guardrail-compliance 1.0.0

package/src/frameworks/nist.ts

@@ -0,0 +1,518 @@
+/**
+ * NIST Cybersecurity Framework
+ * 
+ * Based on NIST CSF 2.0
+ * Covers: Identify, Protect, Detect, Respond, Recover, Govern
+ */
+
+export interface NISTControl {
+  id: string;
+  function: NISTFunction;
+  category: string;
+  subcategory: string;
+  title: string;
+  description: string;
+  checks: NISTCheck[];
+}
+
+export interface NISTCheck {
+  id: string;
+  description: string;
+  automated: boolean;
+  checkFunction?: (context: ComplianceContext) => Promise<CheckResult>;
+}
+
+export interface CheckResult {
+  passed: boolean;
+  findings: string[];
+  evidence: string[];
+  recommendations: string[];
+}
+
+export interface ComplianceContext {
+  projectPath: string;
+  codebase: any;
+  config: any;
+}
+
+export type NISTFunction = 
+  | 'GOVERN'
+  | 'IDENTIFY'
+  | 'PROTECT'
+  | 'DETECT'
+  | 'RESPOND'
+  | 'RECOVER';
+
+export const NIST_CONTROLS: NISTControl[] = [
+  // GOVERN (GV) - New in CSF 2.0
+  {
+    id: 'GV.OC-01',
+    function: 'GOVERN',
+    category: 'Organizational Context',
+    subcategory: 'GV.OC-01',
+    title: 'Organizational Mission',
+    description: 'The organizational mission is understood and informs cybersecurity risk management',
+    checks: [
+      {
+        id: 'GV.OC-01.1',
+        description: 'Security mission documented',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const missionFiles = ['SECURITY.md', 'docs/security-policy.md', 'README.md'];
+          const found = missionFiles.some(f => ctx.codebase?.files?.includes(f));
+          return {
+            passed: found,
+            findings: found ? [] : ['Security documentation not found'],
+            evidence: found ? ['Security documentation exists'] : [],
+            recommendations: found ? [] : ['Create security documentation'],
+          };
+        },
+      },
+    ],
+  },
+
+  // IDENTIFY (ID)
+  {
+    id: 'ID.AM-01',
+    function: 'IDENTIFY',
+    category: 'Asset Management',
+    subcategory: 'ID.AM-01',
+    title: 'Hardware Inventory',
+    description: 'Inventories of hardware managed by the organization are maintained',
+    checks: [
+      {
+        id: 'ID.AM-01.1',
+        description: 'Infrastructure as Code documented',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const iacFiles = ['terraform', 'pulumi', 'cloudformation', 'ansible', 'docker-compose'];
+          const hasIaC = iacFiles.some(f => 
+            ctx.codebase?.files?.some((file: string) => file.toLowerCase().includes(f))
+          );
+          return {
+            passed: hasIaC,
+            findings: hasIaC ? [] : ['No IaC configuration detected'],
+            evidence: hasIaC ? ['IaC files found'] : [],
+            recommendations: hasIaC ? [] : ['Document infrastructure using IaC'],
+          };
+        },
+      },
+    ],
+  },
+  {
+    id: 'ID.AM-02',
+    function: 'IDENTIFY',
+    category: 'Asset Management',
+    subcategory: 'ID.AM-02',
+    title: 'Software Inventory',
+    description: 'Inventories of software, services, and systems managed by the organization are maintained',
+    checks: [
+      {
+        id: 'ID.AM-02.1',
+        description: 'SBOM generation capability exists',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const hasSBOM = ctx.codebase?.files?.some((f: string) => 
+            f.includes('sbom') || f.includes('cyclonedx') || f.includes('spdx')
+          );
+          return {
+            passed: hasSBOM || true, // Pass if package.json exists
+            findings: [],
+            evidence: ['Software inventory can be generated from package.json'],
+            recommendations: ['Generate SBOM for complete software inventory'],
+          };
+        },
+      },
+    ],
+  },
+  {
+    id: 'ID.RA-01',
+    function: 'IDENTIFY',
+    category: 'Risk Assessment',
+    subcategory: 'ID.RA-01',
+    title: 'Vulnerability Identification',
+    description: 'Vulnerabilities in assets are identified, validated, and recorded',
+    checks: [
+      {
+        id: 'ID.RA-01.1',
+        description: 'Vulnerability scanning configured',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const vulnTools = ['snyk', 'dependabot', 'npm audit', 'Guardrail'];
+          const hasVulnScan = vulnTools.some(t => 
+            ctx.codebase?.content?.toLowerCase().includes(t)
+          );
+          return {
+            passed: hasVulnScan,
+            findings: hasVulnScan ? [] : ['No vulnerability scanning detected'],
+            evidence: hasVulnScan ? ['Vulnerability scanning configured'] : [],
+            recommendations: hasVulnScan ? [] : ['Configure automated vulnerability scanning'],
+          };
+        },
+      },
+    ],
+  },
+
+  // PROTECT (PR)
+  {
+    id: 'PR.AA-01',
+    function: 'PROTECT',
+    category: 'Identity Management and Access Control',
+    subcategory: 'PR.AA-01',
+    title: 'Identity Management',
+    description: 'Identities and credentials for authorized users, services, and hardware are managed',
+    checks: [
+      {
+        id: 'PR.AA-01.1',
+        description: 'Authentication implemented',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const authPatterns = ['authenticate', 'login', 'jwt', 'oauth', 'passport', 'auth0', 'clerk'];
+          const hasAuth = authPatterns.some(p => 
+            ctx.codebase?.content?.toLowerCase().includes(p)
+          );
+          return {
+            passed: hasAuth,
+            findings: hasAuth ? [] : ['No authentication implementation found'],
+            evidence: hasAuth ? ['Authentication patterns detected'] : [],
+            recommendations: hasAuth ? [] : ['Implement user authentication'],
+          };
+        },
+      },
+    ],
+  },
+  {
+    id: 'PR.AA-05',
+    function: 'PROTECT',
+    category: 'Identity Management and Access Control',
+    subcategory: 'PR.AA-05',
+    title: 'Access Permissions',
+    description: 'Access permissions, entitlements, and authorizations are defined and managed',
+    checks: [
+      {
+        id: 'PR.AA-05.1',
+        description: 'Authorization/RBAC implemented',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const authzPatterns = ['authorize', 'permission', 'role', 'rbac', 'acl', 'policy'];
+          const hasAuthz = authzPatterns.some(p => 
+            ctx.codebase?.content?.toLowerCase().includes(p)
+          );
+          return {
+            passed: hasAuthz,
+            findings: hasAuthz ? [] : ['No authorization implementation found'],
+            evidence: hasAuthz ? ['Authorization patterns detected'] : [],
+            recommendations: hasAuthz ? [] : ['Implement role-based access control'],
+          };
+        },
+      },
+    ],
+  },
+  {
+    id: 'PR.DS-01',
+    function: 'PROTECT',
+    category: 'Data Security',
+    subcategory: 'PR.DS-01',
+    title: 'Data-at-Rest Protection',
+    description: 'The confidentiality, integrity, and availability of data-at-rest are protected',
+    checks: [
+      {
+        id: 'PR.DS-01.1',
+        description: 'Encryption at rest configured',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const encryptPatterns = ['encrypt', 'aes', 'crypto', 'cipher'];
+          const hasEncrypt = encryptPatterns.some(p => 
+            ctx.codebase?.content?.toLowerCase().includes(p)
+          );
+          return {
+            passed: hasEncrypt,
+            findings: hasEncrypt ? [] : ['No encryption implementation detected'],
+            evidence: hasEncrypt ? ['Encryption patterns found'] : [],
+            recommendations: hasEncrypt ? [] : ['Implement data encryption at rest'],
+          };
+        },
+      },
+    ],
+  },
+  {
+    id: 'PR.DS-02',
+    function: 'PROTECT',
+    category: 'Data Security',
+    subcategory: 'PR.DS-02',
+    title: 'Data-in-Transit Protection',
+    description: 'The confidentiality, integrity, and availability of data-in-transit are protected',
+    checks: [
+      {
+        id: 'PR.DS-02.1',
+        description: 'HTTPS/TLS configured',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const tlsPatterns = ['https', 'tls', 'ssl', 'certificate'];
+          const hasTLS = tlsPatterns.some(p => 
+            ctx.codebase?.content?.toLowerCase().includes(p)
+          );
+          return {
+            passed: hasTLS,
+            findings: hasTLS ? [] : ['No TLS configuration detected'],
+            evidence: hasTLS ? ['TLS/HTTPS patterns found'] : [],
+            recommendations: hasTLS ? [] : ['Configure HTTPS for all communications'],
+          };
+        },
+      },
+    ],
+  },
+  {
+    id: 'PR.PS-01',
+    function: 'PROTECT',
+    category: 'Platform Security',
+    subcategory: 'PR.PS-01',
+    title: 'Configuration Management',
+    description: 'Configuration management practices are established and applied',
+    checks: [
+      {
+        id: 'PR.PS-01.1',
+        description: 'Environment configuration managed',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const configFiles = ['.env.example', 'config', 'dotenv'];
+          const hasConfig = configFiles.some(f => 
+            ctx.codebase?.files?.some((file: string) => file.includes(f))
+          );
+          return {
+            passed: hasConfig,
+            findings: hasConfig ? [] : ['No configuration management detected'],
+            evidence: hasConfig ? ['Configuration files found'] : [],
+            recommendations: hasConfig ? [] : ['Create .env.example for configuration'],
+          };
+        },
+      },
+    ],
+  },
+
+  // DETECT (DE)
+  {
+    id: 'DE.CM-01',
+    function: 'DETECT',
+    category: 'Continuous Monitoring',
+    subcategory: 'DE.CM-01',
+    title: 'Network Monitoring',
+    description: 'Networks and network services are monitored to find potentially adverse events',
+    checks: [
+      {
+        id: 'DE.CM-01.1',
+        description: 'Logging configured',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const logPatterns = ['winston', 'pino', 'bunyan', 'morgan', 'logger', 'logging'];
+          const hasLogging = logPatterns.some(p => 
+            ctx.codebase?.content?.toLowerCase().includes(p)
+          );
+          return {
+            passed: hasLogging,
+            findings: hasLogging ? [] : ['No logging implementation detected'],
+            evidence: hasLogging ? ['Logging patterns found'] : [],
+            recommendations: hasLogging ? [] : ['Implement structured logging'],
+          };
+        },
+      },
+    ],
+  },
+  {
+    id: 'DE.CM-06',
+    function: 'DETECT',
+    category: 'Continuous Monitoring',
+    subcategory: 'DE.CM-06',
+    title: 'External Service Monitoring',
+    description: 'External service provider activities and services are monitored',
+    checks: [
+      {
+        id: 'DE.CM-06.1',
+        description: 'Dependency monitoring configured',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const depMonitor = ['dependabot', 'renovate', 'snyk', 'npm audit'];
+          const hasMonitor = depMonitor.some(t => 
+            ctx.codebase?.content?.toLowerCase().includes(t)
+          );
+          return {
+            passed: hasMonitor,
+            findings: hasMonitor ? [] : ['No dependency monitoring detected'],
+            evidence: hasMonitor ? ['Dependency monitoring configured'] : [],
+            recommendations: hasMonitor ? [] : ['Configure Dependabot or similar'],
+          };
+        },
+      },
+    ],
+  },
+
+  // RESPOND (RS)
+  {
+    id: 'RS.MA-01',
+    function: 'RESPOND',
+    category: 'Incident Management',
+    subcategory: 'RS.MA-01',
+    title: 'Incident Response Plan',
+    description: 'The incident response plan is executed in coordination with relevant third parties',
+    checks: [
+      {
+        id: 'RS.MA-01.1',
+        description: 'Incident response documented',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const irFiles = ['incident-response', 'security-incident', 'SECURITY.md'];
+          const hasIR = irFiles.some(f => 
+            ctx.codebase?.files?.some((file: string) => file.toLowerCase().includes(f))
+          );
+          return {
+            passed: hasIR,
+            findings: hasIR ? [] : ['No incident response documentation'],
+            evidence: hasIR ? ['Incident response documentation exists'] : [],
+            recommendations: hasIR ? [] : ['Create incident response procedures'],
+          };
+        },
+      },
+    ],
+  },
+
+  // RECOVER (RC)
+  {
+    id: 'RC.RP-01',
+    function: 'RECOVER',
+    category: 'Incident Recovery Plan Execution',
+    subcategory: 'RC.RP-01',
+    title: 'Recovery Plan Execution',
+    description: 'The recovery portion of the incident response plan is executed',
+    checks: [
+      {
+        id: 'RC.RP-01.1',
+        description: 'Backup/recovery documented',
+        automated: true,
+        checkFunction: async (ctx) => {
+          const recoveryPatterns = ['backup', 'restore', 'disaster-recovery', 'dr-plan'];
+          const hasRecovery = recoveryPatterns.some(p => 
+            ctx.codebase?.files?.some((file: string) => file.toLowerCase().includes(p))
+          );
+          return {
+            passed: hasRecovery,
+            findings: hasRecovery ? [] : ['No backup/recovery documentation'],
+            evidence: hasRecovery ? ['Backup/recovery docs exist'] : [],
+            recommendations: hasRecovery ? [] : ['Document backup and recovery procedures'],
+          };
+        },
+      },
+    ],
+  },
+];
+
+/**
+ * NIST CSF Compliance Checker
+ */
+export class NISTChecker {
+  /**
+   * Run all NIST compliance checks
+   */
+  async checkCompliance(context: ComplianceContext): Promise<NISTReport> {
+    const results: ControlResult[] = [];
+    const functionScores: Record<NISTFunction, { passed: number; total: number }> = {
+      GOVERN: { passed: 0, total: 0 },
+      IDENTIFY: { passed: 0, total: 0 },
+      PROTECT: { passed: 0, total: 0 },
+      DETECT: { passed: 0, total: 0 },
+      RESPOND: { passed: 0, total: 0 },
+      RECOVER: { passed: 0, total: 0 },
+    };
+
+    for (const control of NIST_CONTROLS) {
+      const controlResults: CheckResult[] = [];
+      let controlPassed = true;
+
+      for (const check of control.checks) {
+        if (check.automated && check.checkFunction) {
+          try {
+            const result = await check.checkFunction(context);
+            controlResults.push(result);
+            if (!result.passed) {
+              controlPassed = false;
+            }
+          } catch (error) {
+            controlResults.push({
+              passed: false,
+              findings: [`Check failed: ${error}`],
+              evidence: [],
+              recommendations: ['Review check implementation'],
+            });
+            controlPassed = false;
+          }
+        }
+      }
+
+      functionScores[control.function].total++;
+      if (controlPassed) {
+        functionScores[control.function].passed++;
+      }
+
+      results.push({
+        control,
+        passed: controlPassed,
+        checkResults: controlResults,
+      });
+    }
+
+    const totalPassed = Object.values(functionScores).reduce((a, b) => a + b.passed, 0);
+    const totalControls = Object.values(functionScores).reduce((a, b) => a + b.total, 0);
+    const score = Math.round((totalPassed / totalControls) * 100);
+
+    return {
+      framework: 'NIST CSF 2.0',
+      timestamp: new Date().toISOString(),
+      score,
+      functionScores: Object.fromEntries(
+        Object.entries(functionScores).map(([fn, scores]) => [
+          fn,
+          Math.round((scores.passed / Math.max(scores.total, 1)) * 100),
+        ])
+      ) as Record<NISTFunction, number>,
+      passedControls: totalPassed,
+      failedControls: totalControls - totalPassed,
+      totalControls,
+      results,
+      recommendations: this.generateRecommendations(results),
+    };
+  }
+
+  private generateRecommendations(results: ControlResult[]): string[] {
+    const recommendations: string[] = [];
+    
+    for (const result of results) {
+      if (!result.passed) {
+        for (const checkResult of result.checkResults) {
+          recommendations.push(...checkResult.recommendations);
+        }
+      }
+    }
+
+    return [...new Set(recommendations)];
+  }
+}
+
+export interface ControlResult {
+  control: NISTControl;
+  passed: boolean;
+  checkResults: CheckResult[];
+}
+
+export interface NISTReport {
+  framework: string;
+  timestamp: string;
+  score: number;
+  functionScores: Record<NISTFunction, number>;
+  passedControls: number;
+  failedControls: number;
+  totalControls: number;
+  results: ControlResult[];
+  recommendations: string[];
+}
+
+// Export singleton
+export const nistChecker = new NISTChecker();