Changes includes for the OpenSSF and backend level additions#211
Merged
Conversation
… compliance mappings, docs
* feat: add sentinel/ingest.py — Log Analytics ingestion via HMAC-SHA256 * feat: add sentinel/__init__.py * feat: add KQL rule — HIGH severity finding detected * feat: add KQL rule — misconfiguration wave detection * feat: add KQL rule — new resource type critical detection * Delete sentinel/rules directory * Create rules * Delete sentinel/rules * Add KQL rule for high severity findings * Add Misconfiguration Wave detection rule * Add KQL rule for persistent misconfiguration detection * Add KQL rule for new critical resource types This rule identifies new resource types with critical findings that have occurred in the last 24 hours, excluding known types from the last 30 days. * Add script to generate test findings in JSON format This script generates test findings related to security compliance and saves them in a JSON file. * Add Sentinel integration test plan and results Added a comprehensive test plan for Sentinel integration, detailing test objectives, results, and acceptance criteria for various KQL rules and data ingestion. * docs: add sentinel integration setup guide Added a comprehensive setup guide for integrating Sentinel with Azure, covering prerequisites, workspace creation, activation, environment variable setup, ingestion, log verification, KQL rules deployment, and incident verification.
* Add az_net_003.py to check NSG rules for port 443 This script detects Network Security Groups (NSGs) with unrestricted inbound access on port 443 and provides remediation guidance. * Add AZ-NET-004 rule for empty NSG detection This script detects Network Security Groups (NSGs) that have no custom security rules configured, providing details for remediation. * Add AZ-NET-005 rule for DDoS protection check This script detects virtual networks in Azure that do not have DDoS protection enabled and provides remediation steps. * feat: add rule AZ-NET-006 — public IP unassociated with any resource This rule detects public IP addresses that are not associated with any resource, providing details for remediation. * feat: add rule AZ-NET-007 — Application Gateway without WAF enabled This rule detects Application Gateways that do not have WAF enabled, logging findings and providing remediation steps. * feat: add rule AZ-NET-008 — load balancer with no backend pool This rule detects load balancers in Azure that are not configured with a backend pool, indicating potential misconfiguration or unnecessary costs. * feat: add rule AZ-NET-009 — VPN gateway using outdated IKE version This script detects VPN gateways using the outdated IKEv1 protocol and provides remediation steps to migrate to IKEv2. * feat: add rule AZ-NET-010 — subnet with no NSG attached This script detects subnets in Azure that do not have a Network Security Group (NSG) attached, logging findings and providing remediation guidance. * feat: add playbook fix_az_net_003.sh This script updates the NSG rule to restrict inbound traffic on port 443 to a specified IP range. * feat: add playbook fix_az_net_004.sh This script adds a default deny-all inbound rule to a specified NSG. * feat: add playbook fix_az_net_005.sh This script enables DDoS protection on a specified virtual network in Azure. It checks for required parameters and provides usage instructions if they are missing. * feat: add playbook fix_az_net_006.sh This script deletes unassociated public IP addresses in Azure. * feat: add playbook fix_az_net_007.sh This script enables WAF on an Application Gateway, ensuring compliance with the AZ-NET-007 rule. * feat: add playbook fix_az_net_008.sh Script to remediate AZ-NET-008 by deleting empty load balancers. * feat:add script to update VPN connection to IKEv2 This script updates a VPN connection to use IKEv2, ensuring compliance with the AZ-NET-009 rule. * feat: add playbook fix_az_net_010.sh This script attaches a specified network security group to a given subnet in a virtual network, ensuring compliance with the AZ-NET-010 rule. * Clarify description and add note for public-facing services Updated the description to clarify the risk of exposing port 443 and added a note regarding public-facing services. * Change severity level from MEDIUM to HIGH * fix: AZ-NET-005 severity changed to LOW — DDoS Standard high cost on small subscriptions * Add note about NetworkManagementClient usage Added a note regarding the creation of NetworkManagementClient directly and suggested a follow-up for consistency. * Add note about NetworkManagementClient usage Added a note regarding the use of NetworkManagementClient and suggested a follow-up for consistency. * Add additional security controls to CIS Azure benchmark * Refine control descriptions in nist_csf.json Updated descriptions for various controls to enhance clarity and specificity regarding remote access management, data protection, and security measures. * fix: add AZ-NET-003 to AZ-NET-010 to ISO27001 compliance framework Updated descriptions for various controls to clarify compliance requirements and improve security guidance. --------- Co-authored-by: Vishnu Ajith <86302373+Vishnu2707@users.noreply.github.com>
* feat: add rule AZ-STOR-003 storage lifecycle policy check * feat: add rule AZ-STOR-003 storage lifecycle policy check
* docs: add SOC 2 Type II compliance framework mapping for all 20 rules Added SOC 2 Type II framework with detailed controls for security measures and compliance requirements. * feat: add soc2 to FRAMEWORK_FILE_MAP in finding.py add soc2.json to FRAMEWORK_FILE_MAP in finding.py * feat: add soc2 to SUPPORTED_FRAMEWORKS in compliance.py Added 'soc2' to the list of supported compliance frameworks. * Add SOC 2 controls for data protection and management
* refactor: add get_virtual_networks() and get_public_ip_addresses() to AzureClient * Refactor DDoS protection check to use azure_client * refactor: AZ-NET-006 now uses azure_client.get_public_ip_addresses()
- Python syntax check on all rule files - Rule structure validation (RULE_ID, SEVERITY, FRAMEWORKS) + RULE_ID uniqueness - Hardcoded credential scan - Playbook existence + bash syntax check for every rule - Compliance JSON validation for all four framework files (inc. soc2.json) - API syntax check - Compliance vs rule cross-reference check - CI summary step with per-check pass/fail table (if: always) - Fix duplicate DESCRIPTION assignment in az_net_003.py - Add pyyaml to requirements.txt for local YAML validation - Add docs/ci-pipeline.md with local run commands and design rationale - Update CI_PIPELINE_GUIDE.md with final PR description Closes #30
…180) (#183) * fix(security): validate embed URLs by origin instead of substring match toEmbedUrl()'s fallback branch used raw.includes(...) to check for a known-safe embed URL, then returned the unvalidated input unmodified. A crafted string containing the substring anywhere could pass the check while breaking out of the iframe's src="..." attribute it gets interpolated into unescaped, injecting arbitrary markup. Validate via new URL(raw).hostname against an exact allowlist instead, and escape the result at every interpolation site as defense in depth. Also escape the two playground select-field values that were concatenated into an HTML-shaped string unescaped. Fixes #179 (CodeQL: DOM text reinterpreted as HTML x3, incomplete URL substring sanitization x1). * fix(security): move AI provider API key to in-memory-only storage A prior fix for this same CodeQL alert removed the localStorage.setItem call for the user's bring-your-own AI provider key but left the getter/isConfigured() reading from the now-permanently-empty key, silently breaking every AI feature (chat, summary, insights, prioritisation all gated behind isConfigured()). Store the key in a module-scoped variable instead of any browser storage. It never survives a page reload (the standard, expected trade-off for a secret that must not persist), but the feature works again and the key is never written to localStorage/sessionStorage. provider/model (not secret) still persist in localStorage as before. Fixes #180 (CodeQL: clear text storage of sensitive information). * fix(security): stop leaking exception details in API error responses Every affected route returned str(exc) (or an f-string embedding it) directly in the JSON response body. Some catch broad `except Exception`, which can surface raw database driver errors, connection details, or internal paths to the client rather than just intentional validation messages. Replace with a fixed, generic message per error class; the existing logger.error(...)/logger.warning(...) calls already capture full detail server-side. In api/routes/ai.py, extract a shared _ai_error_response() helper since the same 3-exception pattern (VectorStoreNotBuilt, ValueError, RuntimeError from get_completion()) repeated verbatim across 4 routes, and add the server-side logging that was missing there entirely. Also fixes an f-string leak in compliance.py's FileNotFoundError handler that the "detail" key search missed. Fixes #177 (CodeQL: information exposure through an exception, all 27 findings across api/app.py and 8 api/routes/ modules). * fix: remove escapeHTML() misapplied to .textContent sinks Self-review caught that the defense-in-depth escapeHTML() calls added for #179 wrapped values assigned via .textContent, not .innerHTML. .textContent never interprets HTML, so escaping there adds no security value while risking visible text corruption (a literal "&" shown on screen) if the underlying value ever contains a special character. toEmbedUrl()'s URL-origin validation is the real, load-bearing fix and is unaffected by this change — it guarantees embedUrl can only ever be '' or a well-formed https://youtube.com|vimeo.com URL regardless of which DOM property ultimately consumes it.
* fix(security): harden workflow shell execution Route deployment inputs through environment variables and replace remote installer pipes with checksum-verified Syft archives. Consolidate workflow permissions so deployment validation can run. Addresses #182. * fix(security): resolve remaining Semgrep findings Pin workflow and browser dependencies, remove unsafe evaluation and dynamic query construction, enforce trusted network destinations, harden local containers, and prevent sensitive JWT error logging. Fixes #182. * style(security): format endpoint validation * fix(security): preserve validated URL suppression
…amework mappings, HNDL exposure window and migration roadmap (#187) Signed-off-by: Vishnu Ajith <27vishnu07@gmail.com>
* feat(scanner): add enterprise AKS security rule pack * style(scanner): format AKS rules * ci: document AKS SDK license exception
Two residual issues from #183's merge, found in post-merge review: - toEmbedUrl() validated the host via new URL() but returned the raw input, so an attribute-injection payload on an allowed host (e.g. https://www.youtube.com/embed/abc" onload="alert(1)) passed validation and kept its literal double-quote, breaking out of the iframe src="..." attribute. Now returns parsed.href, which percent-encodes quotes, spaces, and brackets. - The switch to in-memory key storage removed the localStorage write but never purged keys that older builds had already stored, so existing users kept a plaintext ai_api_key indefinitely. Added a one-time purge on module load (not read into memory) and in clear(). Both fixes ship with regression tests confirmed to fail against the pre-fix code and pass against the fix. Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
… badge compliance (#190)
* Add Semgrep SAST to CI alongside CodeQL * Add non-root USER to Dockerfile to satisfy Semgrep gate * Document Dockerfile hardening intent and Semgrep registry dependency * Remove issue reference from Dockerfile comment
…163) * fix(scanner): resolve COR-001-004 scanner correctness issues (#151) * fix(scanner): normalise Azure SDK enum fields in AZ-NET-003 and AZ-DB-002 Addresses review feedback on PR #163: - Add a shared enum_str() helper in azure_client.py that safely unwraps Azure SDK enum fields via .value, since str(enum_member) yields e.g. 'SecurityRuleDirection.INBOUND' rather than 'Inbound' and silently breaks naive string comparisons against real SDK objects. - AZ-NET-003: normalise direction, access, and source_address_prefix through enum_str() so real SecurityRuleDirection/SecurityRuleAccess enum values are detected correctly, not just plain-string mocks. - AZ-DB-002: normalise the auditing policy state through enum_str() so a real BlobAuditingPolicyState.ENABLED value is not mistaken for disabled (false positive) or vice versa. - AZ-DB-002: malformed ARM IDs are now logged explicitly instead of silently skipped. - AZ-NET-003: the matched plural source_address_prefixes entry is now included in finding metadata. - Add regression tests using real azure-mgmt-network / azure-mgmt-sql SDK model classes (SecurityRule, SecurityRuleDirection, SecurityRuleAccess, ServerBlobAuditingPolicy, BlobAuditingPolicyState) rather than only SimpleNamespace/string-backed mocks, per SHAURYAKSHARMA24's review. - Sync branch with upstream dev (v0.3.0) and apply current ruff format gate, per ritiksah141's review. * fix: remove duplicate _diagnostic_settings init line --------- Co-authored-by: safidnadaf <safidnadaf@users.noreply.github.com>
…ules (#197) * feat(scanner): add enterprise identity security pack * docs(compliance): use numbered TBD identity placeholders
Vishnu2707
requested review from
SHAURYAKSHARMA24,
TFT444,
parthrohit22,
ritiksah141 and
vogonPrayas
as code owners
July 18, 2026 00:37
Vishnu2707
removed request for
SHAURYAKSHARMA24,
TFT444,
parthrohit22,
ritiksah141 and
vogonPrayas
July 18, 2026 00:38
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Files
|
TFT444
previously approved these changes
Jul 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Core features added to the backend and deployment pipelines, CODEQL has been disabled instead sem.dev is added in for the check within the pipeline.