Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
1,571 Commits 36 Branches 1 Tag
da466b3821d0b65b767b7c04a130bbe8b5ab0005
Commit Graph

4 Commits

Author SHA1 Message Date
Benjamin Admin 8609b696c9 fix(ucca): CM-7 repo_scan is required evidence for attack_surface_minimization
CI / detect-changes (push) Successful in 12s
Details
CI / branch-name (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / secret-scan (push) Has been skipped
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / build-sha-integrity (push) Successful in 7s
Details
CI / validate-canonical-controls (push) Successful in 5s
Details
CI / loc-budget (push) Successful in 18s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / nodejs-build (push) Has been skipped
Details
CI / test-go (push) Successful in 59s
Details
CI / iace-gt-coverage (push) Successful in 19s
Details
CI / test-python-backend (push) Has been skipped
Details
CI / test-python-document-crawler (push) Has been skipped
Details
CI / test-python-dsms-gateway (push) Has been skipped
Details 
evidence_required lists only required:true rows; repo_scan was required:false so
attack_surface_minimization surfaced config_export alone. An attack-surface scan
IS required to evidence a minimized attack surface. Adds a test pinning the curated
evidence_required set per NIST obligation (the table test only checked control count).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-26 09:42:12 +02:00
Benjamin Admin fdaf547b06 feat(ucca): re-point NIST primary_implementation to CORE obligations (#6) 
Registry materialized the generic CORE security objectives (#5b, Modell C), so
the two broad NIST controls now point at their canonical parents instead of the
domain-scoped matches:
  SI-7 -> software_integrity_protection  (CORE, Annex I (2)(f))
  CM-7 -> attack_surface_minimization    (CORE, Annex I (2)(j))
Non-breaking: the domain-scoped obligations stay valid and specialize the CORE.

SI-7 evidence = sbom + config_export (SBOM evidences component/supply-chain
integrity; config = signing/secure-boot). Export proposed_obligation_id + handler
test (2 CORE cases) updated. go test green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-26 09:35:46 +02:00
Benjamin Admin f6c5f4e0a9 fix(ucca): SI-2 evidence = config_export + test_report 
Aligns provide_security_updates -> SI-2 evidence to the curated acceptance set:
config_export (secure-update mechanism config) + test_report (patch verification).
For "provide updates" the patch-verification test is more on-point than a vuln
scan; repo_scan stays on CM-7 for attack-surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-26 00:26:29 +02:00
Benjamin Admin 63d65af41b feat(ucca): persist 3 CRA->NIST mappings (primary_implementation) + evidence 
CRA Annex I Part I (2)(e)/(2)(l)/(2)(i) had no clean OWASP target (rejected:
"Mapping ueber NIST/BSI erforderlich"). Their NIST home, curated + accepted:
  (2)(e) Integritaet     -> SI-7 (Software/Firmware/Information Integrity)
  (2)(l) Sichere Updates -> SI-2 (Flaw Remediation)
  (2)(i) Angriffsflaeche -> CM-7 (Least Functionality)

New mapping_type=primary_implementation = the single canonical control per
obligation (stronger than implements/supports); related controls (SC-3(3),
RA-5, AC-6, SI-16, ...) follow later as supports.

Evidence is framework-AGNOSTIC: SI-7/SI-2/CM-7 reuse the shared evidence_type
catalog (config_export/test_report/repo_scan) - same types carry CRA, NIST,
ISO 27001, IEC 62443, BSI. (framework,control) is only the link, not the type.

obligation_id left empty: the Obligation Registry assigns it (exported via
controls_for_obligation_mapping.json), then we adopt. go test ./internal/ucca green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-25 18:52:35 +02:00