a1980cd12d
All checks were successful
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-ai-compliance (push) Successful in 37s
CI / test-python-backend-compliance (push) Successful in 33s
CI / test-python-document-crawler (push) Successful in 23s
CI / test-python-dsms-gateway (push) Successful in 18s
- reporting_handlers.go: uuid.Nil-Check vor Store-Aufruf (→ 400) - reporting_handlers_test.go: 4 MissingTenantID-Tests (PASS) + 4 WithTenant-Tests (SKIP) - docs-src: requirements.md, controls.md, evidence.md, risks.md (je mit API, Schema, Tests) - mkdocs.yml: 4 neue Nav-Einträge + \n-Bug auf Zeile 91 behoben - compliance-kern.md: Link-Hinweise zu Detailseiten ergänzt Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
100 lines
2.6 KiB
Markdown
100 lines
2.6 KiB
Markdown
# Nachweise / Evidence (CP-NAC)
|
|
|
|
Verknüpft Prüfnachweise mit Controls. Unterstützt manuelle Uploads sowie CI/CD-Automatisierung.
|
|
|
|
**Prefix:** `CP-NAC` · **Frontend:** `https://macmini:3007/sdk/evidence`
|
|
**Proxy:** `/api/sdk/v1/compliance/[[...path]]` → `backend-compliance:8002/compliance/...`
|
|
|
|
---
|
|
|
|
## Features
|
|
|
|
- Manuelle Nachweis-Uploads (PDF, ZIP, ...)
|
|
- CI/CD-Integration: Nachweise automatisch via Pipeline erfassen
|
|
- Automatischer Control-Status-Update nach Nachweis-Ingest (`AutoRiskUpdater`)
|
|
- CI-Nachweisstand-Abfrage pro Control
|
|
|
|
---
|
|
|
|
## Nachweistypen
|
|
|
|
`test_results` · `audit_report` · `penetration_test` · `sast` · `dependency_scan` · `sbom` · `container_scan` · `secret_scan` · `code_review`
|
|
|
|
---
|
|
|
|
## Rechtsgrundlage
|
|
|
|
| Artikel | Bezug |
|
|
|---------|-------|
|
|
| Art. 5 Abs. 2 DSGVO | Rechenschaftspflicht |
|
|
| Art. 24 DSGVO | Nachweis der Compliance |
|
|
| Art. 32 DSGVO | Sicherheitsmaßnahmen dokumentieren |
|
|
|
|
---
|
|
|
|
## API Endpoints
|
|
|
|
| Methode | Pfad | Beschreibung |
|
|
|---------|------|--------------|
|
|
| `GET` | `/evidence` | Liste (`control_id`, `evidence_type`, `status`, `page`, `limit`) |
|
|
| `POST` | `/evidence` | Nachweis manuell anlegen |
|
|
| `DELETE` | `/evidence/{id}` | Nachweis löschen |
|
|
| `POST` | `/evidence/upload` | Datei hochladen (PDF, ZIP, ...) |
|
|
| `POST` | `/evidence/collect` | CI/CD-Nachweis automatisch erfassen |
|
|
| `GET` | `/evidence/ci-status` | CI-Nachweisstand für eine Kontrolle |
|
|
|
|
### CI/CD-Integration
|
|
|
|
```json
|
|
POST /evidence/collect
|
|
{
|
|
"control_id": "SDLC-001",
|
|
"evidence_type": "test_results",
|
|
"title": "Pytest Run 2026-03-05",
|
|
"ci_job_id": "gh-actions-12345",
|
|
"artifact_url": "https://github.com/.../artifacts/report.xml"
|
|
}
|
|
```
|
|
|
|
Nach dem Collect wird automatisch der Control-Status aktualisiert (`AutoRiskUpdater`).
|
|
|
|
---
|
|
|
|
## Frontend
|
|
|
|
**URL:** `https://macmini:3007/sdk/evidence`
|
|
|
|
Tabelle mit Nachweis-Einträgen, filterbar nach Control und Typ. Upload-Button für manuelle Nachweise. CI-Status-Badge zeigt automatisierungsgrad pro Control.
|
|
|
|
---
|
|
|
|
## Datenbankschema
|
|
|
|
```sql
|
|
compliance_evidence (
|
|
id UUID PRIMARY KEY,
|
|
control_id VARCHAR REFERENCES compliance_controls(control_id),
|
|
evidence_type VARCHAR, -- test_results/audit_report/...
|
|
title TEXT,
|
|
description TEXT,
|
|
artifact_path TEXT,
|
|
artifact_url TEXT,
|
|
ci_job_id VARCHAR,
|
|
status VARCHAR DEFAULT 'pending',
|
|
collected_at TIMESTAMP,
|
|
created_at TIMESTAMP
|
|
)
|
|
```
|
|
|
|
---
|
|
|
|
## Tests
|
|
|
|
**Testdatei:** `backend-compliance/tests/test_evidence_routes.py`
|
|
**Anzahl Tests:** 11 · **Status:** ✅ alle bestanden (Stand 2026-03-05)
|
|
|
|
```bash
|
|
cd backend-compliance
|
|
python3 -m pytest tests/test_evidence_routes.py -v
|
|
```
|