Draft PR #74: feat: Add devopsos scaffold hardening — CIS/STIG/NSA/PSS/E8 infra hardening scaffold
Copilot (AI) changed the title from "[WIP] Add infrastructure hardening standards in the project" to "feat: Add devopsos scaffold hardening — CIS/STIG/NSA/PSS/E8 infra hardening scaffold" on Jul 1, 2026
…selection guide, compliance mapping schema, troubleshooting, ubuntu22-cis controls, asvs-l1 fix
Adds a new devopsos scaffold hardening sub-command that generates production-ready infrastructure hardening configurations across Kubernetes, container runtimes, and OS targets from a single CLI entry point.

New: cli/scaffold_hardening.py
Core scaffold module (~600 lines) with generators for all ten standards:
- compliance-mapping.yaml — rules → framework control IDs (PCI-DSS, HIPAA, NIST 800-53, ISO27001)

Key behaviours:
- --environment production → Kyverno validationFailureAction: Enforce; dev/staging → Audit
- --type kyverno|inspec|checkov|all filters which artifact types are emitted
- devops-os/compliance annotations for GovPilot catalog linking
- compliance-mapping.yaml maps each rule ID to framework control IDs consumed by check_selector.py

Modified: cli/devopsos.py
Imports scaffold_hardening and registers scaffold hardening as a Typer sub-command with all six options (--standard, --type, --output, --compliance-framework, --severity, --environment).

New: docs/devops-os-hardening-sprint.md
Sprint doc covering standards table, CLI design, generated file tree, 4-task implementation plan, testing plan, and effort estimate.

New: tests/test_hardening_scaffold.py
63 unit tests covering every generator, type-filter logic, environment→enforcement-action mapping, and file output correctness.
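The environment→enforcement-action mapping, --type filtering and devops-os/compliance annotation behaviour described in the PR body, as an added example written for this page (not the PR's own cli/scaffold_hardening.py). Rule IDs, control IDs and the mapping table are constructed placeholders; the Kyverno ClusterPolicy shape follows Kyverno's public schema.

```python
# Constructed compliance mapping (placeholder IDs): rule ID -> framework -> control IDs.
COMPLIANCE_MAPPING = {
    "pss-no-privileged-containers": {"PCI-DSS": ["PCI-PLACEHOLDER-1"],
                                     "NIST-800-53": ["NIST-PLACEHOLDER-CM-6"]},
}
# --environment value -> Kyverno validationFailureAction; only production enforces.
ENFORCEMENT_BY_ENV = {"production": "Enforce", "staging": "Audit", "dev": "Audit"}


def enforcement_action(environment: str) -> str:
    """Unknown environments are rejected rather than silently audited."""
    if environment not in ENFORCEMENT_BY_ENV:
        raise ValueError(f"unknown environment: {environment!r}")
    return ENFORCEMENT_BY_ENV[environment]


def select_artifacts(requested: str, available=("kyverno", "inspec", "checkov")) -> tuple:
    """--type kyverno|inspec|checkov|all: 'all' keeps every generator, else exactly one."""
    if requested == "all":
        return tuple(available)
    if requested not in available:
        raise ValueError(f"unknown artifact type: {requested!r}")
    return (requested,)


def kyverno_policy(rule_id: str, environment: str, frameworks: list) -> dict:
    """Build one Kyverno ClusterPolicy as a dict, ready for YAML/JSON dumping."""
    controls = COMPLIANCE_MAPPING.get(rule_id, {})
    # devops-os/compliance annotation: "FRAMEWORK:CONTROL" pairs for catalog linking.
    linked = [f"{fw}:{cid}" for fw in frameworks for cid in controls.get(fw, [])]
    return {
        "apiVersion": "kyverno.io/v1",
        "kind": "ClusterPolicy",
        "metadata": {"name": rule_id, "annotations": {"devops-os/compliance": ",".join(linked)}},
        "spec": {
            "validationFailureAction": enforcement_action(environment),
            "background": True,
            "rules": [{
                "name": rule_id,
                "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
                "validate": {
                    "message": "Privileged containers are disallowed.",
                    # Kyverno conditional anchors: checked only when the field is present.
                    "pattern": {"spec": {"containers": [
                        {"=(securityContext)": {"=(privileged)": "false"}}]}},
                },
            }],
        },
    }
```

A real generator would serialize this dict to YAML per standard and per --type; the point here is that the enforcement action is derived from the environment, never hard-coded.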