breakpilot-lehrer/website/components/admin/system-info-configs/security-config.ts
Benjamin Boenisch 5a31f52310 Initial commit: breakpilot-lehrer - Lehrer KI Platform
Services: Admin-Lehrer, Backend-Lehrer, Studio v2, Website,
Klausur-Service, School-Service, Voice-Service, Geo-Service,
BreakPilot Drive, Agent-Core

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 23:47:26 +01:00


import type { SystemInfoConfig } from './types'
/**
 * Long-form documentation for the detail view, as a raw HTML fragment.
 *
 * The content is static and author-controlled. NOTE(review): whichever
 * component displays `fullDocumentation` presumably inserts it unescaped —
 * keep interpolated or user-supplied data out of this string. The lines inside
 * the <pre> diagrams are whitespace-sensitive, so they are kept flush-left
 * exactly as written.
 */
const documentationHtml = `
<h2>Security & DevSecOps Dashboard</h2>
<h3>1. Uebersicht</h3>
<p>Das Security-Modul integriert Sicherheitspruefungen in den gesamten Entwicklungs- und Deployment-Prozess (DevSecOps). Es kombiniert statische Analyse, Container-Scanning und Laufzeitschutz.</p>
<h3>2. Security-Tools</h3>
<table>
<tr><th>Tool</th><th>Kategorie</th><th>Funktion</th><th>Integration</th></tr>
<tr><td>Trivy</td><td>Container</td><td>Image Vulnerability Scanning</td><td>CI/CD</td></tr>
<tr><td>Semgrep</td><td>SAST</td><td>Code Pattern Matching</td><td>Pre-commit, CI</td></tr>
<tr><td>Gitleaks</td><td>Secrets</td><td>Credential Detection</td><td>Pre-commit, CI</td></tr>
<tr><td>OWASP ZAP</td><td>DAST</td><td>Web App Scanning</td><td>Staging</td></tr>
</table>
<h3>3. Scanning-Pipeline</h3>
<pre>
┌─────────────────────────────────────────────────────────────────────┐
│ Development Phase │
├─────────────────────────────────────────────────────────────────────┤
│ Pre-commit Hooks │
│ ├── Gitleaks (Secrets) │
│ ├── Semgrep (Quick Rules) │
│ └── Formatting/Linting │
└─────────────────────────────────────────────────────────────────────┘
v
┌─────────────────────────────────────────────────────────────────────┐
│ CI Pipeline │
├─────────────────────────────────────────────────────────────────────┤
│ ├── Full SAST Scan (Semgrep) │
│ ├── Dependency Check (npm audit, go vuln) │
│ ├── Container Scan (Trivy) │
│ ├── SBOM Generation (Syft) │
│ └── License Compliance │
└─────────────────────────────────────────────────────────────────────┘
v
┌─────────────────────────────────────────────────────────────────────┐
│ Staging/Prod │
├─────────────────────────────────────────────────────────────────────┤
│ ├── DAST Scan (OWASP ZAP) │
│ ├── Runtime Protection │
│ └── Anomaly Detection │
└─────────────────────────────────────────────────────────────────────┘
</pre>
<h3>4. OWASP Top 10 Abdeckung</h3>
<table>
<tr><th>#</th><th>Risiko</th><th>Massnahme</th><th>Status</th></tr>
<tr><td>A01</td><td>Broken Access Control</td><td>RBAC, JWT Validation</td><td>✓</td></tr>
<tr><td>A02</td><td>Cryptographic Failures</td><td>TLS 1.3, AES-256</td><td>✓</td></tr>
<tr><td>A03</td><td>Injection</td><td>Parameterized Queries, Input Validation</td><td>✓</td></tr>
<tr><td>A04</td><td>Insecure Design</td><td>Threat Modeling, Code Review</td><td>✓</td></tr>
<tr><td>A05</td><td>Security Misconfiguration</td><td>Hardened Defaults, IaC Scanning</td><td>✓</td></tr>
<tr><td>A06</td><td>Vulnerable Components</td><td>Dependency Scanning, SBOM</td><td>✓</td></tr>
<tr><td>A07</td><td>Auth Failures</td><td>MFA, Session Management</td><td>✓</td></tr>
<tr><td>A08</td><td>Software Integrity</td><td>Signed Commits, SBOM</td><td>✓</td></tr>
<tr><td>A09</td><td>Logging Failures</td><td>Structured Logging, Audit Trail</td><td>✓</td></tr>
<tr><td>A10</td><td>SSRF</td><td>URL Validation, Network Policies</td><td>✓</td></tr>
</table>
<h3>5. Vulnerability Management</h3>
<pre>
CVE Discovered
v
┌───────────────────┐
│ Severity Rating │
│ Critical/High/Med │
└─────────┬─────────┘
┌─────┴─────┐
│ Critical? │
└─────┬─────┘
Yes │ No
│ └──> Backlog mit Frist
v
┌───────────────────┐
│ Immediate Action │
│ - Block Deploy │
│ - Notify Team │
│ - Hotfix Branch │
└───────────────────┘
</pre>
<h3>6. Secret Management</h3>
<ul>
<li><strong>Speicherung:</strong> Doppler/Vault fuer Secrets</li>
<li><strong>Rotation:</strong> Automatisch alle 90 Tage</li>
<li><strong>Detection:</strong> Gitleaks in Pre-commit und CI</li>
<li><strong>Notfall:</strong> Sofortige Rotation bei Leak</li>
</ul>
<h3>7. Container Security</h3>
<table>
<tr><th>Massnahme</th><th>Implementation</th></tr>
<tr><td>Base Images</td><td>Alpine/Distroless, regelmaessig aktualisiert</td></tr>
<tr><td>Non-root User</td><td>Alle Container als non-root</td></tr>
<tr><td>Read-only FS</td><td>Wo moeglich aktiviert</td></tr>
<tr><td>Resource Limits</td><td>CPU/Memory Limits gesetzt</td></tr>
<tr><td>Network Policies</td><td>Kubernetes NetworkPolicy</td></tr>
</table>
<h3>8. Incident Response</h3>
<ol>
<li><strong>Detection:</strong> Automatische Alerts, Monitoring</li>
<li><strong>Triage:</strong> Schweregrad-Bewertung, Scope</li>
<li><strong>Containment:</strong> Isolation, Zugriffssperre</li>
<li><strong>Eradication:</strong> Ursachenbehandlung</li>
<li><strong>Recovery:</strong> Wiederherstellung, Monitoring</li>
<li><strong>Lessons Learned:</strong> Post-Mortem, Verbesserungen</li>
</ol>
<h3>9. Compliance-Reports</h3>
<p>Automatisch generierte Reports:</p>
<ul>
<li>Woechentlich: Vulnerability Summary</li>
<li>Monatlich: Compliance Status, SBOM</li>
<li>Quartalsweise: Penetration Test Results</li>
<li>Jaehrlich: Security Audit Report</li>
</ul>
<h3>10. Metriken</h3>
<table>
<tr><th>Metrik</th><th>Ziel</th><th>Messung</th></tr>
<tr><td>Mean Time to Remediate (Critical)</td><td>&lt; 24h</td><td>Automatisch</td></tr>
<tr><td>Mean Time to Remediate (High)</td><td>&lt; 7 Tage</td><td>Automatisch</td></tr>
<tr><td>Scan Coverage</td><td>100%</td><td>CI Pipeline</td></tr>
<tr><td>False Positive Rate</td><td>&lt; 10%</td><td>Review</td></tr>
</table>
`

/**
 * System-info card for the Security / DevSecOps module of the admin area.
 *
 * Everything in this object is a hand-written literal: none of the counts or
 * states below are read from Trivy, Semgrep, Gitleaks or any other scanner at
 * runtime. Key order is kept stable because consumers may iterate the object.
 */
export const securityConfig: SystemInfoConfig = {
  title: 'Security System-Info',
  description: 'DevSecOps Dashboard mit Vulnerability Scanning und Compliance Checks.',
  version: '2.0',

  privacyNotes: [
    'Automatische CVE-Pruefung aller Dependencies',
    'OWASP Top 10 Compliance',
    'Container Security Scanning',
    'Secret Detection in Code',
  ],

  // Layer cards of the architecture overview, top to bottom.
  architecture: {
    layers: [
      {
        title: 'Security Dashboard',
        components: ['Vulnerability Overview', 'Compliance Status', 'Alerts'],
        color: '#ef4444',
      },
      {
        title: 'Scanners',
        components: ['Trivy', 'Semgrep', 'Gitleaks', 'OWASP ZAP'],
        color: '#8b5cf6',
      },
      {
        title: 'CI/CD Integration',
        components: ['GitHub Actions', 'Pre-commit Hooks', 'PR Checks'],
        color: '#10b981',
      },
      {
        title: 'Reporting',
        components: ['SARIF', 'SBOM', 'Audit Reports'],
        color: '#f59e0b',
      },
    ],
  },

  // Roll-out state per capability. NOTE(review): 'Penetration Testing' and
  // 'DAST Scanning' are 'planned' here, while auditInfo below reports
  // penetration tests as 'Quartalsweise' with status 'ok' and the tooling
  // table lists OWASP ZAP as integrated in Staging — one of them is stale.
  features: [
    { name: 'Vulnerability Scanning', status: 'active', description: 'Automatische CVE-Pruefung' },
    { name: 'SBOM Generation', status: 'active', description: 'Software Bill of Materials' },
    { name: 'Secret Detection', status: 'active', description: 'Gitleaks Integration' },
    { name: 'DAST Scanning', status: 'planned', description: 'Dynamic Application Security Testing' },
    { name: 'Penetration Testing', status: 'planned', description: 'Automatisierte Pen-Tests' },
  ],

  // Roadmap phases in chronological order.
  roadmap: [
    {
      phase: 'Phase 1: SAST (Q1)',
      priority: 'high',
      items: ['Semgrep Rules', 'CodeQL Integration', 'Custom Rules', 'False Positive Management'],
    },
    {
      phase: 'Phase 2: Runtime (Q2)',
      priority: 'high',
      items: ['Runtime Protection', 'WAF Integration', 'Anomaly Detection', 'Incident Response'],
    },
    {
      phase: 'Phase 3: Compliance (Q3)',
      priority: 'medium',
      items: ['SOC 2 Readiness', 'ISO 27001 Mapping', 'GDPR Technical Measures', 'Audit Automation'],
    },
  ],

  // Which scanner covers which component; versions are the expected minimums
  // as written by the author, not probed from the installed binaries.
  technicalDetails: [
    { component: 'Container Scan', technology: 'Trivy', version: '0.50+', description: 'Image Vulnerabilities' },
    { component: 'SAST', technology: 'Semgrep', version: '1.x', description: 'Code Analysis' },
    { component: 'Secrets', technology: 'Gitleaks', version: '8.x', description: 'Secret Detection' },
    { component: 'SBOM', technology: 'CycloneDX', version: '1.5', description: 'Dependency List' },
  ],

  // Static status snapshot. The CVE counts and the 'ok' states are constants
  // and will not change when a scanner reports a finding.
  // NOTE(review): confirm the rendering component labels this as a
  // self-declared snapshot or wires it to live scan results; a hard-coded
  // "Kritische CVEs: 0" presented as dashboard status can hide a real finding.
  auditInfo: [
    {
      category: 'Vulnerability Status',
      items: [
        { label: 'Kritische CVEs', value: '0', status: 'ok' },
        { label: 'Hohe CVEs', value: '0', status: 'ok' },
        { label: 'Mittlere CVEs', value: 'Tracking', status: 'warning' },
        { label: 'Letzte Pruefung', value: 'Taeglich', status: 'ok' },
      ],
    },
    {
      category: 'Compliance',
      items: [
        { label: 'OWASP Top 10', value: 'Geprueft', status: 'ok' },
        { label: 'Secret Detection', value: 'Aktiv', status: 'ok' },
        { label: 'Container Hardening', value: 'Umgesetzt', status: 'ok' },
        { label: 'Dependency Updates', value: 'Woechentlich', status: 'ok' },
      ],
    },
    {
      category: 'Monitoring',
      items: [
        { label: 'Echtzeit-Alerts', value: 'Aktiviert', status: 'ok' },
        { label: 'SIEM Integration', value: 'Geplant', status: 'warning' },
        { label: 'Penetration Tests', value: 'Quartalsweise', status: 'ok' },
        { label: 'Bug Bounty', value: 'In Planung', status: 'warning' },
      ],
    },
  ],

  fullDocumentation: documentationHtml,
}