37a867c485
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access) - WAF Intelligence MCP server with threat analysis and ML classification - GitOps automation with PR workflows and drift detection - Observatory monitoring stack with Prometheus/Grafana - IDE operator rules for governed development - Security playbooks and compliance frameworks - Autonomous remediation and state reconciliation
84 lines
2.8 KiB
Python
84 lines
2.8 KiB
Python
from __future__ import annotations
|
|
|
|
from dataclasses import dataclass
|
|
from typing import Dict, List, Optional
|
|
|
|
|
|
@dataclass
|
|
class FrameworkMapping:
|
|
"""
|
|
Mapping between a WAF concept (e.g. 'SQLi protection') and references
|
|
in one or more compliance frameworks.
|
|
"""
|
|
|
|
control_id: str
|
|
framework: str # e.g. "PCI-DSS", "NIST-800-53", "GDPR"
|
|
description: str
|
|
references: List[str]
|
|
|
|
|
|
class ComplianceMapper:
|
|
"""
|
|
Map WAF rules / violations to compliance frameworks.
|
|
|
|
This starts as a simple static lookup table that we can extend over time.
|
|
"""
|
|
|
|
def __init__(self) -> None:
|
|
self._mappings: Dict[str, List[FrameworkMapping]] = self._build_default_mappings()
|
|
|
|
def _build_default_mappings(self) -> Dict[str, List[FrameworkMapping]]:
|
|
return {
|
|
"sqli_protection": [
|
|
FrameworkMapping(
|
|
control_id="6.6",
|
|
framework="PCI-DSS",
|
|
description="Ensure web-facing applications are protected against attacks such as SQL injection.",
|
|
references=["PCI-DSS v4.0 6.6", "OWASP Top 10 - A03:2021"],
|
|
)
|
|
],
|
|
"xss_protection": [
|
|
FrameworkMapping(
|
|
control_id="A5",
|
|
framework="OWASP-ASVS",
|
|
description="Verify that all user-controllable input is properly encoded or escaped.",
|
|
references=["OWASP Top 10 - A3: Cross-Site Scripting"],
|
|
)
|
|
],
|
|
"baseline_waf": [
|
|
FrameworkMapping(
|
|
control_id="13",
|
|
framework="OWASP-ASVS",
|
|
description="Centralized input validation, filtering, and WAF as compensating control.",
|
|
references=["OWASP-ASVS 13", "PCI-DSS 6.4.1"],
|
|
)
|
|
],
|
|
}
|
|
|
|
def map_concept(self, concept: str) -> List[FrameworkMapping]:
|
|
"""
|
|
Map a high-level WAF concept to compliance controls.
|
|
|
|
Example concepts:
|
|
- "sqli_protection"
|
|
- "xss_protection"
|
|
- "baseline_waf"
|
|
"""
|
|
return self._mappings.get(concept, [])
|
|
|
|
def best_effort_from_violation(self, message: str) -> List[FrameworkMapping]:
|
|
"""
|
|
Try to infer framework mappings from a violation message string.
|
|
This allows the analyzer to stay dumb while still attaching controls.
|
|
"""
|
|
msg = message.lower()
|
|
|
|
if "sql" in msg and "inject" in msg:
|
|
return self.map_concept("sqli_protection")
|
|
if "xss" in msg or "cross-site scripting" in msg:
|
|
return self.map_concept("xss_protection")
|
|
if "waf" in msg or "managed rules" in msg:
|
|
return self.map_concept("baseline_waf")
|
|
|
|
return []
|