security-mcp 1.1.4 → 1.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +341 -1018
- package/defaults/checklists/ai.json +20 -1
- package/defaults/checklists/api.json +35 -1
- package/defaults/checklists/infra.json +34 -1
- package/defaults/checklists/mobile.json +23 -1
- package/defaults/checklists/payments.json +15 -1
- package/defaults/checklists/web.json +11 -1
- package/defaults/cloud-controls/aws.json +10712 -0
- package/defaults/cloud-controls/azure.json +7201 -0
- package/defaults/cloud-controls/gcp.json +4061 -0
- package/defaults/control-catalog.json +24 -0
- package/defaults/security-policy.json +2 -2
- package/dist/ci/pr-gate.js +22 -5
- package/dist/cli/index.js +73 -2
- package/dist/cli/install.js +4 -55
- package/dist/cli/onboarding.js +18 -10
- package/dist/gate/baseline.js +82 -7
- package/dist/gate/catalog.js +10 -2
- package/dist/gate/checks/agentic-instructions.js +515 -0
- package/dist/gate/checks/ai-governance.js +132 -0
- package/dist/gate/checks/ai.js +757 -39
- package/dist/gate/checks/auth-deep.js +920 -216
- package/dist/gate/checks/business-logic.js +751 -0
- package/dist/gate/checks/ci-pipeline.js +399 -4
- package/dist/gate/checks/cloud-controls.js +69 -0
- package/dist/gate/checks/crypto.js +423 -2
- package/dist/gate/checks/data-platform.js +954 -0
- package/dist/gate/checks/dependencies.js +582 -15
- package/dist/gate/checks/docker-deep.js +1236 -0
- package/dist/gate/checks/gitops.js +724 -0
- package/dist/gate/checks/graphql.js +201 -19
- package/dist/gate/checks/iac.js +1230 -0
- package/dist/gate/checks/infra.js +246 -1
- package/dist/gate/checks/injection-deep.js +827 -184
- package/dist/gate/checks/k8s.js +955 -2
- package/dist/gate/checks/mobile-android.js +917 -3
- package/dist/gate/checks/mobile-ios.js +797 -5
- package/dist/gate/checks/required-artifacts.js +194 -0
- package/dist/gate/checks/runtime.js +178 -0
- package/dist/gate/checks/secrets.js +256 -13
- package/dist/gate/checks/supply-chain-deep.js +787 -0
- package/dist/gate/checks/web-nextjs.js +572 -48
- package/dist/gate/cloud-controls/apply.js +115 -0
- package/dist/gate/cloud-controls/bicep.js +36 -0
- package/dist/gate/cloud-controls/cfn.js +125 -0
- package/dist/gate/cloud-controls/detect.js +104 -0
- package/dist/gate/cloud-controls/hcl.js +140 -0
- package/dist/gate/cloud-controls/types.js +87 -0
- package/dist/gate/diff.js +17 -5
- package/dist/gate/evidence.js +8 -1
- package/dist/gate/exceptions.js +202 -9
- package/dist/gate/findings.js +15 -2
- package/dist/gate/policy.js +316 -130
- package/dist/gate/threat-intel.js +6 -0
- package/dist/mcp/audit-chain.js +131 -28
- package/dist/mcp/auth.js +169 -0
- package/dist/mcp/learning.js +129 -4
- package/dist/mcp/model-router.js +161 -24
- package/dist/mcp/orchestration.js +377 -89
- package/dist/mcp/server.js +460 -69
- package/dist/mcp/tool-audit.js +193 -0
- package/dist/repo/fs.js +37 -1
- package/dist/repo/search.js +31 -6
- package/dist/review/store.js +56 -3
- package/dist/tests/run.js +124 -1
- package/package.json +9 -9
- package/skills/_TEMPLATE/SKILL.md +99 -0
- package/skills/advanced-dos-tester/SKILL.md +118 -0
- package/skills/agentic-instruction-auditor/SKILL.md +111 -0
- package/skills/agentic-loop-exploiter/SKILL.md +377 -0
- package/skills/ai-llm-redteam/SKILL.md +113 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
- package/skills/android-penetration-tester/SKILL.md +464 -46
- package/skills/anti-replay-tester/SKILL.md +115 -0
- package/skills/appsec-code-auditor/SKILL.md +94 -0
- package/skills/artifact-integrity-analyst/SKILL.md +450 -0
- package/skills/attack-navigator/SKILL.md +476 -8
- package/skills/auth-session-hacker/SKILL.md +111 -0
- package/skills/aws-penetration-tester/SKILL.md +510 -0
- package/skills/azure-penetration-tester/SKILL.md +542 -3
- package/skills/binary-auth-validator/SKILL.md +120 -0
- package/skills/bot-detection-specialist/SKILL.md +118 -0
- package/skills/business-logic-attacker/SKILL.md +240 -0
- package/skills/capec-code-mapper/SKILL.md +93 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
- package/skills/ciso-orchestrator/SKILL.md +465 -43
- package/skills/cloud-infra-specialist/SKILL.md +127 -0
- package/skills/compliance-gap-analyst/SKILL.md +431 -0
- package/skills/compliance-grc/SKILL.md +94 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
- package/skills/container-hardening-auditor/SKILL.md +125 -0
- package/skills/credential-stuffing-specialist/SKILL.md +111 -0
- package/skills/crypto-pki-specialist/SKILL.md +96 -0
- package/skills/csa-ccm-mapper/SKILL.md +93 -0
- package/skills/csf2-governance-mapper/SKILL.md +93 -0
- package/skills/data-platform-auditor/SKILL.md +125 -0
- package/skills/deep-link-fuzzer/SKILL.md +118 -0
- package/skills/dependency-confusion-attacker/SKILL.md +424 -0
- package/skills/device-integrity-aggregator/SKILL.md +117 -0
- package/skills/dos-resilience-tester/SKILL.md +106 -0
- package/skills/dread-scorer/SKILL.md +93 -0
- package/skills/egress-policy-enforcer/SKILL.md +108 -0
- package/skills/evidence-collector/SKILL.md +107 -0
- package/skills/file-upload-attacker/SKILL.md +118 -0
- package/skills/gcp-penetration-tester/SKILL.md +510 -2
- package/skills/git-history-secret-scanner/SKILL.md +115 -0
- package/skills/gitops-delivery-auditor/SKILL.md +120 -0
- package/skills/iac-security-auditor/SKILL.md +125 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
- package/skills/incident-responder/SKILL.md +120 -0
- package/skills/injection-specialist/SKILL.md +111 -0
- package/skills/ios-security-auditor/SKILL.md +291 -0
- package/skills/json-ambiguity-tester/SKILL.md +145 -0
- package/skills/k8s-container-escaper/SKILL.md +406 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
- package/skills/kill-switch-engineer/SKILL.md +111 -0
- package/skills/linddun-privacy-analyst/SKILL.md +111 -0
- package/skills/logic-race-fuzzer/SKILL.md +452 -0
- package/skills/mobile-api-network-attacker/SKILL.md +430 -0
- package/skills/mobile-binary-hardener/SKILL.md +111 -0
- package/skills/mobile-security-specialist/SKILL.md +94 -0
- package/skills/mobile-webview-auditor/SKILL.md +105 -0
- package/skills/model-extraction-attacker/SKILL.md +228 -0
- package/skills/multipart-abuse-tester/SKILL.md +93 -0
- package/skills/oauth-pkce-specialist/SKILL.md +113 -0
- package/skills/parser-exhaustion-tester/SKILL.md +151 -0
- package/skills/pentest-infra/SKILL.md +107 -0
- package/skills/pentest-social/SKILL.md +210 -0
- package/skills/pentest-team/SKILL.md +96 -0
- package/skills/pentest-web-api/SKILL.md +107 -0
- package/skills/privacy-flow-analyst/SKILL.md +243 -0
- package/skills/prompt-injection-specialist/SKILL.md +403 -0
- package/skills/quantum-migration-planner/SKILL.md +105 -0
- package/skills/rag-poisoning-specialist/SKILL.md +367 -0
- package/skills/registry-mirror-enforcer/SKILL.md +93 -0
- package/skills/rotation-validation-agent/SKILL.md +121 -0
- package/skills/samm-assessor/SKILL.md +94 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
- package/skills/senior-security-engineer/SKILL.md +178 -0
- package/skills/serialization-memory-attacker/SKILL.md +341 -0
- package/skills/session-timeout-tester/SKILL.md +170 -0
- package/skills/slsa-level3-enforcer/SKILL.md +121 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
- package/skills/ssrf-detection-validator/SKILL.md +117 -0
- package/skills/step-up-auth-enforcer/SKILL.md +93 -0
- package/skills/stride-pasta-analyst/SKILL.md +429 -0
- package/skills/supply-chain-devsecops/SKILL.md +107 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
- package/skills/threat-modeler/SKILL.md +94 -0
- package/skills/tls-certificate-auditor/SKILL.md +582 -18
- package/skills/token-reuse-detector/SKILL.md +104 -0
- package/skills/trike-risk-modeler/SKILL.md +93 -0
- package/skills/unicode-homograph-tester/SKILL.md +93 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
- package/skills/webhook-security-tester/SKILL.md +111 -0
- package/skills/zero-trust-architect/SKILL.md +118 -0
|
@@ -23,6 +23,15 @@ SKILL.md §3, §4, and §7 are the minimum. You go beyond them.
|
|
|
23
23
|
90% fixing — you write the Terraform/Kubernetes/Helm fixes directly.
|
|
24
24
|
Every finding maps to a blast radius: what can an attacker reach if this misconfiguration is exploited?
|
|
25
25
|
|
|
26
|
+
## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
|
|
27
|
+
|
|
28
|
+
As LEAD over the cloud/infra suite, the `infra.ts`, `iac.ts`, `k8s.ts`, `gitops.ts`, and `data-platform.ts` detection modules (`src/gate/checks/infra.ts` et al.) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum, then reason past what single-line/single-file pattern matching can see — and APPLY the fix (Edit the Terraform/Helm/K8s manifest/policy), not just advise:
|
|
29
|
+
|
|
30
|
+
- **Cross-file / cross-finding reasoning the regex can't do:** walk the privilege-escalation graph across files — an `iam:PassRole` in one `.tf` + a permissive trust policy in another + an `automountServiceAccountToken: true` pod spec compose a node-credential-theft chain no single `infra.ts`/`k8s.ts` match sees. Map the full blast radius, not the one-line flag.
|
|
31
|
+
- **Semantic / effective-state analysis:** a `0.0.0.0/0` SG rule may be neutered by a NACL, or an "encrypted" bucket may be readable cross-account via a confused-deputy resource policy; adjudicate the *effective* reachability across IaC + GitOps drift, not the declared intent.
|
|
32
|
+
- **External corroboration:** WebSearch/WebFetch for current cloud-provider advisories, Kubernetes/CRI-O CVEs, CIS Benchmark updates, and HackTricks-Cloud privesc techniques relevant to the detected provider and cluster version.
|
|
33
|
+
- **Apply & prove:** write the hardened Terraform/Rego/manifest inline, re-run the relevant `src/gate/checks/` module as a regression floor, then re-audit semantically; emit the LEARNING SIGNAL per fix and surface trade-offs (e.g. tighter egress vs. operational reachability) with the secure default.
|
|
34
|
+
|
|
26
35
|
## ACTIVATION PROTOCOL
|
|
27
36
|
|
|
28
37
|
1. Call `orchestration.update_agent_status(agentRunId, "cloud-infra-specialist", "running")`
|
|
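Review bot: the new BEYOND THE CHECKS section tells the agent to re-run `src/gate/checks/` modules (`src/gate/checks/infra.ts` et al.) and to "APPLY the fix (Edit the Terraform/Helm/K8s manifest/policy)", but the published package contains only compiled `dist/gate/checks/*.js` (see `package/dist/gate/checks/infra.js`, `iac.js`, `k8s.js`, `gitops.js`, `data-platform.js` in the file list), so the `.ts` paths do not exist at runtime and the regression-floor step cannot be followed as written; point it at the shipped module or at a CLI entry point. Separately, consider having the agent emit the hardened Terraform/Rego/manifest as a diff for PR review rather than editing in place: an unreviewed change to a trust policy, SG rule or NetworkPolicy carries exactly the blast radius the section asks the agent to map, and the "Apply & prove" bullet already requires a regression re-run that a PR gate would provide.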
@@ -61,6 +70,17 @@ Every finding maps to a blast radius: what can an attacker reach if this misconf
|
|
|
61
70
|
- **Terraform state security:** State file location, encryption, access controls — who can read
|
|
62
71
|
the state file can reconstruct all secrets and resource configurations.
|
|
63
72
|
|
|
73
|
+
## BEYOND SKILL.MD — DOMAIN-SPECIFIC THREAT INTELLIGENCE
|
|
74
|
+
|
|
75
|
+
- **CVE-2022-0811 (CRI-O "cr8escape"):** A single `\n` in a pod spec annotation allows container escape to host root. Any cluster running CRI-O < 1.19.6 is fully compromised. Check `kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.containerRuntimeVersion}'` and cross-reference against CRI-O release history.
|
|
76
|
+
- **CVE-2022-3172 (kube-apiserver SSRF):** The aggregated API server accepts redirects to internal endpoints. Attackers can pivot from the API server to EC2 instance metadata (169.254.169.254) or GCP metadata (metadata.google.internal), stealing node IAM credentials. Test with a custom APIService that redirects to IMDS.
|
|
77
|
+
- **CVE-2023-44487 (HTTP/2 Rapid Reset — cloud load balancers):** All major cloud ALBs/NLBs are exposed until the provider patches the underlying Envoy/nghttp2 layer. Application-layer mitigations (request rate limits) do not substitute for infrastructure-layer patches. Verify provider advisory dates against cluster creation/update timestamps.
|
|
78
|
+
- **Confused Deputy via AWS Resource-Based Policies (technique, no single CVE):** Cross-account S3 bucket policies or SNS topic policies that trust `*` with a condition on `aws:SourceAccount` can be bypassed if the trusted account has a confused deputy chain. Map every `Principal: "*"` with conditions using Cloudsplaining or Parlament.
|
|
79
|
+
- **GCP Workload Identity Federation token theft (technique):** If a GCP service account is bound to a Kubernetes service account and the pod runs with `automountServiceAccountToken: true`, the projected OIDC token can be exchanged for a GCP access token by any process in the pod. The token lives in a well-known path (`/var/run/secrets/kubernetes.io/serviceaccount/token`) and is valid for 1 hour. Enumerate with `kubectl get pods -o yaml | grep automountServiceAccountToken`.
|
|
80
|
+
- **AI-era threat — LLM-assisted IAM privilege escalation graph traversal:** Tools like PMapper and Cloudfox now have LLM back-ends that auto-generate multi-hop escalation chains (e.g., `iam:PassRole` → `ec2:RunInstances` → assume admin role) at scale. Assume attackers enumerate your IAM graph in minutes. Every `iam:PassRole` or `iam:CreatePolicyVersion` without a condition must be treated as a critical finding.
|
|
81
|
+
- **Post-quantum threat — Harvest-Now-Decrypt-Later against cloud KMS-wrapped secrets:** AWS KMS, GCP Cloud KMS, and Azure Key Vault all use RSA or ECDH under the hood for key wrapping. Secrets encrypted today with classical key wrapping algorithms will be decryptable once CRQCs arrive (est. 2028-2032). Any secret with a classification lifetime exceeding 5 years must migrate to hybrid ML-KEM (FIPS 203) wrapping now. Inventory long-lived secrets with `aws kms list-keys` + `describe-key` and flag RSA-wrapped data keys.
|
|
82
|
+
- **Supply chain attack via Terraform provider registry (technique):** Malicious or typo-squatted Terraform providers on registry.terraform.io have full access to the runner's environment variables — including cloud credentials injected by CI. Any provider source not on the `hashicorp/` or known-vendor namespace must be reviewed. Pin provider versions with `required_providers` version constraints and verify checksums in `.terraform.lock.hcl`.
|
|
83
|
+
|
|
64
84
|
## PROJECT-AWARE EDGE CASES
|
|
65
85
|
|
|
66
86
|
Derived from detected IaC and cloud configuration:
|
|
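Review bot: the Post-quantum bullet misstates how the managed KMS services wrap data keys. AWS KMS symmetric keys wrap data keys with AES-256-GCM, not RSA or ECDH, so "Inventory long-lived secrets with `aws kms list-keys` + `describe-key` and flag RSA-wrapped data keys" will find nothing; the RSA exposure is confined to asymmetric keys (`KeySpec` of `RSA_*`) and to imported key material, and ML-KEM key wrapping is not a generally available option in these services, so "must migrate to hybrid ML-KEM (FIPS 203) wrapping now" needs a concrete, supported target before it is a mandate. Restate the check as: inventory keys whose `KeySpec` is RSA or ECC, and long-lived secrets that transit classical TLS. Three smaller corrections in the same hunk: CVE-2022-0811 affects CRI-O 1.19 and later (fixed in 1.19.6, 1.20.7, 1.21.6, 1.22.3 and 1.23.2), so "Any cluster running CRI-O < 1.19.6 is fully compromised" is wrong for 1.18 and misses the 1.20 to 1.23 branches, and exploitation requires rights to create a pod with attacker-controlled sysctl values, so "fully compromised" overstates it; "Parlament" should read "Parliament"; and "PMapper and Cloudfox now have LLM back-ends" needs a citation or should be dropped, since the recommendation that follows (treat unconditioned `iam:PassRole` / `iam:CreatePolicyVersion` as critical) stands on its own.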
@@ -83,3 +103,110 @@ If internet permitted:
|
|
|
83
103
|
Write `.mcp/agent-runs/{agentRunId}/infra-findings.json`
|
|
84
104
|
Each finding includes the affected Terraform resource or Kubernetes object, the blast radius,
|
|
85
105
|
the exploit chain, and the fixed code.
|
|
106
|
+
|
|
107
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
108
|
+
```json
|
|
109
|
+
{
|
|
110
|
+
"intelligenceForOtherAgents": {
|
|
111
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
|
|
112
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
|
|
113
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
|
|
114
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
## LEARNING SIGNAL
|
|
120
|
+
|
|
121
|
+
On every finding resolved, emit:
|
|
122
|
+
```json
|
|
123
|
+
{
|
|
124
|
+
"findingId": "FINDING_ID",
|
|
125
|
+
"agentName": "AGENT_NAME",
|
|
126
|
+
"resolved": true,
|
|
127
|
+
"remediationTemplate": "one-line description of what was done",
|
|
128
|
+
"falsePositive": false
|
|
129
|
+
}
|
|
130
|
+
```
|
|
131
|
+
Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
|
|
132
|
+
|
|
133
|
+
---
|
|
134
|
+
|
|
135
|
+
## §EDGE-CASE-MATRIX
|
|
136
|
+
|
|
137
|
+
The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
138
|
+
|
|
139
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
140
|
+
|---|-----------|----------------------|---------------|
|
|
141
|
+
| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
|
|
142
|
+
| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
|
|
143
|
+
| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
|
|
144
|
+
| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
|
|
145
|
+
| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
|
|
146
|
+
|
|
147
|
+
## §TEMPORAL-THREATS
|
|
148
|
+
|
|
149
|
+
Threats materialising in the 2025–2030 window that defences designed today must account for.
|
|
150
|
+
|
|
151
|
+
| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
|
|
152
|
+
|--------|--------------|--------------------------|----------------|
|
|
153
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
|
|
154
|
+
| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
|
|
155
|
+
| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
|
|
156
|
+
| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
|
|
157
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
|
|
158
|
+
|
|
159
|
+
## §DETECTION-GAP
|
|
160
|
+
|
|
161
|
+
What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
162
|
+
|
|
163
|
+
**Standard gaps that MUST be checked:**
|
|
164
|
+
|
|
165
|
+
- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
|
|
166
|
+
- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
|
|
167
|
+
- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
|
|
168
|
+
- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
|
|
169
|
+
- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
|
|
170
|
+
|
|
171
|
+
## §ZERO-MISS-MANDATE
|
|
172
|
+
|
|
173
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
|
|
174
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
175
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
176
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
177
|
+
|
|
178
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
179
|
+
|
|
180
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
181
|
+
```json
|
|
182
|
+
{
|
|
183
|
+
"coverageManifest": {
|
|
184
|
+
"attackClassesCovered": [{ "class": "IAM Privilege Escalation", "filesReviewed": 23, "patterns": ["iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy"], "result": "CLEAN" }],
|
|
185
|
+
"filesReviewed": 23,
|
|
186
|
+
"negativeAssertions": ["IAM PassRole without condition searched across 23 Terraform files — 0 matches"],
|
|
187
|
+
"uncoveredReason": {}
|
|
188
|
+
}
|
|
189
|
+
}
|
|
190
|
+
```
|
|
191
|
+
|
|
192
|
+
## §EDGE-CASE-MATRIX-CLOUD-SUPPLEMENT
|
|
193
|
+
|
|
194
|
+
Cloud-infra-specific attack cases that automated cloud security scanners (Prowler, ScoutSuite, Checkov) universally miss. MANDATORY checks — do not skip.
|
|
195
|
+
|
|
196
|
+
| # | Edge Case | Why Cloud Scanners Miss It | Concrete Test |
|
|
197
|
+
|---|-----------|---------------------------|---------------|
|
|
198
|
+
| 1 | Multi-hop IAM privilege escalation via `iam:PassRole` + `ec2:RunInstances` | Scanners flag individual overpermissive policies; they do not walk the full graph across role boundaries | Run PMapper or Cloudfox against the account; look for any path from a dev/CI principal to `AdministratorAccess` with ≤3 hops |
|
|
199
|
+
| 2 | IMDS v1 exposure inside a container running on EC2/EKS node | Container scanners check the image; network-layer IMDSv1 access from any pod on the node is invisible to them | From a busybox pod, `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/`; if it returns credentials, IMDSv2 is not enforced at the node level |
|
|
200
|
+
| 3 | Terraform state file in an S3 bucket with `versioning=disabled` and `acl=private` but no bucket policy denying cross-account access | Checkov checks encryption and versioning separately; cross-account confused-deputy access via resource policies is not modelled | Enumerate the state bucket's resource policy and check for `Principal: "*"` or any cross-account principal; attempt `s3:GetObject` from a different account with a condition mismatch |
|
|
201
|
+
| 4 | Ephemeral cloud credential exfiltration via environment variable injection into CI runners | SAST tools scan application code, not CI pipeline YAML; injected environment variables leave no artefact in the application repo | Search `.github/workflows/`, `.gitlab-ci.yml`, `buildspec.yml` for `env:` blocks that print or log `AWS_*` / `GOOGLE_*` / `AZURE_*` variable names; check runner logs for credential echo |
|
|
202
|
+
| 5 | VPC security group "last-writer-wins" race during auto-scaling group launch | Static IaC scanners see the intended rules; a race between the ASG launch hook and a separate automation job can temporarily open 0.0.0.0/0 on a newly launched instance before the hook completes | Review ASG launch lifecycle hooks; check CloudTrail for `AuthorizeSecurityGroupIngress` events within 60 seconds of `EC2 Instance Launch` events on the same instance ID |
|
|
203
|
+
|
|
204
|
+
## §DETECTION-GAP-CLOUD-SUPPLEMENT
|
|
205
|
+
|
|
206
|
+
Cloud-infra-specific monitoring gaps that CloudTrail / AWS Security Hub / GCP Security Command Center / Azure Defender CANNOT detect by default, and what to build to close each gap.
|
|
207
|
+
|
|
208
|
+
- **Cross-account assume-role chaining**: CloudTrail logs each `AssumeRole` call in the account where it originates, but does not automatically correlate a chain of three accounts (A → B → C). An attacker pivoting across accounts appears as three separate, low-signal events. Need: cross-account CloudTrail aggregation in a security lake (S3 + Athena), with a query that joins `AssumeRole` events on `responseElements.credentials.accessKeyId` across accounts within a 5-minute window.
|
|
209
|
+
- **Terraform state reads by non-CI principals**: S3 `GetObject` on state bucket paths is a legitimate CI operation; reads by human IAM principals or non-pipeline roles are invisible without a bucket-level data event filter. Need: enable S3 data event logging for the state bucket and alert on `GetObject` events where the `userIdentity.type` is not `AssumedRole` with the expected CI role ARN.
|
|
210
|
+
- **GKE/EKS node instance metadata abuse from within a pod**: The kubelet network policy blocks pod-to-API-server direct access, but not pod-to-node-IMDS unless a `NetworkPolicy` or IMDSv2 hop-limit of 1 is enforced. No pod-level log event is emitted when the metadata endpoint is reached. Need: enforce `HttpPutResponseHopLimit: 1` on all EC2 launch templates; on GKE, enable `--metadata-concealment` and alert on `metadata.google.internal` DNS queries from the pod CIDR in VPC Flow Logs.
|
|
211
|
+
- **Long-lived IAM access keys never rotated**: IAM access key age is visible via `iam:ListAccessKeys`, but Security Hub's finding for keys older than 90 days fires only once and is not re-fired if the finding is suppressed. Need: a scheduled Lambda or Step Function that re-evaluates key age daily and creates a new CRITICAL finding (not just updates) if the key crosses 180 days, bypassing suppression logic.
|
|
212
|
+
- **Workload Identity / IRSA token replay across pod restarts**: The projected OIDC token for a Kubernetes service account bound to a cloud IAM role is valid for up to 1 hour. If a pod is compromised and the token is exfiltrated, the cloud provider cannot distinguish legitimate from replayed token exchanges — both look like valid OIDC federation events. No alert fires. Need: monitor cloud IAM token exchange events (`sts:AssumeRoleWithWebIdentity` on AWS, `generateIdToken` on GCP) for the same Kubernetes service account appearing from more than one source IP within the token validity window.
|
|
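Review bot: §EDGE-CASE-MATRIX and §DETECTION-GAP in this hunk are generic web-application content (stored payloads, Unicode homoglyphs, polyglot SQL/XSS/SSTI, OOB callbacks, credential stuffing) marked "MANDATORY checks — do not skip" inside the cloud-infra specialist, where they have no Terraform or Kubernetes target and will consume coverage budget that §ZERO-MISS-MANDATE then forces the agent to account for; since `package/skills/_TEMPLATE/SKILL.md` is new in this release, move the shared blocks (these two sections, `intelligenceForOtherAgents`, LEARNING SIGNAL) there once and keep only the -CLOUD-SUPPLEMENT tables in this file. Technical corrections in the cloud supplement: `HttpPutResponseHopLimit: 1` alone does not enforce IMDSv2 (`HttpTokens: required` does), and the hop limit only stops bridged-network containers, not `hostNetwork: true` pods, so both row 2 of the matrix and the §DETECTION-GAP-CLOUD-SUPPLEMENT fix should name both settings; "The kubelet network policy blocks pod-to-API-server direct access" is not true of any default cluster and should be removed; GKE metadata concealment is deprecated in favour of Workload Identity (`--workload-metadata=GKE_METADATA` on the node pool), so `--metadata-concealment` is the wrong remediation; and alerting on "the same Kubernetes service account appearing from more than one source IP within the token validity window" fires on every multi-replica Deployment because replicas share the KSA, so compare against the expected replica count (or the pod-specific claims in bound service account tokens) rather than a flat one-IP rule.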
@@ -24,6 +24,15 @@ Produce a complete risk register with SLA deadlines per §20.
|
|
|
24
24
|
Identify any finding that blocks release.
|
|
25
25
|
Covers §20, §22C-E, and §24 fully.
|
|
26
26
|
|
|
27
|
+
## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
|
|
28
|
+
|
|
29
|
+
The full suite of detection modules in `src/gate/checks/` (especially `secrets.ts`, `auth-deep.ts`, `dependencies.ts`, and `crypto.ts`) is the evidence source you map controls onto — your deterministic floor, not your ceiling. Treat their finding IDs as the raw material for the risk register, then reason past what single-line/single-file pattern matching can see to produce audit-grade evidence and catch control gaps no single check encodes — and APPLY the fix (Edit the policy/logging/control), not just advise:
|
|
30
|
+
|
|
31
|
+
- **Cross-file / cross-finding reasoning the regex can't do:** turn raw findings into multi-framework gaps — a `dependencies.ts` unpatched-CVE finding becomes a simultaneous PCI 6.3.3 + SOC 2 CC7.1 failure; a `secrets.ts` long-lived compliance API token becomes the CC6.1 over-privilege gap that destroys the audit trail when abused.
|
|
32
|
+
- **Semantic / effective-state analysis:** verify *operating* effectiveness, not just *design* — trace whether every PHI-touching path from the appsec findings actually writes an audit log (§164.312(b)), whether consent/audit tables are append-only, and whether retention is enforced in code, not just policy.
|
|
33
|
+
- **External corroboration:** WebSearch/WebFetch for EPSS/CVE currency, CISA KEV, FIPS 203/204/205 PQC migration, and EU AI Act / EO 14028 SBOM mandates relevant to the in-scope frameworks.
|
|
34
|
+
- **Apply & prove:** write the control/PoC/evidence inline (per §POC-REQUIREMENT), re-run the relevant `src/gate/checks/` modules as a regression floor, then re-audit semantically; emit the LEARNING SIGNAL per fix and surface trade-offs (e.g. release-block vs. compensating control + SLA) with the secure default.
|
|
35
|
+
|
|
27
36
|
## EXECUTION
|
|
28
37
|
|
|
29
38
|
1. Read ALL findings files: appsec, infra, supply-chain, ai, mobile, crypto, pentest
|
|
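Review bot: "APPLY the fix (Edit the policy/logging/control), not just advise" in the BEYOND THE CHECKS section gives the compliance/GRC agent write access to the same controls it is producing audit evidence for, which is the segregation-of-duties gap SOC 2 CC6/CC8 and PCI DSS Req 6 reviewers look for first, and it conflicts with the EXECUTION step in the same hunk ("Read ALL findings files") that positions this agent as the consumer of other agents' evidence. Have it emit the proposed control change as a finding carrying `releaseBlock` and an SLA, and route the edit to the owning specialist, so evidence and remediation come from different actors. Same path issue as the cloud-infra skill: `src/gate/checks/` does not ship in the package, only `dist/gate/checks/`.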
@@ -68,6 +77,36 @@ Covers §20, §22C-E, and §24 fully.
|
|
|
68
77
|
- CC8 series: Change Management
|
|
69
78
|
- CC9 series: Risk Mitigation
|
|
70
79
|
|
|
80
|
+
**ISO 27001:2022 Annex A (selected):**
|
|
81
|
+
- A.5.23: Information security for use of cloud services
|
|
82
|
+
- A.8.8: Management of technical vulnerabilities
|
|
83
|
+
- A.8.24: Use of cryptography
|
|
84
|
+
- A.8.26: Application security requirements
|
|
85
|
+
- A.8.28: Secure coding
|
|
86
|
+
- A.8.29: Security testing in development and acceptance
|
|
87
|
+
|
|
88
|
+
**NIST 800-53 Rev 5 (selected control families):**
|
|
89
|
+
- AC: Access Control (AC-2 through AC-25)
|
|
90
|
+
- AU: Audit and Accountability
|
|
91
|
+
- CA: Assessment, Authorization, and Monitoring
|
|
92
|
+
- CM: Configuration Management
|
|
93
|
+
- IA: Identification and Authentication
|
|
94
|
+
- IR: Incident Response
|
|
95
|
+
- SC: System and Communications Protection
|
|
96
|
+
- SI: System and Information Integrity
|
|
97
|
+
|
|
98
|
+
**GDPR Articles relevant to security findings:**
|
|
99
|
+
- Art. 25: Data protection by design and by default
|
|
100
|
+
- Art. 32: Security of processing (pseudonymisation, encryption, resilience)
|
|
101
|
+
- Art. 33: Notification of personal data breach to supervisory authority (72h)
|
|
102
|
+
- Art. 35: Data protection impact assessment (DPIA) for high-risk processing
|
|
103
|
+
|
|
104
|
+
**HIPAA Security Rule safeguards:**
|
|
105
|
+
- §164.312(a)(1): Access control — unique user identification, emergency access, automatic logoff
|
|
106
|
+
- §164.312(b): Audit controls — hardware, software, and procedural mechanisms
|
|
107
|
+
- §164.312(c)(1): Integrity controls — authenticate or verify PHI has not been altered
|
|
108
|
+
- §164.312(e)(1): Transmission security — guard against unauthorized access during transmission
|
|
109
|
+
|
|
71
110
|
## OUTPUT
|
|
72
111
|
|
|
73
112
|
`AgentFinding[]` array enriched with compliance mappings. Also produces:
|
|
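Review bot: the HIPAA Security Rule list omits §164.312(d) Person or entity authentication, the technical safeguard that `auth-deep.ts` findings (weak session handling, missing MFA, credential reuse) map onto; add it between §164.312(c)(1) and §164.312(e)(1). The remaining identifiers check out against their sources (ISO 27001:2022 A.5.23, A.8.8, A.8.24, A.8.26, A.8.28, A.8.29; NIST 800-53 Rev 5 AC-2 through AC-25; GDPR Art. 25, 32, 33 with its 72-hour window, and 35).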
@@ -75,3 +114,395 @@ Covers §20, §22C-E, and §24 fully.
|
|
|
75
114
|
- `complianceMappingTable`: finding ID → all framework controls
|
|
76
115
|
- `releaseBlocked`: boolean
|
|
77
116
|
- `deliverableChecklist`: status of all §24 required outputs
|
|
117
|
+
|
|
118
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
119
|
+
```json
|
|
120
|
+
{
|
|
121
|
+
"intelligenceForOtherAgents": {
|
|
122
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
|
|
123
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
|
|
124
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
|
|
125
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
|
|
126
|
+
}
|
|
127
|
+
}
|
|
128
|
+
```
|
|
129
|
+
|
|
130
|
+
---
|
|
131
|
+
|
|
132
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
133
|
+
|
|
134
|
+
The following checks are REQUIRED in addition to the core framework mapping above.
|
|
135
|
+
Each targets a known blind spot in standard compliance tooling.
|
|
136
|
+
|
|
137
|
+
### 1. PCI DSS 4.0 Req 6.3.3 — Patch Freshness Gap (CVE Correlation Required)
|
|
138
|
+
Standard compliance tools check that a patching *process* exists but do not verify actual patch currency.
|
|
139
|
+
**Attack technique**: Exploitation of known unpatched vulnerabilities within the CDE.
|
|
140
|
+
**Specific check**: For every dependency in `package.json`, `pom.xml`, `go.mod`, and OS package lists,
|
|
141
|
+
cross-reference CVE publication dates against the last applied patch date.
|
|
142
|
+
Any CVE published more than 7 days ago with EPSS ≥ 0.4 and CVSS ≥ 7.0 that remains unpatched = PCI DSS
|
|
143
|
+
Req 6.3.3 failure AND SOC 2 CC7.1 failure simultaneously.
|
|
144
|
+
**Detection**: `npm audit --json | jq '.vulnerabilities | to_entries[] | select(.value.severity=="high" or .value.severity=="critical")'`
|
|
145
|
+
**Finding**: Any result here is a CRITICAL compliance gap with a 24-hour SLA.
|
|
146
|
+
|
|
147
|
+
### 2. GDPR Art. 32 — Pseudonymisation Bypass via Re-identification (AI-Assisted)
|
|
148
|
+
Modern adversaries use LLM-assisted re-identification attacks on "anonymised" datasets.
|
|
149
|
+
A dataset that passes classical k-anonymity checks can be de-anonymised by an LLM correlating
|
|
150
|
+
quasi-identifiers (zip code + age + gender + diagnosis) against public datasets.
|
|
151
|
+
**Attack technique**: LLM-assisted probabilistic re-identification — not covered by any existing GDPR scanner.
|
|
152
|
+
**Specific check**: Identify all data export endpoints and analytics pipelines. For each, determine whether
|
|
153
|
+
the quasi-identifier set (any combination of fields that together narrow population below k=5) is present
|
|
154
|
+
in exported records. Test by constructing a synthetic 5-row dataset with the real schema and running it
|
|
155
|
+
through an open-source re-identification tool (e.g., ARX, sdcMicro).
|
|
156
|
+
**Detection**: `grep -rE "(zip|postal|dob|age|gender|diagnosis|ethnicity)" --include="*.ts" --include="*.py" src/`
|
|
157
|
+
Any endpoint returning 3+ quasi-identifiers without noise injection or suppression = GDPR Art. 32 gap.
|
|
158
|
+
**Finding**: Document as HIGH with GDPR Art. 32 + ISO 27001:2022 A.8.11 citation.
|
|
159
|
+
|
|
160
|
+
### 3. SOC 2 CC6.1 — Broken Access Control via Compliance-Adjacent API Tokens (CWE-284)
|
|
161
|
+
Compliance reporting endpoints (audit log exports, evidence downloaders, SIEM integrations) are often
|
|
162
|
+
granted broad read access and then forgotten. Attackers target these as lateral-movement pivot points.
|
|
163
|
+
**Attack technique**: Abuse of long-lived, over-privileged compliance API tokens to exfiltrate all audit
|
|
164
|
+
logs and evidence packages — a data breach that simultaneously destroys the evidence trail.
|
|
165
|
+
**Specific check**: Enumerate all service accounts, API keys, and OAuth clients used by compliance tooling.
|
|
166
|
+
Verify: (a) scope is least-privilege, (b) tokens rotate within 90 days, (c) tokens are stored in secrets manager
|
|
167
|
+
not in `.env` files or CI environment variables in plaintext.
|
|
168
|
+
**Detection**: `grep -rE "(COMPLIANCE|AUDIT|SIEM|SPLUNK|DATADOG)_TOKEN|_API_KEY" .env* .github/workflows/ --include="*.yml"`
|
|
169
|
+
Any plaintext token = CRITICAL. Any token with >90-day rotation = HIGH (SOC 2 CC6.1, PCI DSS Req 8.3.9).
|
|
170
|
+
|
|
171
|
+
### 4. NIST 800-53 CA-7 — Continuous Monitoring Gaps Exposed by Supply Chain Compromise
|
|
172
|
+
The SolarWinds/XZ-utils class of attacks exploits a gap between what compliance frameworks require
|
|
173
|
+
("perform continuous monitoring") and what organisations actually monitor (build artefacts at rest, not
|
|
174
|
+
the build *process* itself).
|
|
175
|
+
**Specific technique**: A malicious contributor modifies a build script or test helper that is never scanned
|
|
176
|
+
because it is not in the "production code" scope defined by compliance tools.
|
|
177
|
+
**Specific check**: Extend the monitoring scope to ALL files that influence the build output, including
|
|
178
|
+
`.github/workflows/`, `Makefile`, `scripts/`, `jest.config.js`, `vite.config.ts`, and any pre/post-install
|
|
179
|
+
hooks in `package.json`. Compute SHA-256 of every such file and compare against the last known-good commit.
|
|
180
|
+
**Detection**: `git log --all --format="%H %ae %s" -- .github/workflows/ scripts/ Makefile | head -50`
|
|
181
|
+
Any commit by an author not in CODEOWNERS for that path = HIGH (NIST CA-7, ISO 27001 A.8.8).
|
|
182
|
+
**Supply chain emerging threat**: This class of attack is accelerating — CISA AA24-166A (2024) documents
|
|
183
|
+
7 confirmed campaigns targeting CI/CD pipelines. Treat any unexplained workflow change as CRITICAL until proven safe.
|
|
184
|
+
|
|
185
|
+
### 5. HIPAA §164.312(b) — Audit Log Completeness Verification (Often Attestation-Faked)
|
|
186
|
+
Many organisations attest to audit logging but have silent gaps: database direct-access paths,
|
|
187
|
+
admin panels that bypass the ORM, and async job runners that share a service account.
|
|
188
|
+
**Specific check**: For every PHI-touching code path identified by appsec-agent, confirm a corresponding
|
|
189
|
+
audit log write exists. Use code coverage tracing: instrument the audit-write function and run the test suite.
|
|
190
|
+
Any PHI read/write that does not trigger the audit log = HIPAA §164.312(b) violation.
|
|
191
|
+
**Detection**: `grep -rn "PHI\|patientId\|mrn\|ssn\|dob" --include="*.ts" --include="*.py" src/ | grep -v "audit\|log\|emit"`
|
|
192
|
+
Any match where the surrounding function lacks an explicit audit call = CRITICAL compliance finding.
|
|
193
|
+
**Test**: Write a synthetic integration test that reads a PHI record and then asserts the audit log table has a
|
|
194
|
+
new entry with the correct userId, resourceType, resourceId, and timestamp. Failure = HIPAA gap.
|
|
195
|
+
|
|
196
|
+
### 6. Post-Quantum Readiness — NIST FIPS 203/204/205 Migration Gap Assessment
|
|
197
|
+
The NIST post-quantum cryptography standards were finalised in August 2024 (FIPS 203 ML-KEM,
|
|
198
|
+
FIPS 204 ML-DSA, FIPS 205 SLH-DSA). Compliance frameworks have not yet mandated migration,
|
|
199
|
+
but harvest-now-decrypt-later attacks are active today against long-lived regulated data (health records,
|
|
200
|
+
financial transaction histories, government records).
|
|
201
|
+
**Specific check**: Inventory every RSA and ECDSA key in use. Classify by data sensitivity and retention period.
|
|
202
|
+
Any key protecting data with a retention period beyond 2030 must have a documented PQC migration plan.
|
|
203
|
+
**Detection**: `grep -rE "(RSA|ECDSA|secp256|P-256|rsa2048|rsa4096)" --include="*.ts" --include="*.tf" --include="*.yaml" .`
|
|
204
|
+
Also check TLS configurations: `grep -rE "ssl_protocols|TLSv1\.[012]|cipher_suite" nginx.conf* .`
|
|
205
|
+
**Finding**: Document under emerging threat category. Map to NIST SP 800-131A Rev 2 (transitioning to stronger
|
|
206
|
+
cryptographic algorithms), ISO 27001 A.8.24, and ENISA's 2024 post-quantum readiness guidance.
|
|
207
|
+
Any long-lived regulated data protected only by classical crypto = HIGH (escalating to CRITICAL after 2027).
|
|
208
|
+
|
|
209
|
+
### 7. EU AI Act Compliance Gap — High-Risk AI System Classification (Effective 2026)
|
|
210
|
+
The EU AI Act full enforcement begins in 2026. Any AI system used in employment, credit scoring, biometric
|
|
211
|
+
identification, critical infrastructure, or access to essential services falls under "high-risk" obligations
|
|
212
|
+
requiring mandatory conformity assessments, logging, and human oversight mechanisms.
|
|
213
|
+
**Specific check**: Enumerate all AI/ML inference endpoints in the codebase. For each, determine:
|
|
214
|
+
(a) what decision it influences, (b) whether a human can override it, (c) whether all inputs and outputs are
|
|
215
|
+
logged for at least 6 months (Art. 12 logging obligation), (d) whether an accuracy/bias evaluation was performed.
|
|
216
|
+
**Detection**: `grep -rE "(openai|anthropic|bedrock|sagemaker|vertexai|replicate|huggingface)" --include="*.ts" --include="*.py" src/`
|
|
217
|
+
Any LLM inference call that influences a regulated decision without human override capability = HIGH (EU AI Act Art. 9, 12, 14).
|
|
218
|
+
**Emerging threat**: AI-assisted automated compliance attestation — adversaries are using LLMs to generate
|
|
219
|
+
convincing but fraudulent compliance evidence packages. Cross-verify all automatically generated evidence
|
|
220
|
+
against authoritative system-of-record logs.
|
|
221
|
+
|
|
222
|
+
### 8. SBOM Completeness and Integrity — US EO 14028 / EU Cyber Resilience Act
|
|
223
|
+
US Executive Order 14028 and the EU Cyber Resilience Act (CRA, effective 2027 for most products)
|
|
224
|
+
mandate Software Bills of Materials (SBOM) for software sold to or used by regulated entities.
|
|
225
|
+
A missing or incomplete SBOM is itself a compliance violation in the US federal supply chain context.
|
|
226
|
+
**Specific check**: Verify that a CycloneDX or SPDX SBOM exists and is generated automatically in CI/CD.
|
|
227
|
+
The SBOM must include: all direct and transitive dependencies, component hashes, supplier information,
|
|
228
|
+
and licence identifiers. Verify it is signed (SLSA L2+) and published as a release artefact.
|
|
229
|
+
**Detection**: Check `.github/workflows/` for SBOM generation step. Check releases for `sbom.cyclonedx.json` or `sbom.spdx.json`.
|
|
230
|
+
`cat .github/workflows/*.yml | grep -i "sbom\|cyclonedx\|syft\|trivy\|grype"`
|
|
231
|
+
**Finding**: Absent or unsigned SBOM = HIGH for US federal supply chain context; MEDIUM for commercial products
|
|
232
|
+
planning EU CRA compliance. Map to NIST SP 800-161 (C-SCRM), EO 14028 Section 4.
|
|
233
|
+
|
|
234
|
+
---
|
|
235
|
+
|
|
236
|
+
## §COMPLIANCE_GAP_ANALYST-CHECKLIST
|
|
237
|
+
|
|
238
|
+
Numbered attack checklist specific to compliance gap analysis. For each item: exact mechanism,
|
|
239
|
+
what to grep/test, and what constitutes a finding.
|
|
240
|
+
|
|
241
|
+
1. **Scope Creep in CDE Definition (PCI DSS Req 12.5.2)**
|
|
242
|
+
Mechanism: Systems added to the network after the last PCI scoping exercise are not included in
|
|
243
|
+
the CDE boundary, leaving them unaudited and uncontrolled.
|
|
244
|
+
Test: Compare current infrastructure inventory (`terraform state list`, `kubectl get nodes --all-namespaces`,
|
|
245
|
+
AWS `ec2 describe-instances`) against the last documented CDE boundary diagram.
|
|
246
|
+
Finding: Any system processing, storing, or transmitting CHD that is absent from the CDE diagram.
|
|
247
|
+
|
|
248
|
+
2. **Audit Log Tampering — Missing Integrity Protection (SOC 2 CC7.2 / NIST AU-9)**
|
|
249
|
+
Mechanism: Audit logs stored in the same data store as application data can be modified or deleted
|
|
250
|
+
by an attacker who achieves application-level access, eliminating evidence of the breach.
|
|
251
|
+
Test: `grep -rn "DELETE FROM.*audit\|TRUNCATE.*audit\|drop.*log" --include="*.sql" --include="*.ts" src/`
|
|
252
|
+
Also verify logs are written to an immutable destination (CloudTrail with Object Lock, Worm-mode S3, Splunk with lockdown).
|
|
253
|
+
Finding: Any code path that can modify audit logs, or any log destination without integrity protection.
|
|
254
|
+
|
|
255
|
+
3. **Orphaned Service Accounts with Elevated Privileges (SOC 2 CC6.2 / ISO 27001 A.8.2)**
|
|
256
|
+
Mechanism: Service accounts created for a feature or integration are not deprovisioned when the feature is removed.
|
|
257
|
+
They accumulate in IAM with their original broad permissions and no active owner.
|
|
258
|
+
Test: `aws iam list-users | jq '.Users[] | select(.PasswordLastUsed == null or (.PasswordLastUsed < "2025-01-01"))'`
|
|
259
|
+
Also cross-reference all service accounts against CODEOWNERS and active application configuration.
|
|
260
|
+
Finding: Any service account unused for >90 days with privileges beyond read-only.
|
|
261
|
+
|
|
262
|
+
4. **Data Retention Policy Not Enforced in Code (GDPR Art. 5(1)(e) / HIPAA §164.530(j))**
|
|
263
|
+
Mechanism: Privacy policies and compliance documents state a retention period (e.g., 7 years for financial,
|
|
264
|
+
6 years for HIPAA), but no automated deletion job or TTL mechanism exists in the codebase.
|
|
265
|
+
Test: `grep -rn "TTL\|expires_at\|deletedAt\|purge\|retention" --include="*.ts" --include="*.py" src/`
|
|
266
|
+
Then confirm a scheduled job exists that enforces the retention window.
|
|
267
|
+
Finding: Any regulated data store (PHI, CHD, PII) without a corresponding automated deletion or archival mechanism.
|
|
268
|
+
|
|
269
|
+
5. **Consent Records Without Tamper-Evident Storage (GDPR Art. 7 / CCPA)**
|
|
270
|
+
Mechanism: Consent is recorded in the same mutable database as application data. If the database is
|
|
271
|
+
compromised or corrupted, consent records can be altered, leaving the organisation unable to prove lawful basis.
|
|
272
|
+
Test: `grep -rn "consent\|gdpr\|opt.?in\|opt.?out" --include="*.ts" --include="*.sql" src/`
|
|
273
|
+
Verify the consent record table has: immutable append-only design, cryptographic hash chain, or external audit log.
|
|
274
|
+
Finding: Any consent table that allows UPDATE or DELETE on existing rows.
|
|
275
|
+
|
|
276
|
+
6. **Cryptographic Algorithm Downgrade in TLS Configuration (PCI DSS Req 4.2.1 / NIST SP 800-52r2)**
|
|
277
|
+
Mechanism: TLS configurations that permit TLS 1.0/1.1 or weak cipher suites (RC4, 3DES, export ciphers)
|
|
278
|
+
remain after a security hardening pass because they are set in infrastructure code not covered by app scans.
|
|
279
|
+
Test: `grep -rE "TLSv1\b|TLSv1\.1|ssl_ciphers.*RC4|ssl_ciphers.*DES|ssl_ciphers.*NULL" nginx.conf* haproxy.cfg* .`
|
|
280
|
+
Also: `nmap --script ssl-enum-ciphers -p 443 <target>` or `testssl.sh <target>`.
|
|
281
|
+
Finding: Any TLS configuration permitting < TLS 1.2 or a NIST-deprecated cipher suite.
|
|
282
|
+
|
|
283
|
+
7. **Missing Business Associate Agreement Coverage (HIPAA §164.308(b))**
|
|
284
|
+
Mechanism: A third-party SaaS vendor receives PHI via API integration, but no Business Associate Agreement
|
|
285
|
+
(BAA) is in place. The organisation believes the vendor's general terms cover this, which they do not.
|
|
286
|
+
Test: Enumerate all outbound API calls from PHI-touching code paths.
|
|
287
|
+
`grep -rn "fetch\|axios\|httpClient\|got(" --include="*.ts" src/ | grep -v test`
|
|
288
|
+
Cross-reference each external domain against the vendor BAA registry.
|
|
289
|
+
Finding: Any external endpoint receiving PHI without a documented, signed BAA on file.
|
|
290
|
+
|
|
291
|
+
8. **Change Management Bypass — Unapproved Production Deployments (SOC 2 CC8.1 / ISO 27001 A.8.32)**
|
|
292
|
+
Mechanism: CI/CD pipeline allows direct push to the main/production branch without a PR approval,
|
|
293
|
+
bypassing the change management controls that auditors rely on to evidence CC8.1.
|
|
294
|
+
Test: `gh api repos/{owner}/{repo}/branches/main/protection` — verify `required_pull_request_reviews.required_approving_review_count >= 1`.
|
|
295
|
+
Also check for admin override bypass: `"enforce_admins": { "enabled": true }`.
|
|
296
|
+
Finding: Any production branch configuration permitting direct push or admin bypass of review requirements.
|
|
297
|
+
|
|
298
|
+
9. **Incomplete Incident Response Documentation (NIST IR-8 / SOC 2 CC7.5)**
|
|
299
|
+
Mechanism: The incident response plan exists as a static document but has never been tested.
|
|
300
|
+
Tabletop exercise records, post-mortems, and escalation contact lists are absent or stale.
|
|
301
|
+
Compliance auditors will ask for evidence of IRP execution, not just the plan.
|
|
302
|
+
Test: `find . -name "incident*" -o -name "postmortem*" -o -name "runbook*" | head -20`
|
|
303
|
+
Verify the most recent incident response exercise was within the past 12 months.
|
|
304
|
+
Finding: Any organisation without documented IRP test within 365 days = SOC 2 CC7.5 gap.
|
|
305
|
+
|
|
306
|
+
10. **Vulnerability Disclosure Policy Absence (ISO 27001:2022 A.8.8 / PCI DSS Req 6.3.1)**
|
|
307
|
+
Mechanism: External researchers who discover vulnerabilities have no responsible disclosure channel.
|
|
308
|
+
Without a VDP, the organisation cannot demonstrate it has a mechanism to receive and act on external
|
|
309
|
+
vulnerability reports — a requirement under ISO 27001:2022 A.8.8 and strongly implied by PCI DSS 6.3.1.
|
|
310
|
+
Test: Check for `/.well-known/security.txt`, `SECURITY.md` in repo root, and a HackerOne/Bugcrowd programme.
|
|
311
|
+
`curl -sI https://<domain>/.well-known/security.txt`
|
|
312
|
+
Finding: Missing security.txt or SECURITY.md = LOW (escalates to MEDIUM if PCI or ISO 27001 certified/in-scope).
|
|
313
|
+
|
|
314
|
+
11. **DPIA Not Conducted for High-Risk Processing (GDPR Art. 35)**
|
|
315
|
+
Mechanism: New product features involving systematic profiling, large-scale processing of special-category
|
|
316
|
+
data, or automated decision-making are shipped without a DPIA, which is a legal requirement under GDPR Art. 35.
|
|
317
|
+
Test: Identify all AI/ML features, profiling pipelines, and large-scale PII processing in the current codebase.
|
|
318
|
+
Cross-reference against the DPIA register in the organisation's privacy management system.
|
|
319
|
+
Finding: Any feature processing special-category data at scale without a documented, approved DPIA.
|
|
320
|
+
|
|
321
|
+
12. **Access Reviews Not Evidenced (SOC 2 CC6.3 / ISO 27001 A.5.18)**
|
|
322
|
+
Mechanism: User access rights are granted but never reviewed. Former employees or role-changed employees
|
|
323
|
+
retain access to sensitive systems. Auditors require periodic access review evidence.
|
|
324
|
+
Test: Pull IAM user list with last-activity date. Cross-reference against HR offboarding records.
|
|
325
|
+
`aws iam generate-credential-report && aws iam get-credential-report | base64 -d | grep -v ",true,"`
|
|
326
|
+
Finding: Any active credentials for accounts inactive >90 days, or no documented quarterly access review.
|
|
327
|
+
|
|
328
|
+
---
|
|
329
|
+
|
|
330
|
+
## §POC-REQUIREMENT
|
|
331
|
+
|
|
332
|
+
For every CRITICAL or HIGH finding in the compliance gap analyst domain:
|
|
333
|
+
|
|
334
|
+
1. **Write the working PoC FIRST** — exact payload, exact request, observed impact.
|
|
335
|
+
Do not write the remediation until the PoC is confirmed to reproduce the issue.
|
|
336
|
+
|
|
337
|
+
2. **Confirm the PoC reproduces the issue** — run it, capture the output, record the exact error or
|
|
338
|
+
data exposure observed.
|
|
339
|
+
|
|
340
|
+
3. **THEN write the fix** — the fix must be specific and implementable, not a generic recommendation.
|
|
341
|
+
|
|
342
|
+
4. **THEN verify the PoC fails against the fix** — re-run the exact same PoC after applying the fix.
|
|
343
|
+
If it still succeeds, the fix is incomplete. Iterate.
|
|
344
|
+
|
|
345
|
+
5. **Record the PoC in findings JSON under `exploitPoC`:**
|
|
346
|
+
```json
|
|
347
|
+
{
|
|
348
|
+
"exploitPoC": {
|
|
349
|
+
"payload": "exact command or request",
|
|
350
|
+
"reproduced": true,
|
|
351
|
+
"impact": "what was observed",
|
|
352
|
+
"fixApplied": "one-line description of the fix",
|
|
353
|
+
"fixVerified": true
|
|
354
|
+
}
|
|
355
|
+
}
|
|
356
|
+
```
|
|
357
|
+
|
|
358
|
+
**PoC skipping = finding severity downgraded to MEDIUM automatically.**
|
|
359
|
+
|
|
360
|
+
No exceptions. Compliance findings without a PoC are treated as hypothetical. Auditors and attackers
|
|
361
|
+
alike need evidence of exploitability to prioritise remediation correctly.
|
|
362
|
+
|
|
363
|
+
Example PoC for audit log deletion bypass (CRITICAL):
|
|
364
|
+
```bash
|
|
365
|
+
# PoC: Direct database DELETE bypasses application-layer audit controls
|
|
366
|
+
psql $DATABASE_URL -c "DELETE FROM audit_logs WHERE user_id = 'attacker-id';"
|
|
367
|
+
# Expected if vulnerable: rows deleted, no counter-entry in audit_logs
|
|
368
|
+
# Expected after fix: permission denied (row-level security) OR compensating log entry created
|
|
369
|
+
```
|
|
370
|
+
|
|
371
|
+
---
|
|
372
|
+
|
|
373
|
+
## §PROJECT-ESCALATION
|
|
374
|
+
|
|
375
|
+
The following conditions require an IMMEDIATE call to `orchestration.update_agent_status` with
|
|
376
|
+
`"status": "CRITICAL_ESCALATION"` before this agent completes. Do not finish the compliance report
|
|
377
|
+
and then escalate — escalate first, then continue.
|
|
378
|
+
|
|
379
|
+
1. **Active data breach indicators**: Any finding that suggests PHI, CHD, or PII has already been
|
|
380
|
+
exfiltrated (e.g., evidence of bulk export from a regulated data store in audit logs, unexpected
|
|
381
|
+
large outbound transfers, credential in public git history with access to production).
|
|
382
|
+
Action: CRITICAL_ESCALATION + alert orchestrator + set `releaseBlocked: true` + flag for IR team.
|
|
383
|
+
|
|
384
|
+
2. **PCI DSS Req 6.4.2 total absence**: No application security assessment of any kind (SAST, DAST,
|
|
385
|
+
manual pentest) has been performed before production for a system in the CDE.
|
|
386
|
+
Action: CRITICAL_ESCALATION — this is a mandatory PCI DSS requirement and its absence means the
|
|
387
|
+
organisation cannot complete a QSA assessment. Block all further deployments to the CDE.
|
|
388
|
+
|
|
389
|
+
3. **HIPAA breach notification trigger**: Any finding that constitutes an "impermissible use or disclosure"
|
|
390
|
+
of PHI under 45 CFR §164.410, including a misconfigured S3 bucket, publicly accessible PHI endpoint,
|
|
391
|
+
or PHI in application logs. HIPAA mandates notification within 60 days; the clock starts at discovery.
|
|
392
|
+
Action: CRITICAL_ESCALATION + immediate legal/compliance team notification + document discovery timestamp.
|
|
393
|
+
|
|
394
|
+
4. **Compliance evidence tampering**: Discovery that audit logs, compliance evidence packages, or SOC 2
|
|
395
|
+
report artefacts have been modified, deleted, or fabricated.
|
|
396
|
+
Action: CRITICAL_ESCALATION — this may constitute fraud. Preserve all evidence in immutable storage
|
|
397
|
+
immediately. Do not modify any files. Notify orchestrator and await human decision.
|
|
398
|
+
|
|
399
|
+
5. **Critical CVE with active exploitation in CDE-adjacent system (EPSS ≥ 0.7, CVSS ≥ 9.0)**:
|
|
400
|
+
A vulnerability matching this profile in a system that touches the CDE creates an imminent breach risk
|
|
401
|
+
that supersedes all other compliance work.
|
|
402
|
+
Action: CRITICAL_ESCALATION + supply CVE ID, affected system, and EPSS score to orchestrator.
|
|
403
|
+
The full agent run must be reprioritised around emergency patching.
|
|
404
|
+
|
|
405
|
+
6. **Post-quantum harvest-now attack evidence**: Discovery that long-lived regulated data (>2030 retention)
|
|
406
|
+
is protected only by RSA or ECDSA, AND there is evidence in network logs of unusual bulk data access
|
|
407
|
+
patterns (potential harvest-now-decrypt-later exfiltration).
|
|
408
|
+
Action: CRITICAL_ESCALATION — while not yet decryptable, the data may already be in adversary hands.
|
|
409
|
+
Flag for immediate key rotation and data re-encryption planning.
|
|
410
|
+
|
|
411
|
+
7. **AI Act high-risk system deployed without conformity assessment (EU operations)**:
|
|
412
|
+
Any AI system making automated decisions in employment, credit, or law enforcement contexts that is
|
|
413
|
+
deployed in the EU without a mandatory conformity assessment completed.
|
|
414
|
+
Action: CRITICAL_ESCALATION — this is a regulatory deployment violation, not just a gap. May require
|
|
415
|
+
immediate suspension of the AI feature to avoid enforcement action.
|
|
416
|
+
|
|
417
|
+
8. **SBOM integrity failure — tampered dependency hash**:
|
|
418
|
+
A dependency hash in the SBOM does not match the hash of the installed package in `node_modules`
|
|
419
|
+
or the equivalent. This is the signature of a supply chain compromise (XZ-utils class).
|
|
420
|
+
Action: CRITICAL_ESCALATION + quarantine affected build environment + do not deploy.
|
|
421
|
+
Treat as active supply chain incident until proven otherwise.
|
|
422
|
+
|
|
423
|
+
---
|
|
424
|
+
|
|
425
|
+
## §EDGE-CASE-MATRIX
|
|
426
|
+
|
|
427
|
+
The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
428
|
+
|
|
429
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
430
|
+
|---|-----------|----------------------|---------------|
|
|
431
|
+
| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
|
|
432
|
+
| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
|
|
433
|
+
| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
|
|
434
|
+
| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
|
|
435
|
+
| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
|
|
436
|
+
|
|
437
|
+
---
|
|
438
|
+
|
|
439
|
+
## §TEMPORAL-THREATS
|
|
440
|
+
|
|
441
|
+
Threats materialising in the 2025–2030 window that defences designed today must account for.
|
|
442
|
+
|
|
443
|
+
| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
|
|
444
|
+
|--------|--------------|--------------------------|----------------|
|
|
445
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
|
|
446
|
+
| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
|
|
447
|
+
| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
|
|
448
|
+
| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
|
|
449
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
|
|
450
|
+
|
|
451
|
+
---
|
|
452
|
+
|
|
453
|
+
## §DETECTION-GAP
|
|
454
|
+
|
|
455
|
+
What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
456
|
+
|
|
457
|
+
**Standard gaps that MUST be checked:**
|
|
458
|
+
|
|
459
|
+
- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
|
|
460
|
+
- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
|
|
461
|
+
- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
|
|
462
|
+
- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
|
|
463
|
+
- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
|
|
464
|
+
|
|
465
|
+
**Compliance-domain-specific detection gaps:**
|
|
466
|
+
|
|
467
|
+
- **Regulatory scope drift**: New infrastructure deployed outside the original compliance scope is not automatically added to monitoring. Need: automated asset discovery reconciled against compliance scope definitions on every deployment.
|
|
468
|
+
- **BAA/DPA coverage lapses**: A third-party vendor updates their terms, invalidating the existing BAA or DPA, without notifying the customer. Need: scheduled legal review trigger + vendor change notification monitoring.
|
|
469
|
+
- **Access review evidence gaps**: Access reviews are performed but not documented in the format auditors require. Need: automated evidence collection that captures reviewer identity, review date, and disposition for every account reviewed.
|
|
470
|
+
|
|
471
|
+
---
|
|
472
|
+
|
|
473
|
+
## §ZERO-MISS-MANDATE
|
|
474
|
+
|
|
475
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
|
|
476
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
477
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
478
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
479
|
+
|
|
480
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
481
|
+
|
|
482
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
483
|
+
```json
|
|
484
|
+
{
|
|
485
|
+
"coverageManifest": {
|
|
486
|
+
"attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
|
|
487
|
+
"filesReviewed": 47,
|
|
488
|
+
"negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
|
|
489
|
+
"uncoveredReason": {}
|
|
490
|
+
}
|
|
491
|
+
}
|
|
492
|
+
```
|
|
493
|
+
|
|
494
|
+
---
|
|
495
|
+
|
|
496
|
+
## LEARNING SIGNAL
|
|
497
|
+
|
|
498
|
+
On every finding resolved, emit:
|
|
499
|
+
```json
|
|
500
|
+
{
|
|
501
|
+
"findingId": "FINDING_ID",
|
|
502
|
+
"agentName": "compliance-gap-analyst",
|
|
503
|
+
"resolved": true,
|
|
504
|
+
"remediationTemplate": "one-line description of what was done",
|
|
505
|
+
"falsePositive": false
|
|
506
|
+
}
|
|
507
|
+
```
|
|
508
|
+
Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
|
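Review bot: several Detection/Test commands in this hunk do not implement the rule written beside them, so the agent will report wrong findings. In checklist item 12, `aws iam get-credential-report | base64 -d | grep -v ",true,"` discards every row that contains any `true` column (password_enabled, mfa_active, access_key_1_active and so on), which is nearly every live user, rather than selecting accounts inactive for 90 days; parse the CSV and compare `password_last_used`, `access_key_1_last_used_date` and `access_key_2_last_used_date` against the cutoff. Item 3 has the mirror-image problem: `select(.PasswordLastUsed == null or (.PasswordLastUsed < "2025-01-01"))` looks at console passwords, but service accounts authenticate with access keys, so `PasswordLastUsed` is null for exactly the accounts the item is hunting, and the hard-coded date should be computed as today minus 90 days. In expansion 5, `grep -v "audit\|log\|emit"` filters individual lines, not the enclosing function, and `log` also drops lines containing `login`, `catalog` or `blog`; the synthetic integration test described two lines later is the real check, so make that the Detection and keep the grep as a triage hint. Expansion 6 conflates signing with encryption: harvest-now-decrypt-later needs captured ciphertext plus a key-agreement or key-transport secret a CRQC could recover, so `ECDSA|secp256|P-256` signing keys add nothing to that risk; scope the inventory to RSA key transport, classical (EC)DHE in TLS and asymmetric encryption of stored data, and track signature keys under a separate authenticity migration. Expansion 1 labels any high/critical CVE unpatched for more than 7 days a "PCI DSS Req 6.3.3 failure", but 6.3.3 requires critical/high patches within one month of release; keep the 7-day EPSS rule as the project's own gate and cite 6.3.3 only once the one-month window has passed, noting that `npm audit --json` exposes severity but neither EPSS nor publication date, so it cannot evaluate the stated rule on its own. Two smaller points: the §POC-REQUIREMENT example runs `DELETE FROM audit_logs` against `$DATABASE_URL`, so wrap it in `BEGIN; ... ROLLBACK;` or point it at a copy so that proving the gap does not itself destroy audit evidence; and in §PROJECT-ESCALATION item 3, 45 CFR §164.410 is the business-associate notification rule, while the breach definition is §164.402 and the 60-day individual notification deadline is §164.404.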