Compliance-as-code: control→regulation mapping + ITGC-SEC-06 remediation with CI gate#265
Open
devin-ai-integration[bot] wants to merge 2 commits into
Conversation
…C-06 remediation and CI gate - audit/compliance/gpn_control_mapping.md: RACM controls mapped to PCI DSS 4.0, SOX (ICFR), GDPR with PASS/FAIL and file:line evidence - Remediate ITGC-SEC-06: externalize DB credentials from application.properties to env (no committed password) - CredentialManagementControlTest: re-performs ITGC-SEC-06 (proves control now passes) - .github/workflows/compliance-gate.yml + audit/compliance/ci/check_committed_secrets.sh: CI gate that fails build if a secret is re-committed Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Compliance-as-code demo for a payments customer (Global Payments). Maps this repo's
FINOS-Common-Cloud-Controls-style RACM (
audit/racm.yaml) to payments regulations, re-performsevery control against the real code, then remediates one high-severity FAIL and wires it into CI
as a gate. Based on
devin/1781883529-group-audit-demo-kitso the audit ontology is present andthe diff is minimal.
1. Control-to-regulation matrix —
audit/compliance/gpn_control_mapping.mdMaps all 11 RACM controls to PCI DSS 4.0 / SOX (ICFR) / GDPR, each with
control_id, regulationrefs, nature, PASS/FAIL result, and
file:lineevidence from the code. Baseline: 10 FAIL, 1 PARTIAL.High-severity FAILs: APP-TXN-01, APP-TXN-02, APP-TXN-03, ITGC-SEC-06, ITGC-CM-07.
2. Remediation of ITGC-SEC-06 (Credential & secrets management)
Maps to PCI DSS 4.0 Req 8.6.2 (no hard-coded passwords in property files), Req 2.2 / 3.x,
SOX ICFR, GDPR Art. 32. DB credentials externalized from
application.properties:CredentialManagementControlTestre-performs the control (plain JUnit, no Spring/DB): parsesapplication.propertiesand fails unless every secret-bearing property is a bare${ENV}reference(rejects literals and inline
${PW:default}fallbacks), and assertsTest@123no longer appears.3. CI gate —
.github/workflows/compliance-gate.yml+audit/compliance/ci/check_committed_secrets.shRuns on every push/PR: a fast bash secret-scan followed by the JUnit control re-performance. Fails the
build if the control regresses (a secret is re-committed), mirroring the CCM model in
audit/ccm/continuous-controls-monitoring.md.Verification
./mvnw clean test→ 4 tests pass (existingcontextLoads()+ 3 new control tests); app boots withenv-injected credentials (Hikari connects to MySQL).
PASS [ITGC-SEC-06]. Negative checks confirmed: reintroducingTest@123or a${PW:default}fallback fails both the script and the test.Scope
Minimal and focused — no broad refactor. The other 9 FAIL / 1 PARTIAL controls remain documented (not
fixed) in the mapping for the auditor to conclude on.
Link to Devin session: https://app.devin.ai/sessions/76129a35537f46f4a773fd16c8e5a6f2
Requested by: @achalc
Devin Review