Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
133 commits
Select commit Hold shift + click to select a range
de371f4
chore: add skeleton files and requirements
Vishnu2707 Apr 25, 2026
dd24ce0
fix: remove embedded git repo
Vishnu2707 Apr 25, 2026
e872074
Core Structure Created
Vishnu2707 Apr 25, 2026
ee77377
feat: build complete core — scanner engine, 10 rules, API, playbooks,…
Vishnu2707 Apr 25, 2026
053be03
docs: replace ASCII architecture with interactive Mermaid diagram
Vishnu2707 Apr 25, 2026
b31ecb7
feat: Sentinel integration — ingest.py, 4 KQL rules, setup guide (#12)
TFT444 May 2, 2026
d545744
fix: add AZ-STOR-003 compliance mappings, correct NIST control to PR.…
Vishnu2707 May 4, 2026
6c0c58e
docs: add real-world breach scenarios for all 10 starter rules (#15)
TFT444 May 4, 2026
e4382cd
feat: add AZ-KV-002 key vault public access rule and remediation play…
parthrohit22 May 4, 2026
7593ba0
Merge branch 'main' into dev
Vishnu2707 May 4, 2026
0ec2290
Merge remote-tracking branch 'origin/main' into dev
Vishnu2707 May 4, 2026
e8fed83
docs: update README with rule count, roadmap progress and contributors
Vishnu2707 May 4, 2026
35312d4
feat: add network security rules AZ-NET-003 to AZ-NET-010 (#16)
TFT444 May 4, 2026
aee88b2
Merge remote-tracking branch 'origin/main' into dev
Vishnu2707 May 4, 2026
2badbce
Feat/az stor 003 (#21)
ritiksah141 May 5, 2026
1e7a81f
docs: add SOC 2 Type II compliance framework mapping (#33)
TFT444 May 8, 2026
f409b67
Refactor/azure client network methods (#22)
TFT444 May 9, 2026
bb47779
feat: add CI pipeline with 6 automated checks (#34)
ritiksah141 May 9, 2026
0d99e2d
Merge branch 'main' into dev
Vishnu2707 May 9, 2026
46096a6
Merge remote-tracking branch 'origin/main' into dev
Vishnu2707 May 9, 2026
9e5d355
docs: update .github/ISSUE_TEMPLATE/new_rule.md to reflect current co…
Vishnu2707 May 9, 2026
2a5655e
docs: update .github/PULL_REQUEST_TEMPLATE.md to reflect current code…
Vishnu2707 May 9, 2026
57f25a6
docs: update CONTRIBUTING.md to reflect current codebase state
Vishnu2707 May 9, 2026
309deca
docs: update README.md to reflect current codebase state
Vishnu2707 May 9, 2026
693b20c
docs: update compliance/frameworks/iso27001.json to reflect current c…
Vishnu2707 May 9, 2026
c292efc
docs: update compliance/frameworks/nist_csf.json to reflect current c…
Vishnu2707 May 9, 2026
034b9d5
docs: update docs/adding-a-rule.md to reflect current codebase state
Vishnu2707 May 9, 2026
936a7d6
docs: update docs/architecture.md to reflect current codebase state
Vishnu2707 May 9, 2026
3cd0f00
docs: update docs/az-stor-003-test-plan.md to reflect current codebas…
Vishnu2707 May 9, 2026
17c29f4
docs: update docs/azure-setup.md to reflect current codebase state
Vishnu2707 May 9, 2026
6275396
docs: update docs/ci-pipeline.md to reflect current codebase state
Vishnu2707 May 9, 2026
ab16a16
docs: update docs/sentinel-setup.md to reflect current codebase state
Vishnu2707 May 9, 2026
1cd89dd
docs: update sentinel/TEST_PLAN.md to reflect current codebase state
Vishnu2707 May 9, 2026
a2fed2e
docs: update docs/api-reference.md to reflect current codebase state
Vishnu2707 May 9, 2026
98894bc
docs: update docs/rules-reference.md to reflect current codebase state
Vishnu2707 May 9, 2026
fdae7e7
Merge remote-tracking branch 'origin/dev' into dev
Vishnu2707 May 9, 2026
85bbb7f
docs: update README.md for professional open source style
Vishnu2707 May 9, 2026
0643eaf
docs: update CONTRIBUTING.md for professional open source style
Vishnu2707 May 9, 2026
5ebcdd9
docs: update docs/adding-a-rule.md for professional open source style
Vishnu2707 May 9, 2026
eb88659
Merge branch 'main' into dev
Vishnu2707 May 9, 2026
2d230dd
docs: update deployment guide to use Render instead of Azure App Service
Vishnu2707 May 9, 2026
bac6146
Merge remote-tracking branch 'origin/dev' into dev
Vishnu2707 May 9, 2026
d4384fe
feat: add rule AZ-STOR-004 storage account diagnostic logging check (…
SHAURYAKSHARMA24 May 13, 2026
826396a
feat: add rule AZ-IDN-003 Adds scanner rule AZ-IDN-003 detecting Entr…
TFT444 May 13, 2026
cd47b68
feat: add rule AZ-CMP-002 — VM disk not protected by CMK or ADE (#47)
TFT444 May 13, 2026
1efe1f3
Feat/api deployment (#46)
ritiksah141 May 13, 2026
ba6c70c
feat: AZ-NET-011 Network Watcher not enabled in all regions (#42)
emon22-ts May 13, 2026
e7c3487
feat: add AZ-DB-003 PostgreSQL Flexible Server SSL enforcement rule a…
emon22-ts May 16, 2026
024e635
Merge branch 'main' into dev
Vishnu2707 May 16, 2026
bc146ef
[RULE] AZ-CMP-003: VM without endpoint protection installed (#57)
TFT444 May 23, 2026
923cc75
[DOCS] Add OpenShield learning and onboarding portal (#51)
parthrohit22 May 23, 2026
954505c
Merge branch 'main' into dev
Vishnu2707 May 24, 2026
4a2ef01
refactor: reuse database connection per request using Flask g (#41)
safidnadaf May 24, 2026
0e82402
docs: add security policy, issue template, and README badges (#64)
ritiksah141 May 24, 2026
1b25a74
feat: add rule AZ-KV-004 Key Vault purge protection disabled (#55)
aav-wh May 24, 2026
4a1b153
feat: add AZ-STOR-005 geo-redundant storage rule (#74)
SHAURYAKSHARMA24 May 27, 2026
cd339e1
feat: add rule AZ-DB-004 SQL Server firewall allows all Azure service…
aav-wh May 27, 2026
00dad53
docs: add 6 README badges (#79)
ritiksah141 May 28, 2026
d362cc7
feat: add AZ-KV-005 Key Vault certificate expiring within 30 days (#75)
TFT444 May 28, 2026
82efdfb
[RULE] AZ-CMP-004: VM without automatic OS patching enabled (#73)
TFT444 May 28, 2026
1757c84
Merge branch 'main' into dev
Vishnu2707 May 29, 2026
6ff2686
feat: add AI provider abstraction layer for Anthropic, Groq and Gemin…
TFT444 May 29, 2026
5dedde9
Smoke Test Alginment after the recent changes to the Repository causi…
ritiksah141 May 29, 2026
8cf18db
feat: add AZ-IDN-004 PIM not configured for admin roles rule and play…
emon22-ts May 30, 2026
4b2afb5
feat: add AI executive summary and remediation endpoint (#95)
SHAURYAKSHARMA24 May 30, 2026
3636dd7
feat(scanner): add AZ-NET-014 VNet peering gateway transit rule (#94)
aav-wh May 30, 2026
70cb686
feat: add AZ-NET-013 Azure Firewall VNet rule (#99)
SHAURYAKSHARMA24 May 31, 2026
bf82c39
Implement AI Q&A over scan findings (#98)
SHAURYAKSHARMA24 May 31, 2026
9a1f824
Merge branch 'main' into dev
Vishnu2707 May 31, 2026
c0116f8
Feat/CVE correlation (#96)
ritiksah141 Jun 1, 2026
3d17d7b
feat: add RAG powered AI insights layer with Azure security skill emb…
TFT444 Jun 1, 2026
a2263a4
feat: add AZ-NET-012 - NSG flow logs not enabled rule (#76)
safidnadaf Jun 1, 2026
808a9c6
fix: resolve CodeQL warnings in embed.py and test files
Vishnu2707 Jun 1, 2026
c9592c0
Merge branch 'main' into dev
Vishnu2707 Jun 1, 2026
931d32c
feat(frontend): build complete 7-page security dashboard (#111)
vogonPrayas Jun 3, 2026
673511e
Feat/jwt secret prod fail closed (#117)
ritiksah141 Jun 3, 2026
03cd7cb
feat: AI-004 RAG Pipeline - Document Ingestion and Vector Store (#104)
emon22-ts Jun 3, 2026
115320f
Potential fix for pull request finding 'Unused import'
Vishnu2707 Jun 4, 2026
4ad4ceb
feat: add AZ-PQC-001 to AZ-PQC-003 post-quantum cryptography scanner …
Vishnu2707 Jun 4, 2026
6e5e9a4
feat: add PQC compliance mappings, azure client methods and dependencies
Vishnu2707 Jun 4, 2026
83502d9
docs: update README with post-quantum cryptography scanning and rule …
Vishnu2707 Jun 4, 2026
16f7e77
Feat/live data wiring (#122)
ritiksah141 Jun 4, 2026
ffc3652
Feat/decouple CVE enrichment (#127)
ritiksah141 Jun 5, 2026
1e09618
docs: update OpenShield Learn content, navigation, and hosting suppor…
parthrohit22 Jun 5, 2026
c938551
feat(tests): MockAzureClient rule regression test harness — 7 rules o…
TFT444 Jun 5, 2026
cdcbb2b
AZ-IDN-005 to AZ-IDN-009 — Entra ID identity scanner rules (#109)
TFT444 Jun 5, 2026
9da652b
Merge branch 'main' into dev
Vishnu2707 Jun 5, 2026
7dd74b9
Potential fix for pull request finding 'Empty except'
Vishnu2707 Jun 5, 2026
1ba73b1
Potential fix for pull request finding 'Unused variable, import, func…
Vishnu2707 Jun 5, 2026
d537461
Implement threat simulation prompt builder (#138)
TFT444 Jun 13, 2026
852768d
docs: add frontend API validation guide (#134)
SHAURYAKSHARMA24 Jun 13, 2026
42a0399
fix(compliance): align rule reference and framework mappings (#130)
m-khan-97 Jun 13, 2026
d7c59db
feat: implement asynchronous scan execution with background worker (#…
ritiksah141 Jun 13, 2026
6b5b75f
feat(scanner): add AZ-NET-015 public DNS zone enumeration rule (#106)
aav-wh Jun 13, 2026
d37e8dc
fix: scope posture endpoints to latest completed scan (#145)
TFT444 Jun 21, 2026
4abc2d6
Fix: Make Flask app test-safe and run full pytest suite in CI (#143)
emon22-ts Jun 21, 2026
e0512bc
feat: Integrate Azure Offensive Skills and Dynamic AI Grounding (#137)
ritiksah141 Jun 21, 2026
3c951ce
feat(auth): require JWT for GET /api/* endpoints with optional public…
TFT444 Jul 2, 2026
15d0537
fix(scanner): improve AZ-NET-008 with SOC2 mapping and azure_client a…
aav-wh Jul 2, 2026
e137e64
CI: parallel jobs, lint/format gate, security scanning, coverage (#15…
ritiksah141 Jul 6, 2026
cdd5b42
Fix async scan state recovery (#169)
ritiksah141 Jul 8, 2026
82cf855
feat(infra): observability layer — structured logs, request IDs, metr…
SHAURYAKSHARMA24 Jul 8, 2026
b6b312a
fix(compliance): correct duplicate CIS control mappings, TLS version …
TFT444 Jul 8, 2026
c4f7e0a
build(deps): bump react-router (#148)
dependabot[bot] Jul 8, 2026
69d1f5e
build(deps-dev): bump vite (#147)
dependabot[bot] Jul 8, 2026
6f138b2
docs: add Azure scanner validation docs (#142)
parthrohit22 Jul 8, 2026
0abe4bd
Merge branch 'main' into dev
Vishnu2707 Jul 8, 2026
fea9314
fix: disable auto deploy to Render, manual trigger only
Vishnu2707 Jul 8, 2026
0e85ecf
fix: ruff auto fixes
Vishnu2707 Jul 8, 2026
8cd0406
fix: resolve CodeQL high findings - XSS innerHTML, clear text logging…
Vishnu2707 Jul 8, 2026
8becdd1
chore: add CODEOWNERS, issue templates, Docker setup and autonomous C…
Vishnu2707 Jul 8, 2026
7170af4
fix: raise dependency review threshold to critical only
Vishnu2707 Jul 8, 2026
886a283
fix: upgrade vulnerable dependencies flagged by pip-audit and npm audit
Vishnu2707 Jul 8, 2026
1ca80bc
fix: revert dependency review threshold back to high
Vishnu2707 Jul 8, 2026
52ec129
fix: use python:3.11-slim-bookworm base image to reduce Trivy vulnera…
Vishnu2707 Jul 8, 2026
eec36fe
fix: upgrade jaraco.context, transformers and wheel to fix Trivy HIGH…
Vishnu2707 Jul 8, 2026
a0ac0d0
Merge branch 'main' into dev
Vishnu2707 Jul 8, 2026
3443a85
feat(db): implement Alembic migrations (#164)
parthrohit22 Jul 9, 2026
fa6817d
fix: remediate container scan vulnerabilities (#175)
ritiksah141 Jul 11, 2026
418bcba
Reliability fixes: score 500, DB pooling, async CVE enrichment, threa…
TFT444 Jul 11, 2026
b0a57a7
test: add comprehensive validation coverage (#146)
SHAURYAKSHARMA24 Jul 11, 2026
cbb7374
infra 7 : Terraform for Render/Vercel + GitHub OIDC for Azure credent…
TFT444 Jul 12, 2026
c253547
Security hardening: body size limit, Gemini key header, AI rate limit…
TFT444 Jul 12, 2026
d39f270
Infra: add deterministic Render deploy pipeline and separate worker s…
SHAURYAKSHARMA24 Jul 13, 2026
34011ca
Merge branch 'main' into dev
Vishnu2707 Jul 13, 2026
9de0ce3
fix(security): drop credential key_id from AZ-IDN-006 debug logging (…
TFT444 Jul 13, 2026
36a9172
fix(security): resolve all high/critical CodeQL findings (#177, #179,…
TFT444 Jul 13, 2026
9d9399a
fix(security): resolve Semgrep SAST findings (#185)
TFT444 Jul 13, 2026
5e26cf4
feat(pqc): add CBOM endpoint, quantum risk scoring, NCSC and ENISA fr…
Vishnu2707 Jul 14, 2026
df873b6
feat(scanner): add enterprise AKS security rule pack (#189)
TFT444 Jul 15, 2026
6df5918
fix(security): complete #183 XSS and legacy AI key follow-up (#188)
m-khan-97 Jul 15, 2026
43d6c67
docs: add CHANGELOG, API reference, coding standards and OpenSSF gold…
Vishnu2707 Jul 15, 2026
db63f57
Merge remote-tracking branch 'origin/main' into dev
Vishnu2707 Jul 15, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/new_rule.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ assignees: ''
## Rule Details
- Rule ID: AZ-XXX-000
- Severity: HIGH / MEDIUM / LOW
- Category: Storage / Network / Identity / Database / Compute / Key Vault / PostQuantum
- Category: Storage / Network / Identity / Database / Compute / Key Vault / Kubernetes / PostQuantum
- Frameworks: CIS / NIST / ISO 27001 / SOC 2

## What does it detect?
Expand Down
2 changes: 1 addition & 1 deletion .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
## Rule details (if applicable)
- Rule ID: AZ-XXX-000
- Severity: HIGH / MEDIUM / LOW
- Category: Storage / Network / Identity / Database / Compute / Key Vault
- Category: Storage / Network / Identity / Database / Compute / Key Vault / Kubernetes
- Frameworks mapped: CIS / NIST / ISO 27001 / SOC 2

## Testing
Expand Down
6 changes: 6 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,16 +5,22 @@ updates:
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
open-pull-requests-limit: 0

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
open-pull-requests-limit: 0

- package-ecosystem: "npm"
directory: "/frontend"
schedule:
interval: "weekly"
cooldown:
default-days: 7
open-pull-requests-limit: 0
34 changes: 32 additions & 2 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -431,7 +431,16 @@ jobs:
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Install syft
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.46.0
env:
SYFT_VERSION: "1.46.0"
SYFT_SHA256: d654f678b709eb53c393d38519d5ed7d2e57205529404018614cfefa0fb2b5ca
run: |
SYFT_ARCHIVE="syft_${SYFT_VERSION}_linux_amd64.tar.gz"
curl --fail --silent --show-error --location \
--output "$SYFT_ARCHIVE" \
"https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/${SYFT_ARCHIVE}"
echo "${SYFT_SHA256} ${SYFT_ARCHIVE}" | sha256sum --check --strict
sudo tar --extract --gzip --file "$SYFT_ARCHIVE" --directory /usr/local/bin syft

- name: Generate SBOM
run: syft dir:. --source-name openshield --source-version "${{ github.sha }}" -o cyclonedx-json=sbom.cyclonedx.json
Expand Down Expand Up @@ -548,9 +557,27 @@ jobs:
- name: Lint
run: npm run lint

- name: Run aiSettings tests
run: node src/utils/aiApi.test.mjs

- name: Build
run: npm run build

website:
name: Website (script tests)
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Set up Node.js
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: "22"

- name: Run website script tests
run: node website/test_toEmbedUrl.mjs

# ── Enforce branch flow: main may only receive PRs from dev ───────────────
# No-op on dev PRs (step skipped -> job succeeds). To allow hotfixes straight
# to main, widen the condition below to also accept a 'hotfix/*' head branch.
Expand All @@ -575,7 +602,7 @@ jobs:
name: CI Summary
runs-on: ubuntu-latest
needs:
[lint, rule-validation, secret-scan, sast-bandit, sca-pip-audit, sbom, container-scan, backend-tests, frontend, enforce-source-branch]
[lint, rule-validation, secret-scan, sast-bandit, sca-pip-audit, sbom, container-scan, backend-tests, frontend, website, enforce-source-branch]
if: always()
steps:
- name: Build summary
Expand All @@ -589,6 +616,7 @@ jobs:
CONTAINER_SCAN: ${{ needs.container-scan.result }}
BACKEND_TESTS: ${{ needs.backend-tests.result }}
FRONTEND: ${{ needs.frontend.result }}
WEBSITE: ${{ needs.website.result }}
ENFORCE_SOURCE: ${{ needs.enforce-source-branch.result }}
run: |
python3 - <<'PYEOF'
Expand All @@ -604,6 +632,7 @@ jobs:
("Container Scan (Trivy, INFRA 1 pending)", os.environ["CONTAINER_SCAN"]),
("Backend Tests (pytest + coverage)", os.environ["BACKEND_TESTS"]),
("Frontend (lint + build)", os.environ["FRONTEND"]),
("Website (script tests)", os.environ["WEBSITE"]),
("Enforce dev to main source", os.environ["ENFORCE_SOURCE"]),
]

Expand Down Expand Up @@ -654,5 +683,6 @@ jobs:
needs.sbom.result != 'success' ||
needs.backend-tests.result != 'success' ||
needs.frontend.result != 'success' ||
needs.website.result != 'success' ||
needs.enforce-source-branch.result != 'success'
run: exit 1
8 changes: 6 additions & 2 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,12 @@ jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/dependency-review-action@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
with:
fail-on-severity: high
# The wheel omits license metadata, but Microsoft's upstream Azure
# SDK repository licenses this package under MIT:
# https://github.com/Azure/azure-sdk-for-python/blob/main/LICENSE
allow-dependencies-licenses: pkg:pypi/azure-mgmt-containerservice@41.3.0
comment-summary-in-pr: always
13 changes: 6 additions & 7 deletions .github/workflows/deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,6 @@ concurrency:
group: deploy-${{ inputs.environment }}
cancel-in-progress: false

permissions:
contents: read

permissions:
id-token: write
contents: read
Expand All @@ -35,15 +32,15 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Set up Python 3.11
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "3.11"

- name: Cache pip dependencies
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
Expand Down Expand Up @@ -135,6 +132,8 @@ jobs:
echo "API deploy $API_DEPLOY_ID and worker deploy $WORKER_DEPLOY_ID are live at SHA $GITHUB_SHA."

- name: Health gate check
env:
DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
run: |
MAX_RETRIES=5
RETRY_DELAY=15
Expand All @@ -151,7 +150,7 @@ jobs:
echo "Got HTTP $HTTP_STATUS; retrying in ${RETRY_DELAY}s..."
sleep $RETRY_DELAY
done
echo "ERROR: Health gate failed after $MAX_RETRIES attempts on ${{ inputs.environment }}."
echo "ERROR: Health gate failed after $MAX_RETRIES attempts on $DEPLOY_ENVIRONMENT."
exit 1

- name: Run smoke tests against live deployment
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,18 +14,18 @@ jobs:
docker:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: ghcr.io/openshield-org/openshield
tags: |
Expand All @@ -34,7 +34,7 @@ jobs:
type=raw,value=latest,enable={{is_default_branch}}

- name: Build and push
uses: docker/build-push-action@v5
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
with:
context: .
push: true
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,10 @@ jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
- uses: softprops/action-gh-release@v2
- uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
with:
generate_release_notes: true
make_latest: true
11 changes: 10 additions & 1 deletion .github/workflows/sbom-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,16 @@ jobs:
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Install syft
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.46.0
env:
SYFT_VERSION: "1.46.0"
SYFT_SHA256: d654f678b709eb53c393d38519d5ed7d2e57205529404018614cfefa0fb2b5ca
run: |
SYFT_ARCHIVE="syft_${SYFT_VERSION}_linux_amd64.tar.gz"
curl --fail --silent --show-error --location \
--output "$SYFT_ARCHIVE" \
"https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/${SYFT_ARCHIVE}"
echo "${SYFT_SHA256} ${SYFT_ARCHIVE}" | sha256sum --check --strict
sudo tar --extract --gzip --file "$SYFT_ARCHIVE" --directory /usr/local/bin syft

- name: Generate SBOM
env:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/stale.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9
- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
with:
stale-issue-message: 'This issue has been inactive for 30 days and will be closed in 7 days unless there is activity.'
stale-pr-message: 'This PR has been inactive for 14 days. Please update or it will be closed in 7 days.'
Expand Down
116 changes: 116 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,116 @@
# Changelog

All notable changes to OpenShield are documented in this file.

The format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
OpenShield uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### Added

- CBOM endpoints with per-asset quantum risk scoring and migration guidance
- NCSC UK and ENISA post-quantum compliance framework mappings
- Harvest Now Decrypt Later exposure window calculation per cryptographic asset
- Deterministic Render deployment workflow for separate API and worker services
- Terraform configuration for Render, Vercel, and GitHub OIDC

### Fixed

- High-severity CodeQL findings in Python and JavaScript code
- Security findings identified during Semgrep analysis
- Sensitive identity metadata removed from scanner debug logging

### Security

- AI provider errors no longer expose upstream response details
- Request body limits, AI rate limiting, and playbook path validation added
- GitHub Actions dependencies pinned to immutable commit SHAs

## [0.3.0] - 2026-07-08

### Added

- Async scan execution with a background worker and PostgreSQL-backed job queue
- Scan state persistence and Render restart recovery with retry logic
- Structured JSON logging with request correlation via `X-Request-ID`
- Prometheus metrics for HTTP, scan, NVD, and LLM latency
- Separate `/health` liveness and `/ready` readiness probes
- Optional Sentry integration configured through `SENTRY_DSN`
- AZ-IDN-005 to AZ-IDN-009 Entra ID identity scanner rules
- AZ-PQC-001 to AZ-PQC-003 post-quantum cryptography scanner rules
- MockAzureClient offline rule regression test harness
- Azure scanner validation documentation framework
- CODEOWNERS with domain-based reviewer assignment
- Issue templates for bugs, features, and scanner rules
- Docker and Docker Compose support for self-hosted deployment
- Stale issue and pull request management workflow
- Dependency review workflow for high-severity vulnerabilities
- Release workflow triggered by version tags
- Docker image publishing to GHCR on release tags

### Fixed

- Duplicate CIS benchmark mappings across rules that shared control IDs
- TLS version comparison changed from lexicographic to numeric comparison
- Microsoft Graph pagination now follows `nextLink`
- Render automatic deployment replaced with a manual workflow dispatch

### Security

- Unsafe HTML rendering removed from website content updates
- Clear-text logging removed from identity scanner rules
- Vulnerable dependencies upgraded, including cryptography and wheel

## [0.2.3] - 2026-06-28

### Added

- CVE enrichment decoupled from the scan lifecycle into an on-demand endpoint
- OpenShield Learn portal updated with current architecture and rule coverage
- React Router dependency updated to 7.18.0

## [0.2.2] - 2026-06-15

### Added

- Live data wiring between the frontend and backend API
- Seven-page React dashboard for monitoring, discovery, prioritization, scanning, compliance, drift, and AI
- Project website at `openshield-website.vercel.app`
- JWT authentication production hardening

### Fixed

- Mock and demonstration data removed from the frontend
- Dashboard updated to serve persisted scan data end to end

## [0.2.0] - 2026-05-20

### Added

- RAG pipeline with ChromaDB and Azure security knowledge skills
- AI executive summary, prioritization, question answering, and remediation endpoints
- CVE correlation through NVD with CVSS scoring and CISA KEV exploit signals
- AZ-NET-012 to AZ-NET-016 network scanner rules
- AZ-IDN-004 privileged identity management scanner rule
- PostgreSQL-backed asynchronous scan persistence

## [0.1.0] - 2026-05-09

### Added

- Initial OpenShield release
- 20 Azure scanner rules across Storage, Network, Identity, Database, Compute, and Key Vault
- CIS Azure Benchmark, NIST CSF, ISO 27001, and SOC 2 mappings
- Flask REST API with JWT authentication
- CLI remediation playbooks for scanner rules
- Microsoft Sentinel integration with Log Analytics ingestion and KQL rules
- GitHub Actions continuous integration pipeline
- SBOM generation with Syft

[Unreleased]: https://github.com/openshield-org/openshield/compare/v0.3.0...HEAD
[0.3.0]: https://github.com/openshield-org/openshield/releases/tag/v0.3.0
[0.2.3]: https://github.com/openshield-org/openshield/commit/3d6d7cc
[0.2.2]: https://github.com/openshield-org/openshield/commit/9575a33
[0.2.0]: https://github.com/openshield-org/openshield/commit/484eb9b
[0.1.0]: https://github.com/openshield-org/openshield/releases/tag/v0.1.0
Loading
Loading