Skip to content

Compliance-as-code: control→regulation mapping + ITGC-SEC-06 remediation with CI gate#265

Open
devin-ai-integration[bot] wants to merge 2 commits into
devin/1781883529-group-audit-demo-kitfrom
devin/1782907911-gpn-compliance-as-code
Open

Compliance-as-code: control→regulation mapping + ITGC-SEC-06 remediation with CI gate#265
devin-ai-integration[bot] wants to merge 2 commits into
devin/1781883529-group-audit-demo-kitfrom
devin/1782907911-gpn-compliance-as-code

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jul 1, 2026

Copy link
Copy Markdown

Summary

Compliance-as-code demo for a payments customer (Global Payments). Maps this repo's
FINOS-Common-Cloud-Controls-style RACM (audit/racm.yaml) to payments regulations, re-performs
every control against the real code, then remediates one high-severity FAIL and wires it into CI
as a gate. Based on devin/1781883529-group-audit-demo-kit so the audit ontology is present and
the diff is minimal.

1. Control-to-regulation matrixaudit/compliance/gpn_control_mapping.md
Maps all 11 RACM controls to PCI DSS 4.0 / SOX (ICFR) / GDPR, each with control_id, regulation
refs, nature, PASS/FAIL result, and file:line evidence from the code. Baseline: 10 FAIL, 1 PARTIAL.
High-severity FAILs: APP-TXN-01, APP-TXN-02, APP-TXN-03, ITGC-SEC-06, ITGC-CM-07.

2. Remediation of ITGC-SEC-06 (Credential & secrets management)
Maps to PCI DSS 4.0 Req 8.6.2 (no hard-coded passwords in property files), Req 2.2 / 3.x,
SOX ICFR, GDPR Art. 32. DB credentials externalized from application.properties:

- spring.datasource.username=root
- spring.datasource.password=Test@123
+ spring.datasource.username=${SPRING_DATASOURCE_USERNAME:root}
+ spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}   # no in-source default by design

CredentialManagementControlTest re-performs the control (plain JUnit, no Spring/DB): parses
application.properties and fails unless every secret-bearing property is a bare ${ENV} reference
(rejects literals and inline ${PW:default} fallbacks), and asserts Test@123 no longer appears.

3. CI gate.github/workflows/compliance-gate.yml + audit/compliance/ci/check_committed_secrets.sh
Runs on every push/PR: a fast bash secret-scan followed by the JUnit control re-performance. Fails the
build if the control regresses (a secret is re-committed), mirroring the CCM model in
audit/ccm/continuous-controls-monitoring.md.

Verification

  • ./mvnw clean test → 4 tests pass (existing contextLoads() + 3 new control tests); app boots with
    env-injected credentials (Hikari connects to MySQL).
  • Bash gate: PASS [ITGC-SEC-06]. Negative checks confirmed: reintroducing Test@123 or a
    ${PW:default} fallback fails both the script and the test.

Scope

Minimal and focused — no broad refactor. The other 9 FAIL / 1 PARTIAL controls remain documented (not
fixed) in the mapping for the auditor to conclude on.

Link to Devin session: https://app.devin.ai/sessions/76129a35537f46f4a773fd16c8e5a6f2
Requested by: @achalc


Devin Review

Status Commit
⚪ Not started

Run Devin Review

Open in Devin Review (Staging)

…C-06 remediation and CI gate

- audit/compliance/gpn_control_mapping.md: RACM controls mapped to PCI DSS 4.0, SOX (ICFR), GDPR with PASS/FAIL and file:line evidence
- Remediate ITGC-SEC-06: externalize DB credentials from application.properties to env (no committed password)
- CredentialManagementControlTest: re-performs ITGC-SEC-06 (proves control now passes)
- .github/workflows/compliance-gate.yml + audit/compliance/ci/check_committed_secrets.sh: CI gate that fails build if a secret is re-committed

Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
@achalc achalc self-assigned this Jul 1, 2026
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant