feat: Add devopsos scaffold hardening — CIS/STIG/NSA/PSS/E8 infra hardening scaffold #74

Draft
chefgs with Copilot wants to merge 7 commits into main from copilot/feature-add-infra-hardening-standards

Conversation

Copilot AI commented Jul 1, 2026


Adds a new devopsos scaffold hardening sub-command that generates production-ready infrastructure hardening configurations across Kubernetes, container runtimes, and OS targets from a single CLI entry point.

New: cli/scaffold_hardening.py

Core scaffold module (~600 lines) with generators for all ten standards:

| Output type | Standards |
| --- | --- |
| Kyverno ClusterPolicy | CIS K8s v1.9 (5 section files), DISA STIG, NSA/CISA, Pod Security Standards, Cosign image signing |
| InSpec profiles | CIS Docker v1.6, CIS RHEL 9, CIS Ubuntu 22.04 (5 controls each) |
| YAML | compliance-mapping.yaml — rules → framework control IDs (PCI-DSS, HIPAA, NIST 800-53, ISO27001) |
| Checkov custom checks | Essential Eight (ASD) |

Key behaviours:

  • --environment production → Kyverno validationFailureAction: Enforce; dev/staging → Audit
  • --type kyverno|inspec|checkov|all filters which artifact types are emitted
  • Every Kyverno policy carries devops-os/compliance annotations for GovPilot catalog linking
  • compliance-mapping.yaml maps each rule ID to framework control IDs consumed by check_selector.py

```bash
# CIS K8s policies, Enforce mode
devopsos scaffold hardening --standard cis-k8s --output hardening/

# All Kyverno policies, Audit mode for staging
devopsos scaffold hardening --standard all --type kyverno --environment staging

# RHEL 9 InSpec profile tagged for PCI-DSS
devopsos scaffold hardening --standard cis-rhel9 --type inspec --compliance-framework pci-dss
```

Modified: cli/devopsos.py

Imports scaffold_hardening and registers scaffold hardening as a Typer sub-command with all six options (--standard, --type, --output, --compliance-framework, --severity, --environment).

New: docs/devops-os-hardening-sprint.md

Sprint doc covering standards table, CLI design, generated file tree, 4-task implementation plan, testing plan, and effort estimate.

New: tests/test_hardening_scaffold.py

63 unit tests covering every generator, type-filter logic, environment→enforcement-action mapping, and file output correctness.
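
The two behaviours that matter most for a reviewer are the environment → enforcement-action mapping and the compliance annotation each Kyverno policy carries. The following is an added illustration of that shape, not the PR's own cli/scaffold_hardening.py; the rule ID, the control mappings, the annotation value format and the privileged-container sample rule are all constructed assumptions.

```python
# Added illustration, not the PR's cli/scaffold_hardening.py. Rule IDs and
# control mappings are constructed sample data.

# Constructed: --environment value -> Kyverno validationFailureAction
ENFORCEMENT_BY_ENV = {"production": "Enforce", "staging": "Audit", "dev": "Audit"}

# Constructed stand-in for compliance-mapping.yaml: rule -> framework control IDs
COMPLIANCE_MAPPING = {
    "no-privileged-containers": {
        "standard": "cis-k8s",
        "frameworks": {"pci-dss": ["2.2"], "nist-800-53": ["CM-6"]},
    },
}


def enforcement_action(environment):
    """Only production enforces. An unknown environment raises instead of
    silently producing an Audit-only policy that someone later assumes is enforced."""
    if environment not in ENFORCEMENT_BY_ENV:
        raise ValueError(f"unknown environment: {environment!r}")
    return ENFORCEMENT_BY_ENV[environment]


def build_cluster_policy(rule_id, environment, framework=None):
    """Build one Kyverno ClusterPolicy dict (a privileged-container check is the
    sample rule). framework=None keeps every mapped framework in the annotation."""
    entry = COMPLIANCE_MAPPING[rule_id]
    frameworks = entry["frameworks"]
    if framework is not None:
        frameworks = {framework: frameworks[framework]}  # KeyError if unmapped
    compliance = ",".join(f"{fw}:{'|'.join(ids)}" for fw, ids in frameworks.items())
    # Kyverno "=(field)" anchor: field may be absent, but if present it must match
    pattern = {"spec": {"containers": [{"=(securityContext)": {"=(privileged)": "false"}}]}}
    return {
        "apiVersion": "kyverno.io/v1",
        "kind": "ClusterPolicy",
        "metadata": {"name": f"{entry['standard']}-{rule_id}",
                     "annotations": {"devops-os/compliance": compliance}},
        "spec": {
            "validationFailureAction": enforcement_action(environment),
            "background": True,
            "rules": [{
                "name": rule_id,
                "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
                "validate": {"message": "Privileged containers are not allowed.",
                             "pattern": pattern},
            }],
        },
    }
```

Serialising the returned dict with PyYAML gives a manifest `kubectl apply` accepts; a test suite like the PR's can assert on the dict directly without touching the filesystem.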

Copilot AI changed the title from "[WIP] Add infrastructure hardening standards in the project" to "feat: Add devopsos scaffold hardening — CIS/STIG/NSA/PSS/E8 infra hardening scaffold" on Jul 1, 2026
Copilot finished work on behalf of chefgs July 1, 2026 11:28
Copilot AI requested a review from chefgs July 1, 2026 11:28
…selection guide, compliance mapping schema, troubleshooting, ubuntu22-cis controls, asvs-l1 fix
Copilot finished work on behalf of chefgs July 5, 2026 09:08

Development

Successfully merging this pull request may close these issues.

[Feature]: Add Infra Hardening Standards in the project