- Security: input validation, SQL injection, auth annotations, secrets, CVE checks
- Architecture: API contract first, service boundaries, breaking change protocol
- DevOps: health checks, structured logging, resource limits, rollback safety
- Cost: resource tagging, auto-scaling limits, storage lifecycle
- Deterministic compliance checker (.tests/check.sh)
- Agent skill for context injection (Cursor, OpenSpec, Claude Code examples)
- Demo with intentional violations
Security Requirements
Phase: implementation
Enforcement: informational (graduating to blocking Q3 2026)
SEC-001: Input Validation
All external input (API request bodies, query parameters, headers, file uploads) MUST be validated through a schema validator before processing.
Rule: No raw request body access in business logic. All endpoints must define and validate against a schema (JSON Schema, protobuf, or framework-equivalent).
Test: Grep for direct request.body / req.body / getParameter() usage outside of the controller/validation layer.
// Bad: the raw parameter flows straight into a concatenated SQL string (violates SEC-001 and SEC-002)
String name = request.getParameter("name");
db.query("SELECT * FROM users WHERE name = '" + name + "'");
// Good: the request is validated against a schema and only the validated object reaches business logic
ValidatedInput input = validator.validate(request, CreateUserSchema.class);
userService.create(input);
SEC-002: No Raw SQL
All database queries MUST use parameterized queries or an ORM. No string concatenation in SQL statements.
Rule: Zero tolerance for SQL string concatenation with user-controlled values.
Test: Regex scan for SQL keywords adjacent to string concatenation operators (+, concat, format, f", template literals).
SEC-003: Authentication Annotations
All new REST endpoints MUST have an explicit auth annotation. No endpoint may be implicitly public.
Rule: Every @RequestMapping, @GetMapping, @PostMapping (or equivalent) must be accompanied by @ReltioSecured or @PublicEndpoint. Missing annotation = violation.
Test: AST/regex check that every endpoint method has an auth annotation.
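The SEC-003 check has to pair each endpoint mapping with the annotation group it belongs to, which a plain line grep cannot do once an annotation spans several lines. The Python scanner below is an added example, not the project's own .tests/check.sh; it assumes Spring-style Java controllers, uses the page's @ReltioSecured / @PublicEndpoint annotation names, and the controller source it scans is constructed for the example (two of its four endpoints lack an auth annotation, one of them behind a multi-line mapping).

```python
import re

# Constructed Spring-style controller used as scanner input (not from the original page).
SAMPLE_CONTROLLER = """\
@RestController
@RequestMapping("/api/users")
public class UserController {

    @GetMapping("/{id}")
    @ReltioSecured
    public User get(@PathVariable String id) { return null; }

    @PostMapping
    public User create(@RequestBody CreateUserRequest req) { return null; }

    @GetMapping("/health")
    @PublicEndpoint
    public String health() { return "ok"; }

    // Multi-line annotation: the check must not lose the mapping across lines.
    @DeleteMapping(
        value = "/{id}",
        produces = "application/json"
    )
    public void delete(@PathVariable String id) { }

    private User toUser(CreateUserRequest req) { return null; }
}
"""

ENDPOINT_ANNOTATIONS = {"RequestMapping", "GetMapping", "PostMapping",
                        "PutMapping", "DeleteMapping", "PatchMapping"}
AUTH_ANNOTATIONS = {"ReltioSecured", "PublicEndpoint"}   # names from the page's rule
ANNOTATION_NAME = re.compile(r"^@(\w+)")
METHOD_NAME = re.compile(r"(\w+)\s*\(")
TYPE_DECL = re.compile(r"\b(class|interface|enum|record)\b")


def find_unannotated_endpoints(source: str) -> list:
    """Return (line number, method name) for every endpoint method whose
    annotation group contains a mapping annotation but no auth annotation."""
    violations = []
    pending = []   # annotation names collected since the last declaration line
    depth = 0      # parenthesis depth while inside a multi-line annotation
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if depth > 0:
            # Still inside an annotation's argument list; naive count, ignores parens in strings.
            depth += line.count("(") - line.count(")")
            continue
        if not line or line.startswith(("//", "/*", "*")):
            continue
        m = ANNOTATION_NAME.match(line)
        if m:
            pending.append(m.group(1))
            depth += line.count("(") - line.count(")")
            continue
        # Any other line is the declaration the pending annotations belong to.
        seen = set(pending)
        is_method = not TYPE_DECL.search(line)   # class-level @RequestMapping is not an endpoint
        if is_method and seen & ENDPOINT_ANNOTATIONS and not seen & AUTH_ANNOTATIONS:
            name = METHOD_NAME.search(line)
            violations.append((lineno, name.group(1) if name else line))
        pending = []
    return violations


if __name__ == "__main__":
    for lineno, method in find_unannotated_endpoints(SAMPLE_CONTROLLER):
        print(f"SEC-003 line {lineno}: endpoint '{method}' has no auth annotation")
```

The scanner resets its annotation group at every declaration line, so a class-level mapping never leaks into the first method, and the parenthesis counter keeps the group intact across a multi-line @DeleteMapping(...). Because the count ignores parentheses inside string arguments, a mapping value such as "/a(b" would need a small tokenizer; for a deterministic CI check that is the edge to cover first.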
SEC-004: Secrets in Code
No hardcoded secrets, tokens, passwords, or API keys in source code.
Rule: All secrets must come from environment variables, vault, or config service. String literals matching secret patterns are violations.
Test: Regex scan for patterns: API keys, JWT tokens, passwords in string literals, base64-encoded credentials.
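The SEC-001, SEC-002 and SEC-004 tests are all line-oriented pattern scans; they differ only in the pattern and in where a match is tolerated (SEC-001 permits raw request access inside the validation layer). The Python checker below is an added example rather than the project's own check.sh: it expresses the three rules as one table, runs them over a small set of constructed source files, and exits non-zero when any finding remains so CI can block on it. The concrete secret patterns (AWS-style key id, JWT shape, credential literal, base64 basic-auth value) and the directory convention for the validation layer are assumptions to be tuned per code base.

```python
import re
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample repository: path -> source text (not from the original page).
SAMPLE_FILES: Dict[str, str] = {
    "src/main/java/com/example/service/UserService.java": (
        'String name = request.getParameter("name");\n'
        'db.query("SELECT * FROM users WHERE name = \'" + name + "\'");\n'
    ),
    "src/main/java/com/example/validation/RequestValidator.java": (
        'Object raw = request.getParameter("name"); // raw access is allowed in the validation layer\n'
    ),
    "services/report.py": (
        'rows = cur.execute(f"SELECT id FROM orders WHERE owner = {user}")\n'
        'rows = cur.execute("SELECT id FROM orders WHERE owner = ?", (user,))\n'
    ),
    "config/settings.py": (
        'API_KEY = "AKIAEXAMPLE000000000"  # constructed placeholder, not a real key\n'
        'TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
    ),
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str


@dataclass(frozen=True)
class Rule:
    rule_id: str
    matches: Callable[[str], bool]        # does this source line violate the rule?
    allowed_path: Callable[[str], bool]   # files in which a match is tolerated


# SEC-001: the page's own grep targets for raw request access.
RAW_INPUT = re.compile(r"\b(request\.body|req\.body|getParameter\s*\()")
# SEC-002: an SQL keyword on the same line as a string-building construct.
# Keywords are matched upper-case only so identifiers like select() do not trip the rule.
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|MERGE)\b")
CONCAT_OP = re.compile(r'"\s*\+|\+\s*"|\bconcat\s*\(|\.format\s*\(|\bf"|\$\{')
# SEC-004: secret-looking literals (assumed patterns).
SECRET_LITERAL = re.compile(
    r"AKIA[0-9A-Z]{16}"                                             # AWS-style access key id
    r"|eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"      # JWT: three base64url parts
    r"|(?i:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*[\"'][^\"']{8,}[\"']"  # credential literal
    r"|\bBasic\s+[A-Za-z0-9+/]{16,}={0,2}"                           # base64 basic-auth value
)


def in_validation_layer(path: str) -> bool:
    # Assumed layout: validation/controller code lives in a directory of that name.
    lowered = path.lower()
    return "/validation/" in lowered or "/controller/" in lowered


RULES: List[Rule] = [
    Rule("SEC-001", lambda s: RAW_INPUT.search(s) is not None, in_validation_layer),
    Rule("SEC-002", lambda s: SQL_KEYWORD.search(s) is not None and CONCAT_OP.search(s) is not None,
         lambda _p: False),
    Rule("SEC-004", lambda s: SECRET_LITERAL.search(s) is not None, lambda _p: False),
]


def scan(files: Dict[str, str]) -> List[Finding]:
    """Run every rule over every line; one Finding per (rule, file, line)."""
    findings: List[Finding] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule in RULES:
                if rule.matches(line) and not rule.allowed_path(path):
                    findings.append(Finding(rule.rule_id, path, lineno, line.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule_id] = counts.get(f.rule_id, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    for f in results:
        print(f"{f.rule_id} {f.path}:{f.line}: {f.snippet}")
    print("summary:", summarize(results))
    sys.exit(1 if results else 0)   # non-zero exit lets CI block on findings
```

Keeping the rule table data-driven is what makes the checker deterministic and reviewable: adding a pattern or an allowed path is a one-line diff, and the same scan function serves every rule. The SEC-002 rule deliberately requires both a keyword and a concatenation construct on one line, which misses queries built across several lines; for those the AST-based approach is the next step.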
SEC-005: Dependency Vulnerability
No new dependencies with known critical/high CVEs.
Rule: Any new dependency added to pom.xml, package.json, go.mod, or equivalent must pass a vulnerability scan.
Test: Run npm audit / mvn dependency-check:check / govulncheck on changed dependency files.