checker = new ISO27001Checker();