fix(iwooos): surface security governance review
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / build-and-deploy (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / tests (push) Has been cancelled
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / build-and-deploy (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / tests (push) Has been cancelled
This commit is contained in:
@@ -50,6 +50,32 @@ def load_latest_iwooos_security_control_coverage(
|
||||
|
||||
domains = _build_domains(snapshots)
|
||||
summary = _build_summary(snapshots, domains)
|
||||
p0_next_actions = _build_p0_next_actions()
|
||||
professional_review = _build_professional_security_governance_review(
|
||||
summary,
|
||||
domains,
|
||||
p0_next_actions,
|
||||
)
|
||||
summary.update(
|
||||
{
|
||||
"professional_review_finding_count": len(
|
||||
professional_review["root_cause_summary"]
|
||||
),
|
||||
"professional_review_p0_work_item_count": len(
|
||||
professional_review["priority_work_items"]
|
||||
),
|
||||
"external_security_tool_track_count": len(
|
||||
professional_review["security_tool_integration_matrix"]
|
||||
),
|
||||
"ai_security_automation_stage_count": len(
|
||||
professional_review["ai_automation_closure_loop"]
|
||||
),
|
||||
"full_scope_contract_count": len(professional_review["scope_contract"]),
|
||||
"ui_ux_control_room_requirement_count": len(
|
||||
professional_review["ui_ux_control_room_requirements"]
|
||||
),
|
||||
}
|
||||
)
|
||||
|
||||
return {
|
||||
"schema_version": _SCHEMA_VERSION,
|
||||
@@ -57,7 +83,8 @@ def load_latest_iwooos_security_control_coverage(
|
||||
"mode": "committed_snapshot_rollup_only_no_live_runtime_query",
|
||||
"summary": summary,
|
||||
"domains": domains,
|
||||
"p0_next_actions": _build_p0_next_actions(),
|
||||
"professional_review": professional_review,
|
||||
"p0_next_actions": p0_next_actions,
|
||||
"no_false_green_rules": [
|
||||
"納管覆蓋總表只代表 committed snapshot 可讀,不代表所有主機已被 Wazuh manager registry 驗收。",
|
||||
"route 200、transport observed、UI 可見、一般工作批准都不能當成 runtime 授權。",
|
||||
@@ -361,37 +388,259 @@ def _build_p0_next_actions() -> list[dict[str, str]]:
|
||||
return [
|
||||
{
|
||||
"priority": "P0-01",
|
||||
"title": "Wazuh manager registry 全主機交叉驗收",
|
||||
"required_evidence": "manager registry、agent status、dashboard API / RBAC / TLS readback、缺席主機 owner decision。",
|
||||
"title": "全域資安完成口徑與 owner closure",
|
||||
"required_evidence": "每個主機、服務、產品、網站、工具、套件與 AI Agent 都要有 scope、owner、risk、verifier、runtime acceptance 欄位;UI / API / CD 綠燈不得算完成。",
|
||||
},
|
||||
{
|
||||
"priority": "P0-02",
|
||||
"title": "Host / Docker / systemd live hash 與維護窗口",
|
||||
"required_evidence": "live config hash、restart window、rollback owner、post-check 指標、drift disposition。",
|
||||
"title": "全資產 / 全主機 / 全服務 scope truth",
|
||||
"required_evidence": "Gitea source truth、runtime surface inventory、host/service live hash、公開入口、runner、backup、AI tool 權限與缺口清單;不得用單一 dashboard 代表全域。",
|
||||
},
|
||||
{
|
||||
"priority": "P0-03",
|
||||
"title": "Nginx / 公開入口 / Firewall 變更控管",
|
||||
"required_evidence": "脫敏 live conf export、rendered diff、nginx -t、route smoke、actor before / after。",
|
||||
"title": "Wazuh manager registry、FIM、弱點與告警 receipt",
|
||||
"required_evidence": "manager registry parity、agent active/disconnected rollup、FIM baseline、vulnerability detection rollup、alert sample receipt、TLS/RBAC readback、缺席主機 decision。",
|
||||
},
|
||||
{
|
||||
"priority": "P0-04",
|
||||
"title": "監控告警卡片化與 receipt",
|
||||
"required_evidence": "可讀卡片格式、receiver route、Telegram / webhook receipt、silence / dedup / inhibit review。",
|
||||
"title": "Host / Docker / systemd 入侵與鑑識基線",
|
||||
"required_evidence": "auth、sudo、process、network、persistence、package、service、Docker event 的脫敏 readback;所有 remediation 先進 check-mode、rollback、post-verifier。",
|
||||
},
|
||||
{
|
||||
"priority": "P0-05",
|
||||
"title": "AI Agent runtime write gate",
|
||||
"required_evidence": "allowlist、check-mode、rollback、verifier、KM / PlayBook trust;付費 provider / replacement 另需 replay / shadow / canary。",
|
||||
"title": "Nginx / Gateway / SSH / Firewall / K8s network",
|
||||
"required_evidence": "source-to-live diff、nginx -t 或等價檢核、route smoke、before/after actor、NetworkPolicy / firewall diff、rollback owner。",
|
||||
},
|
||||
{
|
||||
"priority": "P0-06",
|
||||
"title": "agent-bounty-protocol 安全納管",
|
||||
"required_evidence": "repo refs truth、data classification、MCP / A2A abuse boundary、deployment boundary、owner acceptance。",
|
||||
"title": "Web / API / AppSec / webhook 防護",
|
||||
"required_evidence": "auth、authorization、session、rate limit、CORS、security headers、webhook abuse case、ASVS mapping、desktop/mobile smoke 與 no sensitive copy。",
|
||||
},
|
||||
{
|
||||
"priority": "P0-07",
|
||||
"title": "套件 / container / workflow supply-chain",
|
||||
"required_evidence": "SBOM、lockfile diff、image scan、KEV/EPSS priority、runner/workflow diff、artifact provenance、signature verification、package SLA。",
|
||||
},
|
||||
{
|
||||
"priority": "P0-08",
|
||||
"title": "SIEM / SOAR / Monitoring 告警閉環",
|
||||
"required_evidence": "Wazuh / Alertmanager / Telegram / OCSF / Sigma normalized event、dedupe、noise budget、case id、receiver receipt、operator acknowledgment。",
|
||||
},
|
||||
{
|
||||
"priority": "P0-09",
|
||||
"title": "Backup / restore / forensic retention",
|
||||
"required_evidence": "restore drill、offsite/escrow、chain of custody、retention policy、backup freshness、rollback proof、post-restore smoke。",
|
||||
},
|
||||
{
|
||||
"priority": "P0-10",
|
||||
"title": "AI Agent / MCP / RAG permission gate",
|
||||
"required_evidence": "tool allowlist、prompt redaction、secret boundary、RAG source trust、MCP connector scope、cost cap、replay/shadow/canary、KM / PlayBook writeback。",
|
||||
},
|
||||
{
|
||||
"priority": "P0-11",
|
||||
"title": "AISOC 管理者 UI / UX 控制室",
|
||||
"required_evidence": "單一風險地圖、目前 P0、blocked reason、next executable action、tool coverage、host/service/product/package drilldown;避免以大段文字取代狀態。",
|
||||
},
|
||||
{
|
||||
"priority": "P0-12",
|
||||
"title": "Controlled apply deployment 與 production readback",
|
||||
"required_evidence": "target selector、source-of-truth diff、check-mode/dry-run、rollback、post-apply verifier、runtime readback、KM / PlayBook trust、deploy marker。",
|
||||
},
|
||||
]
|
||||
|
||||
|
||||
def _build_professional_security_governance_review(
|
||||
summary: dict[str, Any],
|
||||
domains: list[dict[str, Any]],
|
||||
priority_work_items: list[dict[str, str]],
|
||||
) -> dict[str, Any]:
|
||||
runtime_acceptance = _as_int(summary.get("actual_runtime_acceptance_percent"))
|
||||
owner_accepted = _as_int(summary.get("owner_response_accepted_count"))
|
||||
runtime_gate_count = _as_int(summary.get("runtime_gate_count"))
|
||||
visible_scope_count = _as_int(summary.get("visible_scope_unit_count"))
|
||||
domain_count = len(domains)
|
||||
|
||||
root_causes = [
|
||||
{
|
||||
"finding_id": "F01",
|
||||
"severity": "P0",
|
||||
"title": "控制面可視不等於 runtime 防護生效",
|
||||
"current_evidence": (
|
||||
f"已可讀 {visible_scope_count} 個納管單位與 {domain_count} 個控制域;"
|
||||
f"runtime acceptance 仍為 {runtime_acceptance}%。"
|
||||
),
|
||||
"required_closure": "每個 control domain 必須補 live/public-safe readback、post-verifier 與 accepted runtime gate。",
|
||||
},
|
||||
{
|
||||
"finding_id": "F02",
|
||||
"severity": "P0",
|
||||
"title": "完成定義混用了 UI / API / CD 成功與資安完成",
|
||||
"current_evidence": "Dashboard 200、frontend visible、CD success、route smoke 只能算 delivery evidence。",
|
||||
"required_closure": "把 delivery evidence 與 security runtime acceptance 拆開顯示,所有綠燈必須附 source、runtime、verifier 三段證據。",
|
||||
},
|
||||
{
|
||||
"finding_id": "F03",
|
||||
"severity": "P0",
|
||||
"title": "Wazuh 已有 registry snapshot,但尚未形成偵測與回應閉環",
|
||||
"current_evidence": "Manager registry accepted 可以計數,但 live metadata、FIM、弱點 rollup、alert receipt 與 active-response gate 仍是不同閉環。",
|
||||
"required_closure": "先完成 Wazuh registry parity、FIM / vulnerability readback、alert receipt,再讓 active response 保持 gated candidate。",
|
||||
},
|
||||
{
|
||||
"finding_id": "F04",
|
||||
"severity": "P0",
|
||||
"title": "主機、服務、產品、網站、工具與套件缺少同一張優先序",
|
||||
"current_evidence": "既有 domain 涵蓋資產、主機、監控、網路、runtime、Wazuh、產品與 AI Agent,但套件 / 網站 / 工具閉環沒有集中成同一條順序。",
|
||||
"required_closure": "用同一個 P0 list 管理 hosts, services, products, websites, tools, packages and AI automation,不再讓支線互相搶主線。",
|
||||
},
|
||||
{
|
||||
"finding_id": "F05",
|
||||
"severity": "P0",
|
||||
"title": "AI Agent 自動化還沒有變成可執行的安全閉環",
|
||||
"current_evidence": "AI assets are inventoried, while runtime write gates and action buttons remain closed.",
|
||||
"required_closure": "每個 AI action 必須有 tool allowlist、source diff、check-mode、rollback、post-verifier、cost/privacy gate 與 learning writeback。",
|
||||
},
|
||||
{
|
||||
"finding_id": "F06",
|
||||
"severity": "P1",
|
||||
"title": "管理者 UI 仍偏文字報告,不是 AISOC 控制台",
|
||||
"current_evidence": "The current board exposes correct boundaries but does not yet compress risk, blockers, next action and tool coverage into one glance.",
|
||||
"required_closure": "新增風險地圖、P0 queue、tool coverage、blocked reason、next executable action and drilldown,讓文字退到 details。",
|
||||
},
|
||||
]
|
||||
|
||||
tool_matrix = [
|
||||
{
|
||||
"tool_id": "wazuh",
|
||||
"priority": "P0",
|
||||
"role": "XDR / SIEM, agent registry, FIM, vulnerability detection, alert normalization",
|
||||
"integration_state": "partial_registry_readback_runtime_gate_closed",
|
||||
"required_closure": "registry parity、FIM baseline、vulnerability rollup、alert receipt、SOAR candidate gate。",
|
||||
},
|
||||
{
|
||||
"tool_id": "trivy",
|
||||
"priority": "P0",
|
||||
"role": "container image, filesystem, IaC, dependency and SBOM vulnerability scanning",
|
||||
"integration_state": "required_not_closed",
|
||||
"required_closure": "CI/check-mode scan、KEV/EPSS priority、artifact report、no-secret output guard。",
|
||||
},
|
||||
{
|
||||
"tool_id": "syft_grype",
|
||||
"priority": "P0",
|
||||
"role": "SBOM generation and vulnerability matching for packages and images",
|
||||
"integration_state": "required_not_closed",
|
||||
"required_closure": "SPDX/CycloneDX SBOM、lockfile diff、package SLA、VEX / accepted-risk register。",
|
||||
},
|
||||
{
|
||||
"tool_id": "openssf_scorecard",
|
||||
"priority": "P1",
|
||||
"role": "source, build, dependency, testing and maintenance risk scoring",
|
||||
"integration_state": "required_not_closed",
|
||||
"required_closure": "Gitea/source-side hygiene mapping、branch protection equivalent、dependency/update policy readback。",
|
||||
},
|
||||
{
|
||||
"tool_id": "kyverno_cosign",
|
||||
"priority": "P1",
|
||||
"role": "Kubernetes policy, image signature and attestation verification",
|
||||
"integration_state": "required_when_k8s_runtime_gate_opens",
|
||||
"required_closure": "policy check-mode、image verification、exception register、rollback and post-apply verifier。",
|
||||
},
|
||||
{
|
||||
"tool_id": "falco",
|
||||
"priority": "P1",
|
||||
"role": "runtime threat detection for Linux and Kubernetes workloads",
|
||||
"integration_state": "required_not_closed",
|
||||
"required_closure": "read-only rule dry-run、event redaction、Wazuh/OCSF correlation、no auto-block until reviewer gate。",
|
||||
},
|
||||
{
|
||||
"tool_id": "owasp_zap_or_equivalent_dast",
|
||||
"priority": "P1",
|
||||
"role": "web/API dynamic testing with bounded scope",
|
||||
"integration_state": "controlled_scan_required",
|
||||
"required_closure": "explicit target selector、rate limit、test window、baseline scan, no credentialed attack unless break-glass approved。",
|
||||
},
|
||||
{
|
||||
"tool_id": "sigma_ocsf",
|
||||
"priority": "P1",
|
||||
"role": "portable detection rules and normalized event schema",
|
||||
"integration_state": "required_for_ai_triage_quality",
|
||||
"required_closure": "map Wazuh / Alertmanager / app events into normalized cards and regression-test false positives。",
|
||||
},
|
||||
]
|
||||
|
||||
scope_contract = [
|
||||
{"scope_id": "hosts", "included": True, "closure_signal": "agent / process / service / network readback"},
|
||||
{"scope_id": "services", "included": True, "closure_signal": "systemd / Docker / API health and config hash"},
|
||||
{"scope_id": "products", "included": True, "closure_signal": "owner, data classification, route and deploy boundary"},
|
||||
{"scope_id": "websites", "included": True, "closure_signal": "desktop/mobile smoke, headers, auth and webhook abuse review"},
|
||||
{"scope_id": "tools", "included": True, "closure_signal": "security tool health, version, rule pack and output redaction"},
|
||||
{"scope_id": "packages", "included": True, "closure_signal": "SBOM, lockfile diff, vulnerability SLA and provenance"},
|
||||
{"scope_id": "ai_agents", "included": True, "closure_signal": "tool allowlist, MCP/RAG trust, replay/shadow/canary"},
|
||||
{"scope_id": "runtime_actions", "included": True, "closure_signal": "target selector, check-mode, rollback and verifier"},
|
||||
]
|
||||
|
||||
ai_loop = [
|
||||
{"stage_id": "collect", "gate": "public_safe_readback_only", "runtime_write": False},
|
||||
{"stage_id": "normalize", "gate": "redaction_and_schema_guard", "runtime_write": False},
|
||||
{"stage_id": "triage", "gate": "severity_scope_confidence_scoring", "runtime_write": False},
|
||||
{"stage_id": "plan", "gate": "target_selector_source_diff_check_mode_rollback", "runtime_write": False},
|
||||
{"stage_id": "apply", "gate": "allowlisted_controlled_apply_only", "runtime_write": runtime_gate_count > 0},
|
||||
{"stage_id": "verify", "gate": "post_apply_readback_and_no_false_green", "runtime_write": False},
|
||||
{"stage_id": "learn", "gate": "KM_PlayBook_trust_writeback", "runtime_write": False},
|
||||
]
|
||||
|
||||
ui_requirements = [
|
||||
"one_glance_current_p0_blocker_next_action",
|
||||
"host_service_product_package_tool_coverage_map",
|
||||
"wazuh_registry_fim_vulnerability_alert_receipt_status",
|
||||
"runtime_acceptance_not_confused_with_deploy_success",
|
||||
"ai_agent_action_queue_with_check_mode_verifier_state",
|
||||
"details_only_for_long_boundary_text",
|
||||
]
|
||||
|
||||
acceptance_definition = [
|
||||
"all_scope_items_have_owner_scope_risk_and_verifier",
|
||||
"wazuh_registry_fim_vulnerability_and_alert_receipt_readback_green",
|
||||
"critical_tools_have_health_version_rule_and_redaction_readback",
|
||||
"packages_and_images_have_sbom_vulnerability_and_provenance_receipts",
|
||||
"ai_agent_actions_have_allowlist_check_mode_rollback_post_verifier",
|
||||
"production_dashboard_shows_runtime_acceptance_separate_from_delivery",
|
||||
]
|
||||
|
||||
return {
|
||||
"schema_version": "iwooos_security_governance_professional_review_v1",
|
||||
"status": "review_updated_runtime_closure_required",
|
||||
"review_scope_statement": (
|
||||
"Covers hosts, services, products, websites, tools, packages, security tools, "
|
||||
"runtime actions, AI Agents, MCP/RAG and production readback."
|
||||
),
|
||||
"completion_diagnosis": {
|
||||
"control_plane_visibility_percent": _as_int(
|
||||
summary.get("control_plane_visibility_percent")
|
||||
),
|
||||
"actual_runtime_acceptance_percent": runtime_acceptance,
|
||||
"owner_response_accepted_count": owner_accepted,
|
||||
"runtime_gate_count": runtime_gate_count,
|
||||
"visible_scope_unit_count": visible_scope_count,
|
||||
"control_domain_count": domain_count,
|
||||
"diagnosis": "control_plane_exists_runtime_security_closure_not_complete",
|
||||
},
|
||||
"root_cause_summary": root_causes,
|
||||
"scope_contract": scope_contract,
|
||||
"priority_work_items": priority_work_items,
|
||||
"security_tool_integration_matrix": tool_matrix,
|
||||
"ai_automation_closure_loop": ai_loop,
|
||||
"ui_ux_control_room_requirements": ui_requirements,
|
||||
"acceptance_definition": acceptance_definition,
|
||||
"boundaries": {
|
||||
"secret_value_collection_allowed": False,
|
||||
"raw_session_or_sqlite_read_allowed": False,
|
||||
"active_scan_without_target_selector_allowed": False,
|
||||
"auto_block_without_reviewer_allowed": False,
|
||||
"runtime_write_without_post_verifier_allowed": False,
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
def _summary_int(snapshot: dict[str, Any], key: str) -> int:
|
||||
return _as_int((snapshot.get("summary") or {}).get(key))
|
||||
|
||||
|
||||
Reference in New Issue
Block a user