Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
* @Coding-Autopilot-System/core
10 changes: 10 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
groups:
github-actions:
patterns:
- "*"
13 changes: 7 additions & 6 deletions .github/pull_request_template.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
# Summary
## Description
<!-- Describe your changes -->

## Checklist
- [ ] Docs updated
- [ ] Diagrams updated
- [ ] Evidence links updated
- [ ] Security impact assessed
## SDLC Verification
- [ ] Code follows CAS architecture (`AGENTS.md`)
- [ ] Tested via `gsd-verify-work`
- [ ] No embedded secrets or credentials
- [ ] Passed `gsd-code-review`
29 changes: 29 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: "CodeQL"
on:
push:
branches: [ "main", "master" ]
pull_request:
branches: [ "main", "master" ]
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'javascript' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
36 changes: 36 additions & 0 deletions .github/workflows/pages.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
name: Deploy Pages
on:
push:
branches:
- main
- master
Comment on lines +3 to +6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Avoid adding a second Pages deploy on main pushes

On main, this new workflow is triggered by the same event as the existing Pages workflow in .github/workflows/static.yml, and both upload/deploy to the github-pages environment with the same pages concurrency group. When a push lands, whichever workflow runs last can overwrite the other artifact (docs vs ./site), so the published site can flip between the old static HTML and the MkDocs build; remove or retarget one of the deploy workflows.

Useful? React with 👍 / 👎.

permissions:
contents: read
pages: write
id-token: write
concurrency:
group: "pages"
cancel-in-progress: false
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: 3.x
- run: pip install mkdocs-material
- run: mkdocs build
- uses: actions/upload-pages-artifact@v3
with:
path: ./site
deploy:
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest
needs: build
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
15 changes: 15 additions & 0 deletions .github/workflows/pr-lint.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
name: "PR Lint"
on:
pull_request_target:
types:
- opened
- edited
- synchronize
jobs:
main:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@v5
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
15 changes: 15 additions & 0 deletions .github/workflows/stale.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
name: "Close stale issues and PRs"
on:
schedule:
- cron: "30 1 * * *"
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v8
with:
days-before-stale: 60
days-before-close: 7
stale-issue-message: "This issue is stale because it has been open 60 days with no activity."
stale-pr-message: "This PR is stale because it has been open 60 days with no activity."
operations-per-run: 50
14 changes: 14 additions & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-merge-conflict
- id: check-yaml
- id: check-json
- id: check-added-large-files
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.2
hooks:
- id: gitleaks
3 changes: 3 additions & 0 deletions AGENTS.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# Context

See the root workspace [AGENTS.md](../../AGENTS.md).
33 changes: 33 additions & 0 deletions CLAUDE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# cloud-security-service-model

Enterprise cloud security operating model documentation — a comprehensive, audit-ready security framework for Azure hybrid environments. This is a **docs-only repo** (Markdown, Mermaid diagrams, HTML). No application code.

## What's Here

| Directory | Content |
|---|---|
| `docs/01–19` | Core service model docs: definition, catalog, architecture principles, governance, metrics, operating model, incident response, vulnerability management, access management, data protection, DevSecOps |
| `docs/20-runbooks/` | Operational runbooks (incident triage, vuln response, policy drift, break-glass access, Sentinel tuning) |
| `docs/21-templates/` | Reusable templates (change request, exception, incident report, postmortem, KPI dashboard) |
| `docs/22-diagrams/` | Mermaid source files for all architecture and process diagrams |
| `agile/` | Sprint ceremonies, backlog, OKRs, KPI cadence |
| `impl/azure/sentinel/` | Sentinel playbook examples |

## Conventions

- All diagrams are Mermaid (`.mmd` files in `docs/22-diagrams/`) — they render natively in GitHub
- Template files use `template-` prefix in `docs/21-templates/`
- Runbook files use `rbk-NNN-` prefix
- No code, no builds, no test suites — pure documentation
- `.editorconfig` enforces consistent whitespace

## Editing Rules

- Keep docs enterprise-grade in tone — no toy/demo language
- Update diagrams alongside prose when process flows change
- Run markdownlint (`npx markdownlint-cli docs/`) before committing
- All PRs should use `.github/pull_request_template.md`

## GSD Workflow

Use `/gsd:quick` for doc edits. For large restructures, use `/gsd:plan-phase`.
3 changes: 3 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
# cloud-security-service-model

[![CI](https://github.com/Coding-Autopilot-System/cloud-security-service-model/actions/workflows/ci.yml/badge.svg)](https://github.com/Coding-Autopilot-System/cloud-security-service-model/actions/workflows/ci.yml) [![CodeQL](https://github.com/Coding-Autopilot-System/cloud-security-service-model/actions/workflows/codeql.yml/badge.svg)](https://github.com/Coding-Autopilot-System/cloud-security-service-model/actions/workflows/codeql.yml)
Comment thread
OgeonX-Ai marked this conversation as resolved.


[![CI](https://github.com/Coding-Autopilot-System/cloud-security-service-model/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/Coding-Autopilot-System/cloud-security-service-model/actions/workflows/ci.yml)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)

Expand Down
2 changes: 2 additions & 0 deletions docs/02-service-catalog.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# Service Catalog

## Core services

| Service | Description | Owner | Key Outputs |
| --- | --- | --- | --- |
| Policy-as-Code | Baseline policies and initiatives for Azure and hybrid | Cloud Security Service | Policy initiatives, assignments, compliance reports |
Expand All @@ -10,6 +11,7 @@
| Risk & Audit | Evidence and risk reporting | Service Manager | Risk register, audit evidence packs |

## Optional services

| Service | Description | Trigger |
| --- | --- | --- |
| Configuration Review | Targeted posture review for workloads | Quarterly reviews or upon request |
Expand Down
1 change: 1 addition & 0 deletions docs/05-operating-model.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ See the lifecycle model diagram: [`22-diagrams/security-operating-model.mmd`](22
repeatable controls, and shared accountability.

## Ceremonies and cadence

| Ceremony | Cadence | Owner | Outputs |
| --- | --- | --- | --- |
| Weekly ops review | Weekly | Service Manager | KPI deltas, top risks, open incidents |
Expand Down
3 changes: 3 additions & 0 deletions docs/07-metrics-and-kpis.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# Metrics and KPIs

## KPI catalog

| KPI | Definition | Formula | Data Sources | Target | Owner | Cadence |
| --- | --- | --- | --- | --- | --- | --- |
| Policy compliance % | Percentage of resources compliant with baseline policies | Compliant resources / total in scope | Policy compliance reports | ≥ 95% | Service Manager | Weekly |
Expand All @@ -12,6 +13,7 @@
| Backup restore test success rate | Successful restore tests | Successful tests / total tests | Backup reports | ≥ 95% | Platform Ops | Quarterly |

## SLA/SLO targets (service-level)

| Service area | SLA/SLO | Definition | Target | Owner |
| --- | --- | --- | --- | --- |
| Incident response | SLO | SEV1 acknowledgment time | ≤ 15 minutes | Incident Commander |
Expand All @@ -21,6 +23,7 @@
| Exception handling | SLA | Exception review turnaround | ≤ 10 business days | Risk Owner |

## Sample dashboard (mock)

| Metric | Current | Target | Status |
| --- | --- | --- | --- |
| Policy compliance % | 96.4% | ≥ 95% | On track |
Expand Down
1 change: 1 addition & 0 deletions docs/08-roadmap-and-maturity.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
**Risks:** complacency, reduced focus on hygiene.

## Sample 12-month roadmap

| Quarter | Focus | Key Deliverables |
| --- | --- | --- |
| Q1 | Foundation | Landing zone baseline, policy-as-code MVP, SIEM onboarding |
Expand Down
1 change: 1 addition & 0 deletions docs/11-incident-response.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
Prepare → Detect → Contain → Eradicate → Recover → Learn

## Severity model

| Severity | Description | Example |
| --- | --- | --- |
| SEV1 | Critical impact to multiple services or regulatory exposure | Widespread credential compromise |
Expand Down
1 change: 1 addition & 0 deletions docs/14-vulnerability-management.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
4. Verify fixes and update evidence.

## SLAs

| Severity | Target remediation |
| --- | --- |
| Critical | 7 days |
Expand Down
14 changes: 7 additions & 7 deletions docs/21-templates/template-kpi-dashboard.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,10 @@

| KPI | Current | Target | Owner | Status |
| --- | --- | --- | --- | --- |
| Policy compliance % | | ≥ 95% | Service Manager | |
| MTTR (critical) | | ≤ 7 days | Remediation Lead | |
| TTD | | ≤ 15 min | SecOps | |
| TTC | | ≤ 4 hours | Incident Commander | |
| Privileged access exposure | | 0 standing admins | Identity Lead | |
| Misconfiguration trend | | Decreasing | Service Manager | |
| Backup restore tests | | ≥ 95% | Platform Ops | |
| Policy compliance % | | ≥ 95% | Service Manager | |
| MTTR (critical) | | ≤ 7 days | Remediation Lead | |
| TTD | | ≤ 15 min | SecOps | |
| TTC | | ≤ 4 hours | Incident Commander | |
| Privileged access exposure | | 0 standing admins | Identity Lead | |
| Misconfiguration trend | | Decreasing | Service Manager | |
| Backup restore tests | | ≥ 95% | Platform Ops | |
1 change: 1 addition & 0 deletions docs/21-templates/template-postmortem.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
## What didn’t go well

## Action items

| Action | Owner | Due date | Status |
| --- | --- | --- | --- |

Binary file added docs/adr/README.md
Binary file not shown.
81 changes: 81 additions & 0 deletions docs/architecture.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
# Cloud Security Service Architecture

The Cloud Security Service is designed to provide a comprehensive, scalable, and measurable security posture across Azure and hybrid environments. It leverages cloud-native capabilities integrated with enterprise governance processes.

## High-Level Architecture

The following diagram illustrates the core components and workflow of the Cloud Security Service, showing how platform engineering, security operations, and application teams interact with the controls-as-code foundation.

```mermaid
graph TD
%% Define Styles
classDef consumers fill:#e1f5fe,stroke:#0288d1,stroke-width:2px,color:#000;
classDef core fill:#fff3e0,stroke:#f57c00,stroke-width:2px,color:#000;
classDef governance fill:#e8f5e9,stroke:#388e3c,stroke-width:2px,color:#000;
classDef external fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px,color:#000;

%% Consumers
subgraph Consumers
AppTeams[Application Teams]:::consumers
PlatformEng[Platform Engineering]:::consumers
RiskComp[Risk & Compliance]:::consumers
end

%% Core Services
subgraph CloudSecurityService[Cloud Security Service]
PolicyEngine[Policy Engine<br/>Azure Policy / OPA]:::core
IdentityAccess[Identity & Access<br/>Entra ID / RBAC]:::core
ThreatDetection[Threat Detection<br/>Defender for Cloud]:::core
SIEM[SIEM & Logging<br/>Microsoft Sentinel]:::core
end

%% Governance & Ops
subgraph OperationsAndGovernance[Operations & Governance]
SecOps[Security Operations / SOC]:::governance
IncidentResponse[Incident Response]:::governance
AuditEvidence[Audit & Evidence]:::governance
end

%% External Interfaces
ITSM[ITSM / ServiceNow]:::external

%% Relationships
AppTeams -->|Consume Standards &<br/>Deploy Workloads| PolicyEngine
PlatformEng -->|Build Landing Zones| PolicyEngine
PlatformEng -->|Configure Baselines| IdentityAccess

PolicyEngine -->|Enforce & Audit| AppTeams
IdentityAccess -->|Authenticate & Authorize| AppTeams

AppTeams -->|Logs & Telemetry| SIEM
PolicyEngine -->|Compliance Data| ThreatDetection
ThreatDetection -->|Alerts| SIEM

SIEM -->|Triage & Investigate| SecOps
SecOps -->|Escalate| IncidentResponse
IncidentResponse -->|Tickets / Workflows| ITSM

PolicyEngine -->|Compliance Reports| AuditEvidence
AuditEvidence -->|Review & Attest| RiskComp
```

## Component Details

### 1. Policy Engine (Controls-as-Code)
The policy engine acts as the governance guardrail, continuously evaluating resource configurations against defined security standards (e.g., Azure Policy, OPA). It provides both preventative (deny) and detective (audit) controls.

### 2. Identity & Access
Centralized identity management ensures least privilege access. This includes RBAC definitions, conditional access policies, and identity protection mechanisms.

### 3. Threat Detection
Continuous monitoring of cloud workloads to identify suspicious activities or vulnerabilities. Findings are aggregated and prioritized based on risk context.

### 4. SIEM & Logging
A centralized repository for security logs and telemetry. It correlates events across the environment to surface high-fidelity alerts to the Security Operations Center (SOC).

## Feedback Loops

The architecture incorporates continuous feedback loops:
- **Detection Tuning**: SecOps feedback refines SIEM rules and threat detection thresholds to reduce false positives.
- **Policy Refinement**: Application team feedback on policy friction leads to exception management or policy adjustments.
- **Automated Remediation**: Where possible, alerts trigger automated playbooks to remediate common misconfigurations.
27 changes: 27 additions & 0 deletions docs/index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Cloud Security Service Model

Welcome to the Cloud Security Service Model documentation. This repository defines an
enterprise-grade cloud security operating model for Azure and hybrid environments.
It outlines service scope, governance, controls-as-code, metrics, and measurable outcomes.

## Getting Started for Developers

As a developer or platform engineer, you interact with the Cloud Security Service primarily through:
- **Landing Zones & Policies**: Standardized environments governed by policy-as-code.
- **Identity & Access**: Baseline identity configurations for robust authentication.
- **Monitoring & Logging**: Centralized logging for auditing and incident response.

### Quick Links

- [Architecture Overview](architecture.md) - High-level architecture and logic.
- [Executive Overview](00-executive-overview.md) - Business value and context.
- [Service Definition](01-service-definition.md) - Mission, scope, and interfaces.
- [Operating Model](05-operating-model.md) - How we operate day-to-day.
- [Metrics & KPIs](07-metrics-and-kpis.md) - How we measure success.

## Core Principles

1. **Security as a Service**: We provide security capabilities as consumable services, not just blockers.
2. **Controls-as-Code**: Policies, alerts, and configurations are managed as code for reproducibility and auditability.
3. **Shared Responsibility**: Clear boundaries between what the security service owns and what application teams own.
4. **Audit-Ready by Design**: Continuous compliance monitoring and automated evidence collection.
Loading
Loading