AI SDLC Standards: cross-cutting requirements mono repo

- Security: input validation, SQL injection, auth annotations, secrets, CVE checks
- Architecture: API contract first, service boundaries, breaking change protocol
- DevOps: health checks, structured logging, resource limits, rollback safety
- Cost: resource tagging, auto-scaling limits, storage lifecycle
- Deterministic compliance checker (.tests/check.sh)
- Agent skill for context injection (Cursor, OpenSpec, Claude Code examples)
- Demo with intentional violations
Max Mayfield
2026-03-07 07:31:16 +00:00
commit a7728c6266
14 changed files with 476 additions and 0 deletions

1
security/OWNERS Normal file

@@ -0,0 +1 @@
@security-team

54
security/requirements.md Normal file

@@ -0,0 +1,54 @@
# Security Requirements
Phase: implementation
Enforcement: informational (graduating to blocking Q3 2026)
## SEC-001: Input Validation
All external input (API request bodies, query parameters, headers, file uploads) MUST be validated through a schema validator before processing.
**Rule:** No raw request body access in business logic. All endpoints must define and validate against a schema (JSON Schema, protobuf, or framework-equivalent).
**Test:** Grep for direct `request.body` / `req.body` / `getParameter()` usage outside of controller/validation layer.
```
# Bad
String name = request.getParameter("name");
db.query("SELECT * FROM users WHERE name = '" + name + "'");
# Good
ValidatedInput input = validator.validate(request, CreateUserSchema.class);
userService.create(input);
```
## SEC-002: No Raw SQL
All database queries MUST use parameterized queries or an ORM. No string concatenation in SQL statements.
**Rule:** Zero tolerance for SQL string concatenation with user-controlled values.
**Test:** Regex scan for SQL keywords adjacent to string concatenation operators (`+`, `concat`, `format`, `f"`, template literals).
## SEC-003: Authentication Annotations
All new REST endpoints MUST have an explicit auth annotation. No endpoint may be implicitly public.
**Rule:** Every `@RequestMapping`, `@GetMapping`, `@PostMapping` (or equivalent) must be accompanied by `@ReltioSecured` or `@PublicEndpoint`. Missing annotation = violation.
**Test:** AST/regex check that every endpoint method has an auth annotation.
## SEC-004: Secrets in Code
No hardcoded secrets, tokens, passwords, or API keys in source code.
**Rule:** All secrets must come from environment variables, vault, or config service. String literals matching secret patterns are violations.
**Test:** Regex scan for patterns: API keys, JWT tokens, passwords in string literals, base64-encoded credentials.
## SEC-005: Dependency Vulnerability
No new dependencies with known critical/high CVEs.
**Rule:** Any new dependency added to `pom.xml`, `package.json`, `go.mod`, or equivalent must pass a vulnerability scan.
**Test:** Run `npm audit` / `mvn dependency-check:check` / `govulncheck` on changed dependency files.
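
Review bot: In SEC-002 the requirement sentence and the Rule disagree on scope: the first line bans all string concatenation in SQL statements, while the Rule limits zero tolerance to concatenation "with user-controlled values", and the regex Test described there cannot tell whether a value is user-controlled. Suggest making the Rule match the first sentence (any concatenation or formatting into a SQL string is a violation) so the text and the check enforce the same thing. Two smaller points: the SEC-001 "Bad" sample is also a SEC-002 violation, so a cross-reference would help, and its fence has no language tag and uses `#` markers that are not Java comments; SEC-005 says "critical/high" but the Test line lists the scanners without a severity threshold, so state the threshold each scan must be run with.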