Initial commit

2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
--- a/skills/compliance/policy-opa/assets/soc2-compliance.rego
+++ b/skills/compliance/policy-opa/assets/soc2-compliance.rego
@@ -0,0 +1,107 @@
+package compliance.soc2
+
+import future.keywords.if
+
+# SOC2 CC6.1: Logical and Physical Access Controls
+
+# Deny overly permissive RBAC
+deny[msg] {
+    input.kind == "RoleBinding"
+    input.roleRef.name == "cluster-admin"
+    not startswith(input.subjects[_].name, "system:")
+    msg := {
+        "control": "SOC2 CC6.1",
+        "severity": "high",
+        "violation": sprintf("Overly permissive cluster-admin binding: %v", [input.metadata.name]),
+        "remediation": "Use least-privilege roles instead of cluster-admin",
+    }
+}
+
+# Require authentication for external services
+deny[msg] {
+    input.kind == "Service"
+    input.spec.type == "LoadBalancer"
+    not input.metadata.annotations["auth.required"] == "true"
+    msg := {
+        "control": "SOC2 CC6.1",
+        "severity": "medium",
+        "violation": sprintf("External service without authentication: %v", [input.metadata.name]),
+        "remediation": "Add annotation: auth.required=true",
+    }
+}
+
+# SOC2 CC6.6: Encryption in Transit
+
+# Require TLS for Ingress
+deny[msg] {
+    input.kind == "Ingress"
+    not input.spec.tls
+    msg := {
+        "control": "SOC2 CC6.6",
+        "severity": "high",
+        "violation": sprintf("Ingress without TLS: %v", [input.metadata.name]),
+        "remediation": "Configure spec.tls with valid certificates",
+    }
+}
+
+# Require TLS for LoadBalancer
+deny[msg] {
+    input.kind == "Service"
+    input.spec.type == "LoadBalancer"
+    not input.metadata.annotations["service.beta.kubernetes.io/aws-load-balancer-ssl-cert"]
+    msg := {
+        "control": "SOC2 CC6.6",
+        "severity": "high",
+        "violation": sprintf("LoadBalancer without SSL/TLS: %v", [input.metadata.name]),
+        "remediation": "Add SSL certificate annotation",
+    }
+}
+
+# SOC2 CC6.7: Encryption at Rest
+
+# Require encrypted volumes for confidential data
+deny[msg] {
+    input.kind == "PersistentVolumeClaim"
+    input.metadata.labels["data-classification"] == "confidential"
+    not input.metadata.annotations["volume.beta.kubernetes.io/storage-encrypted"] == "true"
+    msg := {
+        "control": "SOC2 CC6.7",
+        "severity": "high",
+        "violation": sprintf("Unencrypted volume for confidential data: %v", [input.metadata.name]),
+        "remediation": "Enable volume encryption annotation",
+    }
+}
+
+# SOC2 CC7.2: System Monitoring
+
+# Require audit logging for critical systems
+deny[msg] {
+    input.kind == "Deployment"
+    input.metadata.labels["critical-system"] == "true"
+    not has_audit_logging(input)
+    msg := {
+        "control": "SOC2 CC7.2",
+        "severity": "medium",
+        "violation": sprintf("Critical system without audit logging: %v", [input.metadata.name]),
+        "remediation": "Enable audit logging via sidecar or annotations",
+    }
+}
+
+has_audit_logging(resource) {
+    resource.spec.template.metadata.annotations["audit.enabled"] == "true"
+}
+
+# SOC2 CC8.1: Change Management
+
+# Require approval for production changes
+deny[msg] {
+    input.kind == "Deployment"
+    input.metadata.namespace == "production"
+    not input.metadata.annotations["change-request.id"]
+    msg := {
+        "control": "SOC2 CC8.1",
+        "severity": "medium",
+        "violation": sprintf("Production deployment without change request: %v", [input.metadata.name]),
+        "remediation": "Add annotation: change-request.id=CR-XXXX",
+    }
+}