AI SDLC Standards: cross-cutting requirements mono repo
- Security: input validation, SQL injection, auth annotations, secrets, CVE checks
- Architecture: API contract first, service boundaries, breaking change protocol
- DevOps: health checks, structured logging, resource limits, rollback safety
- Cost: resource tagging, auto-scaling limits, storage lifecycle
- Deterministic compliance checker (.tests/check.sh)
- Agent skill for context injection (Cursor, OpenSpec, Claude Code examples)
- Demo with intentional violations
54
security/requirements.md
Normal file
@@ -0,0 +1,54 @@
|
||||
# Security Requirements
|
||||
|
||||
Phase: implementation
|
||||
Enforcement: informational (graduating to blocking Q3 2026)
|
||||
|
||||
## SEC-001: Input Validation
|
||||
|
||||
All external input (API request bodies, query parameters, headers, file uploads) MUST be validated through a schema validator before processing.
|
||||
|
||||
**Rule:** No raw request body access in business logic. All endpoints must define and validate against a schema (JSON Schema, protobuf, or framework-equivalent).
|
||||
|
||||
**Test:** Grep for direct `request.body` / `req.body` / `getParameter()` usage outside of controller/validation layer.
|
||||
|
||||
```
|
||||
# Bad
|
||||
String name = request.getParameter("name");
|
||||
db.query("SELECT * FROM users WHERE name = '" + name + "'");
|
||||
|
||||
# Good
|
||||
ValidatedInput input = validator.validate(request, CreateUserSchema.class);
|
||||
userService.create(input);
|
||||
```
|
||||
|
||||
## SEC-002: No Raw SQL
|
||||
|
||||
All database queries MUST use parameterized queries or an ORM. No string concatenation in SQL statements.
|
||||
|
||||
**Rule:** Zero tolerance for SQL string concatenation with user-controlled values.
|
||||
|
||||
**Test:** Regex scan for SQL keywords adjacent to string concatenation operators (`+`, `concat`, `format`, `f"`, template literals).
|
||||
|
||||
## SEC-003: Authentication Annotations
|
||||
|
||||
All new REST endpoints MUST have an explicit auth annotation. No endpoint may be implicitly public.
|
||||
|
||||
**Rule:** Every `@RequestMapping`, `@GetMapping`, `@PostMapping` (or equivalent) must be accompanied by `@ReltioSecured` or `@PublicEndpoint`. Missing annotation = violation.
|
||||
|
||||
**Test:** AST/regex check that every endpoint method has an auth annotation.
|
||||
|
||||
## SEC-004: Secrets in Code
|
||||
|
||||
No hardcoded secrets, tokens, passwords, or API keys in source code.
|
||||
|
||||
**Rule:** All secrets must come from environment variables, vault, or config service. String literals matching secret patterns are violations.
|
||||
|
||||
**Test:** Regex scan for patterns: API keys, JWT tokens, passwords in string literals, base64-encoded credentials.
|
||||
|
||||
## SEC-005: Dependency Vulnerability
|
||||
|
||||
No new dependencies with known critical/high CVEs.
|
||||
|
||||
**Rule:** Any new dependency added to `pom.xml`, `package.json`, `go.mod`, or equivalent must pass a vulnerability scan.
|
||||
|
||||
**Test:** Run `npm audit` / `mvn dependency-check:check` / `govulncheck` on changed dependency files.
|
||||
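Review bot: SEC-002 states two different scopes. The requirement line says "No string concatenation in SQL statements", while the Rule line narrows it to concatenation "with user-controlled values", and the regex Test cannot tell which values are user-controlled, so in practice it enforces the broader reading. Pick one scope and word the Rule and Test to match. Related: the "Bad" snippet under SEC-001 is mainly a SEC-002 violation (a concatenated `SELECT`) and the "Good" snippet shows no query at all, so SEC-002 has no example of a parameterized query; consider moving the concatenation case under SEC-002 with a parameterized counterpart. In SEC-005 the requirement limits failures to critical/high CVEs but the Test runs `npm audit` with no severity threshold; `npm audit --audit-level=high` would make the check match the rule.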