security-mcp 1.1.4 → 1.3.3
- package/README.md +341 -1018
- package/defaults/checklists/ai.json +20 -1
- package/defaults/checklists/api.json +35 -1
- package/defaults/checklists/infra.json +34 -1
- package/defaults/checklists/mobile.json +23 -1
- package/defaults/checklists/payments.json +15 -1
- package/defaults/checklists/web.json +11 -1
- package/defaults/cloud-controls/aws.json +10712 -0
- package/defaults/cloud-controls/azure.json +7201 -0
- package/defaults/cloud-controls/gcp.json +4061 -0
- package/defaults/control-catalog.json +24 -0
- package/defaults/security-policy.json +2 -2
- package/dist/ci/pr-gate.js +22 -5
- package/dist/cli/index.js +73 -2
- package/dist/cli/install.js +4 -55
- package/dist/cli/onboarding.js +18 -10
- package/dist/gate/baseline.js +82 -7
- package/dist/gate/catalog.js +10 -2
- package/dist/gate/checks/agentic-instructions.js +515 -0
- package/dist/gate/checks/ai-governance.js +132 -0
- package/dist/gate/checks/ai.js +757 -39
- package/dist/gate/checks/auth-deep.js +920 -216
- package/dist/gate/checks/business-logic.js +751 -0
- package/dist/gate/checks/ci-pipeline.js +399 -4
- package/dist/gate/checks/cloud-controls.js +69 -0
- package/dist/gate/checks/crypto.js +423 -2
- package/dist/gate/checks/data-platform.js +954 -0
- package/dist/gate/checks/dependencies.js +582 -15
- package/dist/gate/checks/docker-deep.js +1236 -0
- package/dist/gate/checks/gitops.js +724 -0
- package/dist/gate/checks/graphql.js +201 -19
- package/dist/gate/checks/iac.js +1230 -0
- package/dist/gate/checks/infra.js +246 -1
- package/dist/gate/checks/injection-deep.js +827 -184
- package/dist/gate/checks/k8s.js +955 -2
- package/dist/gate/checks/mobile-android.js +917 -3
- package/dist/gate/checks/mobile-ios.js +797 -5
- package/dist/gate/checks/required-artifacts.js +194 -0
- package/dist/gate/checks/runtime.js +178 -0
- package/dist/gate/checks/secrets.js +256 -13
- package/dist/gate/checks/supply-chain-deep.js +787 -0
- package/dist/gate/checks/web-nextjs.js +572 -48
- package/dist/gate/cloud-controls/apply.js +115 -0
- package/dist/gate/cloud-controls/bicep.js +36 -0
- package/dist/gate/cloud-controls/cfn.js +125 -0
- package/dist/gate/cloud-controls/detect.js +104 -0
- package/dist/gate/cloud-controls/hcl.js +140 -0
- package/dist/gate/cloud-controls/types.js +87 -0
- package/dist/gate/diff.js +17 -5
- package/dist/gate/evidence.js +8 -1
- package/dist/gate/exceptions.js +202 -9
- package/dist/gate/findings.js +15 -2
- package/dist/gate/policy.js +316 -130
- package/dist/gate/threat-intel.js +6 -0
- package/dist/mcp/audit-chain.js +131 -28
- package/dist/mcp/auth.js +169 -0
- package/dist/mcp/learning.js +129 -4
- package/dist/mcp/model-router.js +161 -24
- package/dist/mcp/orchestration.js +377 -89
- package/dist/mcp/server.js +460 -69
- package/dist/mcp/tool-audit.js +193 -0
- package/dist/repo/fs.js +37 -1
- package/dist/repo/search.js +31 -6
- package/dist/review/store.js +56 -3
- package/dist/tests/run.js +124 -1
- package/package.json +9 -9
- package/skills/_TEMPLATE/SKILL.md +99 -0
- package/skills/advanced-dos-tester/SKILL.md +118 -0
- package/skills/agentic-instruction-auditor/SKILL.md +111 -0
- package/skills/agentic-loop-exploiter/SKILL.md +377 -0
- package/skills/ai-llm-redteam/SKILL.md +113 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
- package/skills/android-penetration-tester/SKILL.md +464 -46
- package/skills/anti-replay-tester/SKILL.md +115 -0
- package/skills/appsec-code-auditor/SKILL.md +94 -0
- package/skills/artifact-integrity-analyst/SKILL.md +450 -0
- package/skills/attack-navigator/SKILL.md +476 -8
- package/skills/auth-session-hacker/SKILL.md +111 -0
- package/skills/aws-penetration-tester/SKILL.md +510 -0
- package/skills/azure-penetration-tester/SKILL.md +542 -3
- package/skills/binary-auth-validator/SKILL.md +120 -0
- package/skills/bot-detection-specialist/SKILL.md +118 -0
- package/skills/business-logic-attacker/SKILL.md +240 -0
- package/skills/capec-code-mapper/SKILL.md +93 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
- package/skills/ciso-orchestrator/SKILL.md +465 -43
- package/skills/cloud-infra-specialist/SKILL.md +127 -0
- package/skills/compliance-gap-analyst/SKILL.md +431 -0
- package/skills/compliance-grc/SKILL.md +94 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
- package/skills/container-hardening-auditor/SKILL.md +125 -0
- package/skills/credential-stuffing-specialist/SKILL.md +111 -0
- package/skills/crypto-pki-specialist/SKILL.md +96 -0
- package/skills/csa-ccm-mapper/SKILL.md +93 -0
- package/skills/csf2-governance-mapper/SKILL.md +93 -0
- package/skills/data-platform-auditor/SKILL.md +125 -0
- package/skills/deep-link-fuzzer/SKILL.md +118 -0
- package/skills/dependency-confusion-attacker/SKILL.md +424 -0
- package/skills/device-integrity-aggregator/SKILL.md +117 -0
- package/skills/dos-resilience-tester/SKILL.md +106 -0
- package/skills/dread-scorer/SKILL.md +93 -0
- package/skills/egress-policy-enforcer/SKILL.md +108 -0
- package/skills/evidence-collector/SKILL.md +107 -0
- package/skills/file-upload-attacker/SKILL.md +118 -0
- package/skills/gcp-penetration-tester/SKILL.md +510 -2
- package/skills/git-history-secret-scanner/SKILL.md +115 -0
- package/skills/gitops-delivery-auditor/SKILL.md +120 -0
- package/skills/iac-security-auditor/SKILL.md +125 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
- package/skills/incident-responder/SKILL.md +120 -0
- package/skills/injection-specialist/SKILL.md +111 -0
- package/skills/ios-security-auditor/SKILL.md +291 -0
- package/skills/json-ambiguity-tester/SKILL.md +145 -0
- package/skills/k8s-container-escaper/SKILL.md +406 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
- package/skills/kill-switch-engineer/SKILL.md +111 -0
- package/skills/linddun-privacy-analyst/SKILL.md +111 -0
- package/skills/logic-race-fuzzer/SKILL.md +452 -0
- package/skills/mobile-api-network-attacker/SKILL.md +430 -0
- package/skills/mobile-binary-hardener/SKILL.md +111 -0
- package/skills/mobile-security-specialist/SKILL.md +94 -0
- package/skills/mobile-webview-auditor/SKILL.md +105 -0
- package/skills/model-extraction-attacker/SKILL.md +228 -0
- package/skills/multipart-abuse-tester/SKILL.md +93 -0
- package/skills/oauth-pkce-specialist/SKILL.md +113 -0
- package/skills/parser-exhaustion-tester/SKILL.md +151 -0
- package/skills/pentest-infra/SKILL.md +107 -0
- package/skills/pentest-social/SKILL.md +210 -0
- package/skills/pentest-team/SKILL.md +96 -0
- package/skills/pentest-web-api/SKILL.md +107 -0
- package/skills/privacy-flow-analyst/SKILL.md +243 -0
- package/skills/prompt-injection-specialist/SKILL.md +403 -0
- package/skills/quantum-migration-planner/SKILL.md +105 -0
- package/skills/rag-poisoning-specialist/SKILL.md +367 -0
- package/skills/registry-mirror-enforcer/SKILL.md +93 -0
- package/skills/rotation-validation-agent/SKILL.md +121 -0
- package/skills/samm-assessor/SKILL.md +94 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
- package/skills/senior-security-engineer/SKILL.md +178 -0
- package/skills/serialization-memory-attacker/SKILL.md +341 -0
- package/skills/session-timeout-tester/SKILL.md +170 -0
- package/skills/slsa-level3-enforcer/SKILL.md +121 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
- package/skills/ssrf-detection-validator/SKILL.md +117 -0
- package/skills/step-up-auth-enforcer/SKILL.md +93 -0
- package/skills/stride-pasta-analyst/SKILL.md +429 -0
- package/skills/supply-chain-devsecops/SKILL.md +107 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
- package/skills/threat-modeler/SKILL.md +94 -0
- package/skills/tls-certificate-auditor/SKILL.md +582 -18
- package/skills/token-reuse-detector/SKILL.md +104 -0
- package/skills/trike-risk-modeler/SKILL.md +93 -0
- package/skills/unicode-homograph-tester/SKILL.md +93 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
- package/skills/webhook-security-tester/SKILL.md +111 -0
- package/skills/zero-trust-architect/SKILL.md +118 -0
|
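--- a/package/defaults/checklists/ai.json
+++ b/package/defaults/checklists/ai.json
@@ -20,6 +20,25 @@
 { "id": "ai_rag_authz", "description": "RAG retrieval enforces authorization — documents filtered by user permissions", "critical": true },
 { "id": "ai_no_pii_in_prompts", "description": "No PII, credentials, or secrets in prompt templates", "critical": true },
 { "id": "ai_fallback_handling", "description": "Model failures handled gracefully — no sensitive error details exposed to users", "critical": false },
-{ "id": "ai_owasp_llm_top10", "description": "OWASP LLM Top 10 controls reviewed and addressed for this AI surface", "critical": true }
+{ "id": "ai_owasp_llm_top10", "description": "OWASP LLM Top 10 controls reviewed and addressed for this AI surface", "critical": true },
+{ "id": "ai_context_session_isolation", "description": "Per-user session context is strictly isolated — no cross-user context bleed in multi-tenant deployments; conversation history scoped to authenticated user ID", "critical": true },
+{ "id": "ai_adversarial_probe_multi_turn", "description": "Multi-turn adversarial probing complete: role-play escapes, many-shot jailbreaks, encoded payloads (base64, l33tspeak), goal hijacking across conversation resets — all documented with pass/fail", "critical": true },
+{ "id": "ai_tool_sandboxing", "description": "AI agent tool execution sandboxed — filesystem, network, and shell access granted only via explicit allowlist; no ambient authority; each tool call requires declared capability", "critical": true },
+{ "id": "ai_model_supply_chain", "description": "AI model provider and version verified — model hash or digest pinned in configuration; shadow model substitution would be detected; provider SLA and security posture documented", "critical": false },
+{ "id": "ai_output_length_limit", "description": "Model output length limits enforced at the API layer; unbounded generation that could exhaust context or enable token flooding is blocked; streaming responses have an abort timeout", "critical": true },
+{ "id": "ai_indirect_injection_external", "title": "External content ingestion paths sanitize fetched content before LLM context injection", "severity": "critical", "automated": true },
+{ "id": "ai_markdown_exfil", "title": "LLM output stripped of markdown images and external links before rendering to clients", "severity": "critical", "automated": true },
+{ "id": "ai_memory_poisoning", "title": "Long-term memory writes validated; read-back treated as untrusted input with injection guards", "severity": "critical", "automated": true },
+{ "id": "ai_rag_corpus_poisoning", "title": "Documents ingested into vector store pass content validation and injection scanning before upsert", "severity": "high", "automated": true },
+{ "id": "ai_token_smuggling", "title": "User prompt inputs stripped of zero-width Unicode, invisible characters, and homoglyphs before processing", "severity": "high", "automated": true },
+{ "id": "ai_privilege_escalation", "title": "Agent tool list frozen at session initialization — no runtime tool registration permitted", "severity": "critical", "automated": true },
+{ "id": "ai_llm_judge_manipulation", "title": "LLM-as-judge evaluation pipelines use static server-controlled scoring criteria isolated from user input", "severity": "high", "automated": true },
+{ "id": "ai_idor_tool_calls", "title": "Agentic tool calls that accept resource IDs enforce per-request authorization before accessing the resource", "severity": "critical", "automated": true },
+{ "id": "ai_context_stuffing", "title": "Application enforces maximum input token budget per request before dispatching to LLM API", "severity": "high", "automated": true },
+{ "id": "ai_multimodal_injection", "title": "Multimodal inputs (images, PDFs, audio) passed to vision/multimodal LLMs scanned for embedded injection payloads", "severity": "critical", "automated": true },
+{ "id": "ai_vector_filter_bypass", "title": "Vector store tenant isolation uses mandatory hard filters (must/AND) not optional soft filters (should/OR)", "severity": "high", "automated": true },
+{ "id": "ai_stream_chunk_validation", "title": "Streaming LLM response chunks validated against expected SSE schema before forwarding", "severity": "high", "automated": true },
+{ "id": "ai_generated_code_audit_trail", "title": "Every execution of AI-generated code, SQL, or shell commands produces an audit log entry", "severity": "high", "automated": true },
+{ "id": "ai_embedding_inversion", "title": "Raw embedding vectors never exposed in API responses, logs, or client storage", "severity": "medium", "automated": true }
 ]
 }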
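Review bot: The entries added from `ai_indirect_injection_external` onward use `title`/`severity`/`automated`, while every earlier entry in this array, including the five added just above them, uses `description`/`critical`. If the checklist consumer reads `description` and `critical` (the consumer is not visible here), the new items would render without text and would not count as critical, so a gate could pass with them unaddressed. Normalise the array to one shape, or carry both sets of fields on every entry, e.g. `{ "id": "ai_markdown_exfil", "description": "...", "critical": true, "automated": true }`. The same mix of shapes appears in the api.json, infra.json, mobile.json and payments.json hunks that follow.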
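--- a/package/defaults/checklists/api.json
+++ b/package/defaults/checklists/api.json
@@ -22,6 +22,40 @@
 { "id": "api_secrets_scan", "description": "Secrets scan clean — no hardcoded credentials or API keys", "critical": true },
 { "id": "api_sast_pass", "description": "SAST scan passed with no CRITICAL findings", "critical": true },
 { "id": "api_threat_model", "description": "Threat model completed and reviewed for this API surface change", "critical": true },
-{ "id": "api_health_endpoint", "description": "Health/readiness endpoints do not expose sensitive version or config info", "critical": false }
+{ "id": "api_health_endpoint", "description": "Health/readiness endpoints do not expose sensitive version or config info", "critical": false },
+{ "id": "api_graphql_introspection", "description": "GraphQL introspection disabled in production; query depth limit ≤ 10 and complexity budget enforced to prevent resource exhaustion", "critical": true },
+{ "id": "api_idempotency_replay", "description": "Financial and state-changing endpoints protected against replay via idempotency keys or HMAC-timestamped signatures with a time-bound window ≤ 5 minutes", "critical": true },
+{ "id": "api_command_injection", "description": "No user-controlled input passed to child_process.exec, execSync, spawn with shell:true, or any shell interpreter — allowlisted command templates only", "critical": true },
+{ "id": "api_file_upload_validation", "description": "File upload endpoints enforce MIME type server-side (not by extension), max file size, extension allowlist, and malware scanning; files stored outside web root", "critical": true },
+{ "id": "api_timing_safe_equality", "description": "All sensitive equality checks (tokens, reset codes, HMAC digests, API keys) use crypto.timingSafeEqual — no string ===, indexOf, or includes comparisons", "critical": true },
+{ "id": "api_second_order_injection", "title": "Second-order injection prevention reviewed — data retrieved from DB never passed unsanitized to SQL/template/shell sinks", "severity": "critical", "automated": true },
+{ "id": "api_spel_ognl_injection", "title": "SpEL/OGNL/MVEL expression parsers do not evaluate user-controlled input", "severity": "critical", "automated": true },
+{ "id": "api_pickle_marshal_deserialization", "title": "Python pickle.loads/Marshal.load/PHP unserialize never called on user-supplied data", "severity": "critical", "automated": true },
+{ "id": "api_java_deserialization", "title": "Java ObjectInputStream.readObject/XStream/Kryo deserialization never used with untrusted data", "severity": "critical", "automated": true },
+{ "id": "api_elasticsearch_injection", "title": "Elasticsearch query_string and script.source do not include user input", "severity": "high", "automated": true },
+{ "id": "api_websocket_message_injection", "title": "WebSocket message handlers validate all incoming data before passing to sinks", "severity": "high", "automated": true },
+{ "id": "api_grpc_protobuf_validation", "title": "gRPC/Protobuf endpoints validate all message fields after deserialization", "severity": "high", "automated": true },
+{ "id": "api_nosql_field_injection", "title": "MongoDB query field values validated as scalar types — $gt/$regex stripped from user input", "severity": "high", "automated": true },
+{ "id": "api_http_response_splitting", "title": "HTTP response splitting prevented — writeHead/headers.set never include user CRLF sequences", "severity": "high", "automated": true },
+{ "id": "api_document_injection", "title": "PDF/Office document generation libraries sanitize user input — no formula injection (=CMD, =DDE)", "severity": "high", "automated": true },
+{ "id": "api_bracket_notation_pollution", "title": "Dynamic property assignment using user-controlled keys forbidden — bracket notation obj[userKey] validated", "severity": "high", "automated": true },
+{ "id": "api_jwt_kid_injection", "title": "JWT kid header sanitised before DB lookup or filesystem access", "severity": "critical", "automated": true },
+{ "id": "api_jwt_jwks_uri_pinned", "title": "JWKS URI pinned to static allowlist — token-supplied jwks_uri not followed", "severity": "critical", "automated": true },
+{ "id": "api_oauth_client_secret_hardcoded", "title": "OAuth client_secret not hardcoded in client-side code — public clients use PKCE only", "severity": "critical", "automated": true },
+{ "id": "api_session_token_in_url", "title": "Session identifiers never transmitted in URL query parameters", "severity": "high", "automated": true },
+{ "id": "api_token_entropy", "title": "Session and reset tokens generated with ≥ 16 bytes (128 bits) of cryptographic randomness", "severity": "high", "automated": true },
+{ "id": "api_remember_me_rotation", "title": "Persistent remember-me tokens rotated on each use, stored hashed server-side, hard-expired ≤ 30 days", "severity": "high", "automated": true },
+{ "id": "api_password_reset_single_use", "title": "Password reset tokens deleted or nullified immediately after first use", "severity": "high", "automated": true },
+{ "id": "api_account_enumeration", "title": "Login and password-reset endpoints return identical responses for invalid user vs. invalid credential", "severity": "medium", "automated": true },
+{ "id": "api_bcrypt_cost_factor", "title": "bcrypt cost factor ≥ 12 for all password hashing operations", "severity": "high", "automated": true },
+{ "id": "api_zero_iv", "title": "No all-zero or zero-filled IVs used in cipher operations — IVs generated with crypto.randomBytes", "severity": "critical", "automated": true },
+{ "id": "api_rsa_key_size", "title": "RSA key generation uses ≥ 2048 bits — no sub-2048 key sizes", "severity": "critical", "automated": true },
+{ "id": "api_dh_params", "title": "Diffie-Hellman parameters ≥ 2048 bits — no weak DH groups (modp1/2/5)", "severity": "high", "automated": true },
+{ "id": "api_forward_secrecy", "title": "TLS cipher suites require ECDHE or DHE — forward secrecy enforced", "severity": "high", "automated": true },
+{ "id": "api_graphql_resolver_injection", "title": "GraphQL resolver arguments never concatenated into raw SQL/NoSQL queries", "severity": "critical", "automated": true },
+{ "id": "api_graphql_batching", "title": "GraphQL alias count limited per request (≤ 15) — batching-based enumeration and DoS prevented", "severity": "high", "automated": true },
+{ "id": "api_sse_injection", "title": "Server-Sent Events streams strip \\r\\n from user-controlled data before writing", "severity": "high", "automated": true },
+{ "id": "api_oauth_referer_leakage", "title": "Referrer-Policy: no-referrer set on pages that receive OAuth tokens; tokens not in URL query params", "severity": "high", "automated": true },
+{ "id": "api_pagination_bounds", "title": "Pagination parameters (limit, offset, page) validated with minimum 1, maximum cap, non-negative enforcement", "severity": "medium", "automated": true }
 ]
 }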
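Review bot: The title of `api_pickle_marshal_deserialization` reads as if `Marshal.load` were a Python call, but `Marshal.load` is Ruby's API and Python's equivalent is `marshal.loads`. Someone scoping the check by language could skip Ruby code entirely. Suggest `"title": "Python pickle.loads/marshal.loads, Ruby Marshal.load and PHP unserialize never called on user-supplied data"`. Separately, `api_session_token_in_url` and the second half of `api_oauth_referer_leakage` both assert that tokens stay out of URL query parameters; stating that once keeps the two items from drifting apart.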
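--- a/package/defaults/checklists/infra.json
+++ b/package/defaults/checklists/infra.json
@@ -22,6 +22,39 @@
 { "id": "infra_provenance", "description": "SLSA provenance attestation generated for release artifacts", "critical": false },
 { "id": "infra_threat_model", "description": "Threat model completed and reviewed for this infrastructure change", "critical": true },
 { "id": "infra_zero_trust", "description": "Zero Trust controls applied — explicit authentication for all service-to-service calls", "critical": true },
-{ "id": "infra_ddos_protection", "description": "DDoS protection enabled for public-facing load balancers", "critical": false }
+{ "id": "infra_ddos_protection", "description": "DDoS protection enabled for public-facing load balancers", "critical": false },
+{ "id": "infra_imdsv2_enforced", "description": "IMDSv2 enforced on all EC2/cloud instances (hop limit 1, token required); SSRF to 169.254.169.254 blocked at network layer — prevents cloud metadata credential theft", "critical": true },
+{ "id": "infra_egress_filtering", "description": "Egress network filtering restricts outbound connections to known-good destinations; unexpected outbound traffic triggers alerts within 15 minutes", "critical": true },
+{ "id": "infra_pod_security_standards", "description": "Kubernetes pods run with Restricted security context: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation:false, seccomp profile enforced", "critical": true },
+{ "id": "infra_secret_rotation", "description": "All secrets and credentials have automated rotation policy with maximum rotation interval documented and enforced; rotation failures trigger immediate alerts", "critical": true },
+{ "id": "infra_runtime_threat_detection", "description": "Runtime threat detection enabled (Falco, GuardDuty, Defender for Cloud, or equivalent) on all compute; anomalies generate alerts within 15 minutes with documented runbook", "critical": false },
+{ "id": "infra_imdsv1_accessible", "title": "IMDSv1 disabled — http_tokens=required enforced on all EC2 instances", "severity": "critical", "automated": true },
+{ "id": "infra_lambda_url_no_auth", "title": "Lambda function URLs not configured with AuthType NONE", "severity": "critical", "automated": true },
+{ "id": "infra_ecr_scan_on_push", "title": "ECR repositories have scan-on-push enabled", "severity": "high", "automated": true },
+{ "id": "infra_ecs_host_network", "title": "ECS tasks do not use host network mode", "severity": "high", "automated": true },
+{ "id": "infra_cloudtrail_multiregion", "title": "CloudTrail configured as multi-region trail", "severity": "high", "automated": true },
+{ "id": "infra_s3_access_logging", "title": "S3 server access logging enabled on all sensitive buckets", "severity": "medium", "automated": true },
+{ "id": "infra_vpc_flow_logs", "title": "VPC flow logs enabled", "severity": "medium", "automated": true },
+{ "id": "infra_cross_account_external_id", "title": "Cross-account IAM trust policies include sts:ExternalId condition", "severity": "high", "automated": true },
+{ "id": "infra_gcp_default_service_account", "title": "GCP instances do not use the default Compute Engine service account", "severity": "high", "automated": true },
+{ "id": "infra_gcp_project_ssh_keys", "title": "No GCP project-level SSH keys configured", "severity": "medium", "automated": true },
+{ "id": "infra_gcp_external_ip", "title": "GCP compute instances without external IPs unless required", "severity": "medium", "automated": true },
+{ "id": "infra_azure_public_network_access", "title": "Azure resources do not have public_network_access_enabled=true unless required", "severity": "high", "automated": true },
+{ "id": "infra_deletion_protection", "title": "All databases and stateful resources have deletion_protection=true", "severity": "high", "automated": true },
+{ "id": "infra_vpc_endpoint_s3_ecr", "title": "VPC endpoints configured for S3/ECR — service traffic does not route over public internet", "severity": "medium", "automated": true },
+{ "id": "infra_guardduty_enabled", "title": "AWS GuardDuty enabled in all regions", "severity": "high", "automated": true },
+{ "id": "infra_security_hub_enabled", "title": "AWS Security Hub enabled for centralized findings aggregation", "severity": "medium", "automated": true },
+{ "id": "k8s_run_as_root", "title": "Kubernetes containers do not run as root (runAsUser: 0)", "severity": "high", "automated": true },
+{ "id": "k8s_capabilities_not_dropped", "title": "Container capabilities fully dropped (capabilities.drop: [ALL])", "severity": "high", "automated": true },
+{ "id": "k8s_nodeport_exposure", "title": "No NodePort services exposing sensitive internal services", "severity": "medium", "automated": true },
+{ "id": "k8s_tiller_helm_v2", "title": "Helm v2 Tiller not deployed in cluster", "severity": "critical", "automated": true },
+{ "id": "k8s_docker_socket_mount", "title": "Docker socket not mounted inside any Kubernetes pod", "severity": "critical", "automated": true },
+{ "id": "k8s_api_anonymous_auth", "title": "Kubernetes API server anonymous-auth disabled", "severity": "critical", "automated": true },
+{ "id": "k8s_mtls_not_strict", "title": "Istio/Linkerd PeerAuthentication enforces STRICT mTLS mode", "severity": "high", "automated": true },
+{ "id": "docker_no_user_directive", "title": "All Dockerfiles include USER directive — containers do not run as root", "severity": "high", "automated": true },
+{ "id": "docker_add_url_no_integrity", "title": "Dockerfiles do not use ADD with remote URLs without integrity verification", "severity": "high", "automated": true },
+{ "id": "docker_secrets_in_env", "title": "No secrets in Dockerfile ENV instructions", "severity": "critical", "automated": true },
+{ "id": "docker_privileged_flag", "title": "No containers started with --privileged or privileged:true", "severity": "critical", "automated": true },
+{ "id": "docker_socket_mount", "title": "Docker socket not mounted into any container", "severity": "critical", "automated": true }
 ]
 }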
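Review bot: Several of the new ids name the failing condition while their titles state the passing one: `infra_imdsv1_accessible`, `infra_lambda_url_no_auth`, `k8s_run_as_root`, `k8s_capabilities_not_dropped`, `k8s_mtls_not_strict` and `docker_no_user_directive`. With `"automated": true` and no documented polarity, a reader cannot tell whether a positive result means compliant or violated. If these ids must match finding ids emitted elsewhere in the package (not visible here), document the convention once for the file; otherwise name them after the control, as `infra_imdsv2_enforced` already does. `k8s_docker_socket_mount` and `docker_socket_mount` have near-identical titles, and `infra_imdsv1_accessible` repeats the token-required clause of `infra_imdsv2_enforced`, so each title should say which layer it covers.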
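--- a/package/defaults/checklists/mobile.json
+++ b/package/defaults/checklists/mobile.json
@@ -20,6 +20,28 @@
 { "id": "mobile_threat_model", "description": "Threat model completed and reviewed for this mobile surface change", "critical": true },
 { "id": "mobile_data_residency", "description": "Data residency requirements met — no user data stored on device beyond session", "critical": false },
 { "id": "mobile_backup_prevention", "description": "allowBackup=false in Android manifest — sensitive data not included in backups", "critical": true },
-{ "id": "mobile_logging", "description": "No sensitive data logged in production builds — crash reporting sanitized", "critical": true }
+{ "id": "mobile_logging", "description": "No sensitive data logged in production builds — crash reporting sanitized", "critical": true },
+{ "id": "mobile_tapjacking_prevention", "description": "Android tapjacking prevention: FLAG_SECURE set on sensitive screens; filterTouchesWhenObscured=true on clickable elements handling auth or payments", "critical": true },
+{ "id": "mobile_memory_zeroing", "description": "Sensitive data (passwords, keys, PAN) explicitly zeroed from memory after use — not relying on GC; no sensitive data in String objects (use char[] or SecureString)", "critical": false },
+{ "id": "mobile_anti_debugging", "description": "Anti-debugging and anti-tampering controls in place for high-risk operations; ptrace detection and integrity attestation verified before sensitive operations", "critical": false },
+{ "id": "mobile_ios_temp_sensitive", "title": "iOS: Sensitive data not written to NSTemporaryDirectory or NSCachesDirectory without explicit cleanup", "severity": "high", "automated": true },
+{ "id": "mobile_ios_file_protection_none", "title": "iOS: NSFileProtectionNone not set on any file containing sensitive data", "severity": "critical", "automated": true },
+{ "id": "mobile_ios_appstorage_sensitive", "title": "iOS: @AppStorage not used for sensitive credentials or tokens", "severity": "high", "automated": true },
+{ "id": "mobile_ios_sqlite_unencrypted", "title": "iOS: SQLite databases encrypted with SQLCipher when storing sensitive data", "severity": "high", "automated": true },
+{ "id": "mobile_ios_webview_http", "title": "iOS: WKWebView does not load http:// URLs when JavaScript is enabled", "severity": "critical", "automated": true },
+{ "id": "mobile_ios_universal_links", "title": "iOS: Universal Links configured with HTTPS AASA and restrictive path patterns", "severity": "high", "automated": true },
+{ "id": "mobile_android_root_detection", "title": "Android: Root detection implemented for high-risk operations", "severity": "medium", "automated": true },
+{ "id": "mobile_android_frida_magisk_detection", "title": "Android: Frida/Magisk/Xposed detection in place for high-risk app flows", "severity": "medium", "automated": true },
+{ "id": "mobile_android_webview_ssl_error", "title": "Android: WebViewClient.onReceivedSslError does not call proceed() unconditionally", "severity": "critical", "automated": true },
+{ "id": "mobile_android_firebase_rules", "title": "Android: Firebase Realtime Database and Firestore rules deny unauthenticated access", "severity": "critical", "automated": true },
+{ "id": "mobile_android_maps_api_key", "title": "Android: Google Maps API key not hardcoded in manifest or resource files", "severity": "high", "automated": true },
+{ "id": "mobile_android_deeplink_traversal", "title": "Android: Deep link path parameters validated and sanitized before use in file or URL operations", "severity": "high", "automated": true },
+{ "id": "mobile_android_sharedprefs_world", "title": "Android: SharedPreferences not opened with MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE", "severity": "critical", "automated": true },
+{ "id": "mobile_android_content_provider_permission", "title": "Android: ContentProvider with exported=true has explicit readPermission and writePermission", "severity": "high", "automated": true },
+{ "id": "mobile_rn_async_storage_sensitive", "title": "React Native: AsyncStorage not used for credentials or tokens — use react-native-keychain or Expo SecureStore", "severity": "high", "automated": true },
+{ "id": "mobile_rn_codepush_integrity", "title": "React Native: OTA bundle updates verified with code signing before execution", "severity": "high", "automated": true },
+{ "id": "mobile_flutter_sharedprefs_sensitive", "title": "Flutter: Sensitive data stored in flutter_secure_storage, not shared_preferences", "severity": "high", "automated": true },
+{ "id": "mobile_expo_async_vs_secure", "title": "Expo: Credentials and tokens stored in SecureStore, not AsyncStorage", "severity": "high", "automated": true },
+{ "id": "mobile_certificate_transparency", "title": "Certificate Transparency enforcement enabled for production domains", "severity": "medium", "automated": true }
 ]
 }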
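Review bot: `mobile_tapjacking_prevention` lists `FLAG_SECURE` as a tapjacking control, but that window flag keeps the screen out of screenshots, recordings and non-secure displays; it does not stop an overlay from intercepting touches. `filterTouchesWhenObscured=true` is the part that addresses overlays, so a team could tick this item on the strength of `FLAG_SECURE` alone and stay exposed. Suggest rewording to `"Android overlay protection: filterTouchesWhenObscured=true on clickable elements handling auth or payments; FLAG_SECURE set on sensitive screens to block screen capture"`, or splitting it into two items. `mobile_rn_async_storage_sensitive` and `mobile_expo_async_vs_secure` also overlap on AsyncStorage versus SecureStore and could say which project types each applies to.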
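--- a/package/defaults/checklists/payments.json
+++ b/package/defaults/checklists/payments.json
@@ -20,6 +20,20 @@
 { "id": "pci_chargeback_monitoring", "description": "Chargeback monitoring and alerting configured with defined response process", "critical": false },
 { "id": "pci_data_retention", "description": "Payment data retention policy enforced — data purged per PCI DSS schedule", "critical": true },
 { "id": "pci_ir_playbook", "description": "Payment fraud and PCI breach IR playbooks exist and are current", "critical": true },
-{ "id": "pci_threat_model", "description": "Threat model completed and reviewed for this payment surface change", "critical": true }
+{ "id": "pci_threat_model", "description": "Threat model completed and reviewed for this payment surface change", "critical": true },
+{ "id": "pci_magecart_prevention", "description": "Magecart/digital-skimming prevention: SRI hashes on all checkout page scripts; CSP blocks unauthorized exfiltration destinations; DOM mutation monitoring detects injected form skimmers", "critical": true },
+{ "id": "pci_3ds_enforced", "description": "EMV 3D Secure 2.2+ enforced for card-not-present transactions above risk threshold; step-up authentication triggered by anomaly score; 3DS bypass attempts logged and alerted", "critical": true },
+{ "id": "pci_currency_validation", "title": "Payment currency fixed server-side — client-supplied currency code rejected or validated against strict allowlist", "severity": "critical", "automated": true },
+{ "id": "pci_discount_stacking", "title": "Discount/coupon stacking limited server-side — maximum one promotion per order enforced atomically", "severity": "high", "automated": true },
+{ "id": "pci_payment_confirmation_server_side", "title": "Order/fulfillment status derived exclusively from payment processor API response — never from client-supplied status field", "severity": "critical", "automated": true },
+{ "id": "pci_webhook_timestamp_tolerance", "title": "Webhook timestamp tolerance ≤ 300 seconds — stale events rejected", "severity": "high", "automated": true },
+{ "id": "pci_server_side_totals", "title": "Tax, shipping, and discount amounts computed server-side — never sourced from client request body", "severity": "high", "automated": true },
+{ "id": "pci_total_revalidation", "title": "Final charge amount re-computed server-side from canonical item prices — client-supplied total field never used as charge amount", "severity": "critical", "automated": true },
+{ "id": "pci_referral_abuse_prevention", "title": "Referral/signup bonus protected against self-referral and multi-account abuse with deduplication", "severity": "high", "automated": true },
+{ "id": "biz_email_normalization", "title": "Email addresses normalised before uniqueness check — duplicate account creation via aliasing prevented", "severity": "high", "automated": true },
+{ "id": "biz_feature_flag_server_side", "title": "Feature entitlements derived from server-side session/database record — not from client-supplied plan/tier/featureFlag parameters", "severity": "high", "automated": true },
+{ "id": "biz_api_version_controls_parity", "title": "All security controls applied uniformly across all live API versions — deprecated versions sunset or mirrored", "severity": "high", "automated": false },
+{ "id": "pci_trial_abuse_prevention", "title": "Free trial creation checked for velocity on payment method fingerprint, BIN prefix, IP, and device identifier", "severity": "high", "automated": true },
+{ "id": "pci_payment_intent_idempotency", "title": "Payment intent charge guarded by distributed lock or unique constraint — concurrent double-charge prevented", "severity": "critical", "automated": true }
 ]
 }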
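Review bot: The twelve entries added from `pci_currency_validation` through `pci_payment_intent_idempotency` use `title`/`severity`/`automated`, while every other item in this array, including `pci_magecart_prevention` and `pci_3ds_enforced` added just above them, uses `description`/`critical`. The code that reads this checklist is not visible here. If it keys on `description` and `critical`, the new items would render without text, and the four marked `"severity": "critical"` would not be treated as blocking. I would give every item one shape, for example by also carrying `"description": "…"` and `"critical": true` on the new entries, or document that both shapes are accepted and how `severity` maps to `critical`. The three `biz_*` ids are not payment-specific, so confirm they are meant to be gated only when the payments checklist applies.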
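--- a/package/defaults/checklists/web.json
+++ b/package/defaults/checklists/web.json
@@ -25,6 +25,16 @@
 { "id": "web_sast_pass", "description": "SAST scan passed with no CRITICAL findings", "critical": true },
 { "id": "web_secrets_scan", "description": "Secrets scan clean — no credentials or tokens in source code", "critical": true },
 { "id": "web_logging", "description": "Required security events logged — no PII, tokens, or secrets in logs", "critical": false },
-{ "id": "web_staging_verified", "description": "Security headers verified in staging environment with automated check", "critical": false }
+{ "id": "web_staging_verified", "description": "Security headers verified in staging environment with automated check", "critical": false },
+{ "id": "web_dom_clobbering", "description": "DOM clobbering prevention reviewed — named form inputs, anchors, and embeds do not shadow window/document properties used in application logic", "critical": true },
+{ "id": "web_cache_poisoning", "description": "Web cache poisoning prevented — unkeyed headers (X-Forwarded-Host, X-Original-URL, X-Rewrite-URL) are not reflected in cached responses or redirects", "critical": true },
+{ "id": "web_websocket_auth", "description": "WebSocket upgrade validates authentication independently (token in first message or query param signed); does not rely solely on session cookies which bypass CORS", "critical": true },
+{ "id": "web_postmessage_origin", "description": "postMessage listeners validate event.origin against an explicit allowlist before processing any message data — no wildcard '*' as trusted origin", "critical": true },
+{ "id": "web_dangling_markup", "description": "Dangling markup injection reviewed — no user-controlled partial HTML tags output across multi-step page generation; prevents attribute-injection data exfiltration", "critical": false },
+{ "id": "web_css_injection", "title": "User input not written into CSS style attributes, CSS-in-JS template literals, or <style> blocks", "severity": "high", "automated": true },
+{ "id": "web_dangling_markup_check", "title": "Dangling markup injection prevention — no user-controlled partial HTML tags in server-rendered output", "severity": "high", "automated": true },
+{ "id": "web_postmessage_wildcard", "title": "postMessage sender does not use wildcard '*' as targetOrigin for sensitive data", "severity": "medium", "automated": true },
+{ "id": "web_cache_poisoning_headers", "title": "Unkeyed headers (X-Forwarded-Host, X-Original-URL) not reflected in cached responses or redirects", "severity": "medium", "automated": true },
+{ "id": "web_missing_sri", "title": "All external scripts and stylesheets loaded with Subresource Integrity (SRI) integrity= attribute", "severity": "medium", "automated": true }
 ]
 }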
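Review bot: Two controls are listed twice with conflicting ratings: `web_cache_poisoning` is `"critical": true` while `web_cache_poisoning_headers` is `"severity": "medium"`, and `web_dangling_markup` is `"critical": false` while `web_dangling_markup_check` is `"severity": "high"`. The last five entries also switch from `description`/`critical` to `title`/`severity`/`automated`, so a reader keyed on the older fields (not visible here) may drop them. I would keep one entry per control, or state that the `title` items are the automated counterparts and align their severity with the manual item. Separately, the `web_websocket_auth` text says cookies "bypass CORS", but the WebSocket handshake is simply not subject to CORS. The check a reviewer needs is that the upgrade validates the `Origin` header against an allowlist, and a token in the query string tends to land in access logs, so the first-message option is the safer one to recommend.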