Stop tracking generated evidence bundles#166
Closed
DevOpsMadDog wants to merge 2 commits into
Closed
Conversation
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
40 issues found across 147 files
Prompt for AI agents (all 40 issues)
Understand the root cause of the following 40 issues and fix them.
<file name="tests/APP1/perf_k6.js">
<violation number="1" location="tests/APP1/perf_k6.js:2">
Trend and Rate must be imported from 'k6/metrics'; bringing them in from 'k6' leads to an import error when running the test.</violation>
<violation number="2" location="tests/APP1/perf_k6.js:35">
http.post builds an invalid URL when __ENV.HOST is unset, causing the script to throw before sending any requests.</violation>
</file>
<file name="policy/APP2/security_controls.rego">
<violation number="1" location="policy/APP2/security_controls.rego:5">
The negated check enumerates the routes array independently, so it only fails if no route anywhere has the signatures plugin enabled. As soon as some other route enables the plugin, this rule stops flagging the webhook route even when that specific route lacks HMAC enforcement, creating a security gap.</violation>
<violation number="2" location="policy/APP2/security_controls.rego:30">
This query evaluates the key and source predicates against different elements of the lambda_env array. It produces false violations whenever any other variable comes from a non–Secrets Manager source, even if PARTNER_SECRET is configured correctly.</violation>
</file>
<file name="policy/APP3/security_controls.rego">
<violation number="1" location="policy/APP3/security_controls.rego:5">
These ingress conditions iterate with anonymous indices (`_`), so the host, port, and allow_public checks can bind to different elements. That means the rule can deny even when the admin ingress is private, because it can mix data from unrelated entries. Bind the ingress (and nested rule/path) to named variables and reuse them in each predicate so all checks refer to the same resource.</violation>
<violation number="2" location="policy/APP3/security_controls.rego:13">
Deployments missing runAsNonRoot escape the non-root enforcement.</violation>
</file>
<file name="policy/APP4/security_controls.rego">
<violation number="1" location="policy/APP4/security_controls.rego:6">
This rule never fires because it checks `change.change.after.type` for the Lambda resource type, but Terraform plan entries expose the type on the top-level `resource_changes[*].type`. As written, `change.change.after` only holds resource attributes and lacks that value, so HSM credentials in Lambda env vars slip through.</violation>
<violation number="2" location="policy/APP4/security_controls.rego:14">
The security-group rule check compares `sg.change.after.type` to `aws_security_group_rule`, but that nested field represents the rule direction (e.g., ingress/egress). The resource type lives on the top-level `resource_changes[*].type`, so this condition is never satisfied and public MQTT rules won't be caught.</violation>
</file>
<file name="tests/APP1/chaos_playbooks/broker_failover.md">
<violation number="1" location="tests/APP1/chaos_playbooks/broker_failover.md:6">
The instructions point to a `new-billing` contract replay scenario that is not defined in `tests/APP1/contract_tests/openapi.yaml`, so readers cannot execute the documented workflow as written.</violation>
<violation number="2" location="tests/APP1/chaos_playbooks/broker_failover.md:9">
This step references `scripts/billing_load.sh`, but that script is not present in the repository, so following the playbook will fail.</violation>
</file>
<file name="tests/APP2/chaos_playbooks/pod_kill.md">
<violation number="1" location="tests/APP2/chaos_playbooks/pod_kill.md:5">
The documented delete command adds `--limit=2`, but `kubectl delete` does not support a `--limit` flag, so the chaos experiment will fail before terminating any pods. Please remove the unsupported flag or replace the command with a valid approach to delete only two pods.</violation>
</file>
<file name="tests/APP3/chaos_playbooks/pod_kill.md">
<violation number="1" location="tests/APP3/chaos_playbooks/pod_kill.md:5">
`kubectl delete` does not support `--limit`, so this command will fail. Please remove the unsupported flag or revise the step to delete a bounded subset of pods in a supported way.</violation>
</file>
<file name="artifacts/all_apps_reference.json">
<violation number="1" location="artifacts/all_apps_reference.json:40">
The evidence bundle path should use the CLI’s {tag}.zip naming. With tag APP1 the bundle lands at evidence/bundles/APP1.zip, so pointing to APP1_bundle.zip will break lookups in this manifest.</violation>
<violation number="2" location="artifacts/all_apps_reference.json:89">
This expected_path should match the CLI output evidence/bundles/APP2.zip; using APP2_bundle.zip points to a non-existent file.</violation>
<violation number="3" location="artifacts/all_apps_reference.json:138">
Please align this expected_path with the actual CLI bundle output evidence/bundles/APP3.zip; the _bundle suffix is incorrect.</violation>
<violation number="4" location="artifacts/all_apps_reference.json:187">
Set this expected_path to evidence/bundles/APP4.zip so it matches the CLI bundle output instead of the non-existent APP4_bundle.zip.</violation>
</file>
<file name="tests/APP4/chaos_playbooks/pod_kill.md">
<violation number="1" location="tests/APP4/chaos_playbooks/pod_kill.md:5">
`kubectl delete` does not support the `--limit` flag, so this step errors and prevents engineers from killing only part of the deployment. Replace it with a command that enumerates the specific pods to delete.</violation>
</file>
<file name="tests/APP4/idempotency_tests/audit_logs.yaml">
<violation number="1" location="tests/APP4/idempotency_tests/audit_logs.yaml:17">
Embedding ${log_snapshot} in a single-quoted literal causes SyntaxError when logs contain apostrophes; wrap the JSON in a triple-quoted string instead.</violation>
</file>
<file name="tests/APP1/chaos_playbooks/pod_kill.md">
<violation number="1" location="tests/APP1/chaos_playbooks/pod_kill.md:7">
`kubectl delete` does not have a `--limit` flag, so this instruction fails and the chaos experiment will not delete pods. Please adjust the command to select just three pods without using `--limit`.</violation>
</file>
<file name="policy/APP1/security_controls.rego">
<violation number="1" location="policy/APP1/security_controls.rego:41">
TLS policy rule fails to enforce TLS 1.2+ and allows weaker TLS versions.</violation>
<violation number="2" location="policy/APP1/security_controls.rego:41">
This condition will incorrectly deny secure AWS HTTPS listeners because their protocol value is "HTTPS", which does not start with "TLS". Please allow HTTPS alongside TLS when enforcing the protocol requirement.</violation>
</file>
<file name="tests/APP3/contract_tests/openapi.yaml">
<violation number="1" location="tests/APP3/contract_tests/openapi.yaml:48">
The Patient schema marks `id` as required, but FHIR create calls must omit `id` because the server assigns it. This contract will reject compliant POST /fhir/Patient requests; please drop `id` from the required list.</violation>
</file>
<file name="tests/APP1/idempotency_tests/quote_idempotency.yaml">
<violation number="1" location="tests/APP1/idempotency_tests/quote_idempotency.yaml:10">
The first request needs to send the same Idempotency-Key as the replay, otherwise the server treats them as distinct submissions and the replay expectations (quote_id reuse and X-Idempotent-Replay) will fail.</violation>
</file>
<file name="tests/APP2/partner_simulators/valid_signature.py">
<violation number="1" location="tests/APP2/partner_simulators/valid_signature.py:32">
The printed body is reserialized with default spacing, so the HTTP payload no longer matches the bytes used to compute the HMAC and the signature becomes invalid. Emit the canonical JSON string used during signing instead.</violation>
</file>
<file name="tests/APP3/perf_k6.js">
<violation number="1" location="tests/APP3/perf_k6.js:24">
Performance check incorrectly treats HTTP 400 (invalid search) responses as success, masking real failures.</violation>
</file>
<file name="inputs/APP2/sbom.json">
<violation number="1" location="inputs/APP2/sbom.json:18">
The SBOM entry names the library as "aws-sdk" while the purl targets "@aws-sdk/client-sqs" and uses a version number that only exists for the scoped package, producing an inconsistent component definition.</violation>
</file>
<file name="tests/APP1/chaos_playbooks/network_partition.md">
<violation number="1" location="tests/APP1/chaos_playbooks/network_partition.md:6">
The chaos playbook references `manifests/istio/pricing-db-partition.yaml`, but that manifest path does not exist in the repo, so the documented experiment cannot be executed as written.</violation>
</file>
<file name="artifacts/remediation_prs/APP3_remediation.md">
<violation number="1" location="artifacts/remediation_prs/APP3_remediation.md:6">
This remediation bundle points to services/patient-api/build.gradle.kts, but that file does not exist in this repo, so the documented patch cannot be validated. Please reference the actual module path or update the evidence snippet accordingly.</violation>
<violation number="2" location="artifacts/remediation_prs/APP3_remediation.md:18">
The evidence bundle cites infra/terraform/network.tf, but that path is missing from this repository, so the ingress hardening change cannot be traced. Please correct the file path or supply the accurate evidence location.</violation>
<violation number="3" location="artifacts/remediation_prs/APP3_remediation.md:44">
This remediation record points to services/telemetry/metrics.ts, which does not exist here, so the Cosmos throttling mitigation cannot be substantiated. Please update the snippet to the correct file path or provide the right artifact.</violation>
</file>
<file name="cli-tests/APP1/cli_smoke.sh">
<violation number="1" location="cli-tests/APP1/cli_smoke.sh:12">
Create the artifacts/APP1 directory before redirecting CLI output so the smoke test doesn’t exit when the artifacts tree is cleaned.</violation>
</file>
<file name="tests/APP2/chaos_playbooks/network_partition.md">
<violation number="1" location="tests/APP2/chaos_playbooks/network_partition.md:5">
Returning HTTP 503 here doesn’t simulate a true network partition, so the procedure won’t validate the stated objective. Please have the fault injection drop or time out upstream connections instead so the circuit breaker is exercised correctly.</violation>
</file>
<file name="tests/APP2/chaos_playbooks/disk_full.md">
<violation number="1" location="tests/APP2/chaos_playbooks/disk_full.md:7">
Validating the fallback path with 304 responses is incorrect. After disk eviction the origin should send 200s, so this guidance would cause testers to misread a healthy fallback as failure.</violation>
</file>
<file name="artifacts/APP1/tf_plan.json">
<violation number="1" location="artifacts/APP1/tf_plan.json:9">
Terraform treats storage_encrypted as ForceNew on aws_db_instance, so enabling encryption forces the instance to be replaced. Marking this change as an update misrepresents Terraform’s actual plan (it would be create/delete), making the artifact incorrect.</violation>
</file>
<file name="tests/APP2/perf_k6.js">
<violation number="1" location="tests/APP2/perf_k6.js:34">
GraphQL requests can return HTTP 200 while still including an `errors` array, so this status-only check will let failing operations pass the load test. Please assert that 200 responses do not contain GraphQL errors.</violation>
</file>
<file name="inputs/APP4/sbom.json">
<violation number="1" location="inputs/APP4/sbom.json:15">
The go-chi component should use the Go module version string with the leading "v" (e.g., v5.0.10); otherwise the SBOM points to a non-existent version, breaking dependency resolution.</violation>
<violation number="2" location="inputs/APP4/sbom.json:16">
Use the Go module version string with the "v" prefix (v1.45.0) so the SBOM maps to the actual aws-lambda-go release.</violation>
<violation number="3" location="inputs/APP4/sbom.json:17">
Update the grpc component version to include the required Go module "v" prefix so the SBOM references the real release (v1.62.0).</violation>
</file>
<file name="artifacts/threat_matrices/APP1_threat_matrix.md">
<violation number="1" location="artifacts/threat_matrices/APP1_threat_matrix.md:6">
The validation reference points to tests/APP1/chaos_playbooks/pipeline_supply_chain.md, but that file doesn’t exist in the repo, so readers can’t locate the supporting chaos evidence.</violation>
<violation number="2" location="artifacts/threat_matrices/APP1_threat_matrix.md:8">
The validation reference points to policy/APP1/deny_public_db.rego, but that file isn’t present, so the documented mitigation evidence cannot be located.</violation>
</file>
React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.
| @@ -0,0 +1,44 @@ | |||
| import http from 'k6/http'; | |||
| import { check, sleep, Trend, Rate } from 'k6'; | |||
Contributor
There was a problem hiding this comment.
Trend and Rate must be imported from 'k6/metrics'; bringing them in from 'k6' leads to an import error when running the test.
Prompt for AI agents
Address the following comment on tests/APP1/perf_k6.js at line 2:
<comment>Trend and Rate must be imported from 'k6/metrics'; bringing them in from 'k6' leads to an import error when running the test.</comment>
<file context>
@@ -0,0 +1,44 @@
+import http from 'k6/http';
+import { check, sleep, Trend, Rate } from 'k6';
+
+export let options = {
</file context>
|
|
||
| violation[msg] { | ||
| input.gateway.routes[_].path == "/api/webhooks/{partner}" | ||
| not input.gateway.routes[_].plugins.signatures.enabled |
Contributor
There was a problem hiding this comment.
The negated check enumerates the routes array independently, so it only fails if no route anywhere has the signatures plugin enabled. As soon as some other route enables the plugin, this rule stops flagging the webhook route even when that specific route lacks HMAC enforcement, creating a security gap.
Prompt for AI agents
Address the following comment on policy/APP2/security_controls.rego at line 5:
<comment>The negated check enumerates the routes array independently, so it only fails if no route anywhere has the signatures plugin enabled. As soon as some other route enables the plugin, this rule stops flagging the webhook route even when that specific route lacks HMAC enforcement, creating a security gap.</comment>
<file context>
@@ -0,0 +1,32 @@
+
+violation[msg] {
+ input.gateway.routes[_].path == "/api/webhooks/{partner}"
+ not input.gateway.routes[_].plugins.signatures.enabled
+ msg := "Webhook route must enforce HMAC signature plugin"
+}
</file context>
| deny[msg] { | ||
| some deploy | ||
| deploy := input.kubernetes.deployments[_] | ||
| deploy.spec.template.spec.containers[_].securityContext.runAsNonRoot == false |
Contributor
There was a problem hiding this comment.
Deployments missing runAsNonRoot escape the non-root enforcement.
Prompt for AI agents
Address the following comment on policy/APP3/security_controls.rego at line 13:
<comment>Deployments missing runAsNonRoot escape the non-root enforcement.</comment>
<file context>
@@ -0,0 +1,32 @@
+deny[msg] {
+ some deploy
+ deploy := input.kubernetes.deployments[_]
+ deploy.spec.template.spec.containers[_].securityContext.runAsNonRoot == false
+ msg := sprintf("Deployment %s must run as non-root", [deploy.metadata.name])
+}
</file context>
| deny[msg] { | ||
| some sg | ||
| sg := input.resource_changes[_] | ||
| sg.change.after.type == "aws_security_group_rule" |
Contributor
There was a problem hiding this comment.
The security-group rule check compares sg.change.after.type to aws_security_group_rule, but that nested field represents the rule direction (e.g., ingress/egress). The resource type lives on the top-level resource_changes[*].type, so this condition is never satisfied and public MQTT rules won't be caught.
Prompt for AI agents
Address the following comment on policy/APP4/security_controls.rego at line 14:
<comment>The security-group rule check compares `sg.change.after.type` to `aws_security_group_rule`, but that nested field represents the rule direction (e.g., ingress/egress). The resource type lives on the top-level `resource_changes[*].type`, so this condition is never satisfied and public MQTT rules won't be caught.</comment>
<file context>
@@ -0,0 +1,39 @@
+deny[msg] {
+ some sg
+ sg := input.resource_changes[_]
+ sg.change.after.type == "aws_security_group_rule"
+ sg.change.after.cidr_blocks[_] == "0.0.0.0/0"
+ sg.change.after.to_port == 8883
</file context>
Suggested change
| sg.change.after.type == "aws_security_group_rule" | |
| sg.type == "aws_security_group_rule" |
| deny[msg] { | ||
| some change | ||
| change := input.resource_changes[_] | ||
| change.change.after.type == "aws_lambda_function" |
Contributor
There was a problem hiding this comment.
This rule never fires because it checks change.change.after.type for the Lambda resource type, but Terraform plan entries expose the type on the top-level resource_changes[*].type. As written, change.change.after only holds resource attributes and lacks that value, so HSM credentials in Lambda env vars slip through.
Prompt for AI agents
Address the following comment on policy/APP4/security_controls.rego at line 6:
<comment>This rule never fires because it checks `change.change.after.type` for the Lambda resource type, but Terraform plan entries expose the type on the top-level `resource_changes[*].type`. As written, `change.change.after` only holds resource attributes and lacks that value, so HSM credentials in Lambda env vars slip through.</comment>
<file context>
@@ -0,0 +1,39 @@
+deny[msg] {
+ some change
+ change := input.resource_changes[_]
+ change.change.after.type == "aws_lambda_function"
+ change.change.after.environment.variables.HSM_PASSWORD
+ msg := "Lambda functions cannot store HSM credentials in environment variables"
</file context>
Suggested change
| change.change.after.type == "aws_lambda_function" | |
| change.type == "aws_lambda_function" |
| "components": [ | ||
| {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"}, | ||
| {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"}, | ||
| {"type": "library", "name": "grpc", "version": "1.62.0", "purl": "pkg:golang/google.golang.org/grpc@1.62.0"}, |
Contributor
There was a problem hiding this comment.
Update the grpc component version to include the required Go module "v" prefix so the SBOM references the real release (v1.62.0).
Prompt for AI agents
Address the following comment on inputs/APP4/sbom.json at line 17:
<comment>Update the grpc component version to include the required Go module "v" prefix so the SBOM references the real release (v1.62.0).</comment>
<file context>
@@ -0,0 +1,20 @@
+ "components": [
+ {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"},
+ {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"},
+ {"type": "library", "name": "grpc", "version": "1.62.0", "purl": "pkg:golang/google.golang.org/grpc@1.62.0"},
+ {"type": "library", "name": "node", "version": "20.10.0", "purl": "pkg:docker/node@20.10.0"}
+ ]
</file context>
Suggested change
| {"type": "library", "name": "grpc", "version": "1.62.0", "purl": "pkg:golang/google.golang.org/grpc@1.62.0"}, | |
| {"type": "library", "name": "grpc", "version": "v1.62.0", "purl": "pkg:golang/google.golang.org/grpc@v1.62.0"}, |
| }, | ||
| "components": [ | ||
| {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"}, | ||
| {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"}, |
Contributor
There was a problem hiding this comment.
Use the Go module version string with the "v" prefix (v1.45.0) so the SBOM maps to the actual aws-lambda-go release.
Prompt for AI agents
Address the following comment on inputs/APP4/sbom.json at line 16:
<comment>Use the Go module version string with the "v" prefix (v1.45.0) so the SBOM maps to the actual aws-lambda-go release.</comment>
<file context>
@@ -0,0 +1,20 @@
+ },
+ "components": [
+ {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"},
+ {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"},
+ {"type": "library", "name": "grpc", "version": "1.62.0", "purl": "pkg:golang/google.golang.org/grpc@1.62.0"},
+ {"type": "library", "name": "node", "version": "20.10.0", "purl": "pkg:docker/node@20.10.0"}
</file context>
Suggested change
| {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"}, | |
| {"type": "library", "name": "aws-lambda-go", "version": "v1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@v1.45.0"}, |
| } | ||
| }, | ||
| "components": [ | ||
| {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"}, |
Contributor
There was a problem hiding this comment.
The go-chi component should use the Go module version string with the leading "v" (e.g., v5.0.10); otherwise the SBOM points to a non-existent version, breaking dependency resolution.
Prompt for AI agents
Address the following comment on inputs/APP4/sbom.json at line 15:
<comment>The go-chi component should use the Go module version string with the leading "v" (e.g., v5.0.10); otherwise the SBOM points to a non-existent version, breaking dependency resolution.</comment>
<file context>
@@ -0,0 +1,20 @@
+ }
+ },
+ "components": [
+ {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"},
+ {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"},
+ {"type": "library", "name": "grpc", "version": "1.62.0", "purl": "pkg:golang/google.golang.org/grpc@1.62.0"},
</file context>
Suggested change
| {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"}, | |
| {"type": "library", "name": "go-chi", "version": "v5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@v5.0.10"}, |
| | APP1-T1 | STRIDE (Spoofing) | Identity Abuse | Steal competitor quotes by impersonating brokers | Credential stuffing via leaked broker emails | Enforce MFA, rate-limit login, anomaly detection | `tests/APP1/authz_tests/matrix.csv` | | ||
| | APP1-T2 | STRIDE (Tampering) | Code Integrity | Manipulate pricing model to offer fraudulent discounts | Supply chain compromise of pricing container image | Signed builds, admission controller, provenance attestation | `tests/APP1/chaos_playbooks/pipeline_supply_chain.md` | | ||
| | APP1-T3 | STRIDE (Repudiation) | Audit Evasion | Remove approval records to hide insider fraud | Abuse admin API to delete audit entries | Write-once audit store, approval workflow ledger | `tests/APP1/idempotency_tests/audit_replay.yaml` | | ||
| | APP1-T4 | STRIDE (Information Disclosure) | PHI Exposure | Exfiltrate policyholder SSNs | Public LoadBalancer on postgres service | Private subnets, service mesh mtls, network policies | `policy/APP1/deny_public_db.rego` | |
Contributor
There was a problem hiding this comment.
The validation reference points to policy/APP1/deny_public_db.rego, but that file isn’t present, so the documented mitigation evidence cannot be located.
Prompt for AI agents
Address the following comment on artifacts/threat_matrices/APP1_threat_matrix.md at line 8:
<comment>The validation reference points to policy/APP1/deny_public_db.rego, but that file isn’t present, so the documented mitigation evidence cannot be located.</comment>
<file context>
@@ -0,0 +1,24 @@
+| APP1-T1 | STRIDE (Spoofing) | Identity Abuse | Steal competitor quotes by impersonating brokers | Credential stuffing via leaked broker emails | Enforce MFA, rate-limit login, anomaly detection | `tests/APP1/authz_tests/matrix.csv` |
+| APP1-T2 | STRIDE (Tampering) | Code Integrity | Manipulate pricing model to offer fraudulent discounts | Supply chain compromise of pricing container image | Signed builds, admission controller, provenance attestation | `tests/APP1/chaos_playbooks/pipeline_supply_chain.md` |
+| APP1-T3 | STRIDE (Repudiation) | Audit Evasion | Remove approval records to hide insider fraud | Abuse admin API to delete audit entries | Write-once audit store, approval workflow ledger | `tests/APP1/idempotency_tests/audit_replay.yaml` |
+| APP1-T4 | STRIDE (Information Disclosure) | PHI Exposure | Exfiltrate policyholder SSNs | Public LoadBalancer on postgres service | Private subnets, service mesh mtls, network policies | `policy/APP1/deny_public_db.rego` |
+| APP1-T5 | STRIDE (DoS) | Availability | Disrupt quote generation before renewal deadlines | Botnet API flooding | Global rate-limits, autoscaling, WAF challenge | `tests/APP1/perf_k6.js` |
+| APP1-P1 | LINDDUN (Linkability) | Privacy | Link anonymized claims to individuals | Cross-correlation of analytics exports | Tokenization, aggregated reporting windows | `tests/APP1/contract_tests/openapi.yaml` |
</file context>
| | Threat ID | Framework | Category | Attacker Objective | Attack Vector | Mitigations | Validation | | ||
| |-----------|-----------|----------|--------------------|---------------|------------|-----------| | ||
| | APP1-T1 | STRIDE (Spoofing) | Identity Abuse | Steal competitor quotes by impersonating brokers | Credential stuffing via leaked broker emails | Enforce MFA, rate-limit login, anomaly detection | `tests/APP1/authz_tests/matrix.csv` | | ||
| | APP1-T2 | STRIDE (Tampering) | Code Integrity | Manipulate pricing model to offer fraudulent discounts | Supply chain compromise of pricing container image | Signed builds, admission controller, provenance attestation | `tests/APP1/chaos_playbooks/pipeline_supply_chain.md` | |
Contributor
There was a problem hiding this comment.
The validation reference points to tests/APP1/chaos_playbooks/pipeline_supply_chain.md, but that file doesn’t exist in the repo, so readers can’t locate the supporting chaos evidence.
Prompt for AI agents
Address the following comment on artifacts/threat_matrices/APP1_threat_matrix.md at line 6:
<comment>The validation reference points to tests/APP1/chaos_playbooks/pipeline_supply_chain.md, but that file doesn’t exist in the repo, so readers can’t locate the supporting chaos evidence.</comment>
<file context>
@@ -0,0 +1,24 @@
+| Threat ID | Framework | Category | Attacker Objective | Attack Vector | Mitigations | Validation |
+|-----------|-----------|----------|--------------------|---------------|------------|-----------|
+| APP1-T1 | STRIDE (Spoofing) | Identity Abuse | Steal competitor quotes by impersonating brokers | Credential stuffing via leaked broker emails | Enforce MFA, rate-limit login, anomaly detection | `tests/APP1/authz_tests/matrix.csv` |
+| APP1-T2 | STRIDE (Tampering) | Code Integrity | Manipulate pricing model to offer fraudulent discounts | Supply chain compromise of pricing container image | Signed builds, admission controller, provenance attestation | `tests/APP1/chaos_playbooks/pipeline_supply_chain.md` |
+| APP1-T3 | STRIDE (Repudiation) | Audit Evasion | Remove approval records to hide insider fraud | Abuse admin API to delete audit entries | Write-once audit store, approval workflow ledger | `tests/APP1/idempotency_tests/audit_replay.yaml` |
+| APP1-T4 | STRIDE (Information Disclosure) | PHI Exposure | Exfiltrate policyholder SSNs | Public LoadBalancer on postgres service | Private subnets, service mesh mtls, network policies | `policy/APP1/deny_public_db.rego` |
</file context>
Contributor
There was a problem hiding this comment.
40 issues found across 147 files
Prompt for AI agents (all 40 issues)
Understand the root cause of the following 40 issues and fix them.
<file name="tests/APP1/perf_k6.js">
<violation number="1" location="tests/APP1/perf_k6.js:2">
Trend and Rate must be imported from 'k6/metrics'; bringing them in from 'k6' leads to an import error when running the test.</violation>
<violation number="2" location="tests/APP1/perf_k6.js:35">
http.post builds an invalid URL when __ENV.HOST is unset, causing the script to throw before sending any requests.</violation>
</file>
<file name="policy/APP2/security_controls.rego">
<violation number="1" location="policy/APP2/security_controls.rego:5">
The negated check enumerates the routes array independently, so it only fails if no route anywhere has the signatures plugin enabled. As soon as some other route enables the plugin, this rule stops flagging the webhook route even when that specific route lacks HMAC enforcement, creating a security gap.</violation>
<violation number="2" location="policy/APP2/security_controls.rego:30">
This query evaluates the key and source predicates against different elements of the lambda_env array. It produces false violations whenever any other variable comes from a non–Secrets Manager source, even if PARTNER_SECRET is configured correctly.</violation>
</file>
<file name="policy/APP3/security_controls.rego">
<violation number="1" location="policy/APP3/security_controls.rego:5">
These ingress conditions iterate with anonymous indices (`_`), so the host, port, and allow_public checks can bind to different elements. That means the rule can deny even when the admin ingress is private, because it can mix data from unrelated entries. Bind the ingress (and nested rule/path) to named variables and reuse them in each predicate so all checks refer to the same resource.</violation>
<violation number="2" location="policy/APP3/security_controls.rego:13">
Deployments missing runAsNonRoot escape the non-root enforcement.</violation>
</file>
<file name="policy/APP4/security_controls.rego">
<violation number="1" location="policy/APP4/security_controls.rego:6">
This rule never fires because it checks `change.change.after.type` for the Lambda resource type, but Terraform plan entries expose the type on the top-level `resource_changes[*].type`. As written, `change.change.after` only holds resource attributes and lacks that value, so HSM credentials in Lambda env vars slip through.</violation>
<violation number="2" location="policy/APP4/security_controls.rego:14">
The security-group rule check compares `sg.change.after.type` to `aws_security_group_rule`, but that nested field represents the rule direction (e.g., ingress/egress). The resource type lives on the top-level `resource_changes[*].type`, so this condition is never satisfied and public MQTT rules won't be caught.</violation>
</file>
<file name="tests/APP1/chaos_playbooks/broker_failover.md">
<violation number="1" location="tests/APP1/chaos_playbooks/broker_failover.md:6">
The instructions point to a `new-billing` contract replay scenario that is not defined in `tests/APP1/contract_tests/openapi.yaml`, so readers cannot execute the documented workflow as written.</violation>
<violation number="2" location="tests/APP1/chaos_playbooks/broker_failover.md:9">
This step references `scripts/billing_load.sh`, but that script is not present in the repository, so following the playbook will fail.</violation>
</file>
<file name="tests/APP2/chaos_playbooks/pod_kill.md">
<violation number="1" location="tests/APP2/chaos_playbooks/pod_kill.md:5">
The documented delete command adds `--limit=2`, but `kubectl delete` does not support a `--limit` flag, so the chaos experiment will fail before terminating any pods. Please remove the unsupported flag or replace the command with a valid approach to delete only two pods.</violation>
</file>
<file name="tests/APP3/chaos_playbooks/pod_kill.md">
<violation number="1" location="tests/APP3/chaos_playbooks/pod_kill.md:5">
`kubectl delete` does not support `--limit`, so this command will fail. Please remove the unsupported flag or revise the step to delete a bounded subset of pods in a supported way.</violation>
</file>
<file name="artifacts/all_apps_reference.json">
<violation number="1" location="artifacts/all_apps_reference.json:40">
The evidence bundle path should use the CLI’s {tag}.zip naming. With tag APP1 the bundle lands at evidence/bundles/APP1.zip, so pointing to APP1_bundle.zip will break lookups in this manifest.</violation>
<violation number="2" location="artifacts/all_apps_reference.json:89">
This expected_path should match the CLI output evidence/bundles/APP2.zip; using APP2_bundle.zip points to a non-existent file.</violation>
<violation number="3" location="artifacts/all_apps_reference.json:138">
Please align this expected_path with the actual CLI bundle output evidence/bundles/APP3.zip; the _bundle suffix is incorrect.</violation>
<violation number="4" location="artifacts/all_apps_reference.json:187">
Set this expected_path to evidence/bundles/APP4.zip so it matches the CLI bundle output instead of the non-existent APP4_bundle.zip.</violation>
</file>
<file name="tests/APP4/chaos_playbooks/pod_kill.md">
<violation number="1" location="tests/APP4/chaos_playbooks/pod_kill.md:5">
`kubectl delete` does not support the `--limit` flag, so this step errors and prevents engineers from killing only part of the deployment. Replace it with a command that enumerates the specific pods to delete.</violation>
</file>
<file name="tests/APP4/idempotency_tests/audit_logs.yaml">
<violation number="1" location="tests/APP4/idempotency_tests/audit_logs.yaml:17">
Embedding ${log_snapshot} in a single-quoted literal causes SyntaxError when logs contain apostrophes; wrap the JSON in a triple-quoted string instead.</violation>
</file>
<file name="tests/APP1/chaos_playbooks/pod_kill.md">
<violation number="1" location="tests/APP1/chaos_playbooks/pod_kill.md:7">
`kubectl delete` does not have a `--limit` flag, so this instruction fails and the chaos experiment will not delete pods. Please adjust the command to select just three pods without using `--limit`.</violation>
</file>
<file name="policy/APP1/security_controls.rego">
<violation number="1" location="policy/APP1/security_controls.rego:41">
TLS policy rule fails to enforce TLS 1.2+ and allows weaker TLS versions.</violation>
<violation number="2" location="policy/APP1/security_controls.rego:41">
This condition will incorrectly deny secure AWS HTTPS listeners because their protocol value is "HTTPS", which does not start with "TLS". Please allow HTTPS alongside TLS when enforcing the protocol requirement.</violation>
</file>
<file name="tests/APP3/contract_tests/openapi.yaml">
<violation number="1" location="tests/APP3/contract_tests/openapi.yaml:48">
The Patient schema marks `id` as required, but FHIR create calls must omit `id` because the server assigns it. This contract will reject compliant POST /fhir/Patient requests; please drop `id` from the required list.</violation>
</file>
<file name="tests/APP1/idempotency_tests/quote_idempotency.yaml">
<violation number="1" location="tests/APP1/idempotency_tests/quote_idempotency.yaml:10">
The first request needs to send the same Idempotency-Key as the replay, otherwise the server treats them as distinct submissions and the replay expectations (quote_id reuse and X-Idempotent-Replay) will fail.</violation>
</file>
<file name="tests/APP2/partner_simulators/valid_signature.py">
<violation number="1" location="tests/APP2/partner_simulators/valid_signature.py:32">
The printed body is reserialized with default spacing, so the HTTP payload no longer matches the bytes used to compute the HMAC and the signature becomes invalid. Emit the canonical JSON string used during signing instead.</violation>
</file>
<file name="tests/APP3/perf_k6.js">
<violation number="1" location="tests/APP3/perf_k6.js:24">
Performance check incorrectly treats HTTP 400 (invalid search) responses as success, masking real failures.</violation>
</file>
<file name="inputs/APP2/sbom.json">
<violation number="1" location="inputs/APP2/sbom.json:18">
The SBOM entry names the library as "aws-sdk" while the purl targets "@aws-sdk/client-sqs" and uses a version number that only exists for the scoped package, producing an inconsistent component definition.</violation>
</file>
<file name="tests/APP1/chaos_playbooks/network_partition.md">
<violation number="1" location="tests/APP1/chaos_playbooks/network_partition.md:6">
The chaos playbook references `manifests/istio/pricing-db-partition.yaml`, but that manifest path does not exist in the repo, so the documented experiment cannot be executed as written.</violation>
</file>
<file name="artifacts/remediation_prs/APP3_remediation.md">
<violation number="1" location="artifacts/remediation_prs/APP3_remediation.md:6">
This remediation bundle points to services/patient-api/build.gradle.kts, but that file does not exist in this repo, so the documented patch cannot be validated. Please reference the actual module path or update the evidence snippet accordingly.</violation>
<violation number="2" location="artifacts/remediation_prs/APP3_remediation.md:18">
The evidence bundle cites infra/terraform/network.tf, but that path is missing from this repository, so the ingress hardening change cannot be traced. Please correct the file path or supply the accurate evidence location.</violation>
<violation number="3" location="artifacts/remediation_prs/APP3_remediation.md:44">
This remediation record points to services/telemetry/metrics.ts, which does not exist here, so the Cosmos throttling mitigation cannot be substantiated. Please update the snippet to the correct file path or provide the right artifact.</violation>
</file>
<file name="cli-tests/APP1/cli_smoke.sh">
<violation number="1" location="cli-tests/APP1/cli_smoke.sh:12">
Create the artifacts/APP1 directory before redirecting CLI output so the smoke test doesn’t exit when the artifacts tree is cleaned.</violation>
</file>
<file name="tests/APP2/chaos_playbooks/network_partition.md">
<violation number="1" location="tests/APP2/chaos_playbooks/network_partition.md:5">
Returning HTTP 503 here doesn’t simulate a true network partition, so the procedure won’t validate the stated objective. Please have the fault injection drop or time out upstream connections instead so the circuit breaker is exercised correctly.</violation>
</file>
<file name="tests/APP2/chaos_playbooks/disk_full.md">
<violation number="1" location="tests/APP2/chaos_playbooks/disk_full.md:7">
Validating the fallback path with 304 responses is incorrect. After disk eviction the origin should send 200s, so this guidance would cause testers to misread a healthy fallback as failure.</violation>
</file>
<file name="artifacts/APP1/tf_plan.json">
<violation number="1" location="artifacts/APP1/tf_plan.json:9">
Terraform treats storage_encrypted as ForceNew on aws_db_instance, so enabling encryption forces the instance to be replaced. Marking this change as an update misrepresents Terraform’s actual plan (it would be create/delete), making the artifact incorrect.</violation>
</file>
<file name="tests/APP2/perf_k6.js">
<violation number="1" location="tests/APP2/perf_k6.js:34">
GraphQL requests can return HTTP 200 while still including an `errors` array, so this status-only check will let failing operations pass the load test. Please assert that 200 responses do not contain GraphQL errors.</violation>
</file>
<file name="inputs/APP4/sbom.json">
<violation number="1" location="inputs/APP4/sbom.json:15">
The go-chi component should use the Go module version string with the leading "v" (e.g., v5.0.10); otherwise the SBOM points to a non-existent version, breaking dependency resolution.</violation>
<violation number="2" location="inputs/APP4/sbom.json:16">
Use the Go module version string with the "v" prefix (v1.45.0) so the SBOM maps to the actual aws-lambda-go release.</violation>
<violation number="3" location="inputs/APP4/sbom.json:17">
Update the grpc component version to include the required Go module "v" prefix so the SBOM references the real release (v1.62.0).</violation>
</file>
<file name="artifacts/threat_matrices/APP1_threat_matrix.md">
<violation number="1" location="artifacts/threat_matrices/APP1_threat_matrix.md:6">
The validation reference points to tests/APP1/chaos_playbooks/pipeline_supply_chain.md, but that file doesn’t exist in the repo, so readers can’t locate the supporting chaos evidence.</violation>
<violation number="2" location="artifacts/threat_matrices/APP1_threat_matrix.md:8">
The validation reference points to policy/APP1/deny_public_db.rego, but that file isn’t present, so the documented mitigation evidence cannot be located.</violation>
</file>
React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.
| @@ -0,0 +1,44 @@ | |||
| import http from 'k6/http'; | |||
| import { check, sleep, Trend, Rate } from 'k6'; | |||
Contributor
There was a problem hiding this comment.
Trend and Rate must be imported from 'k6/metrics'; bringing them in from 'k6' leads to an import error when running the test.
Prompt for AI agents
Address the following comment on tests/APP1/perf_k6.js at line 2:
<comment>Trend and Rate must be imported from 'k6/metrics'; bringing them in from 'k6' leads to an import error when running the test.</comment>
<file context>
@@ -0,0 +1,44 @@
+import http from 'k6/http';
+import { check, sleep, Trend, Rate } from 'k6';
+
+export let options = {
</file context>
|
|
||
| violation[msg] { | ||
| input.gateway.routes[_].path == "/api/webhooks/{partner}" | ||
| not input.gateway.routes[_].plugins.signatures.enabled |
Contributor
There was a problem hiding this comment.
The negated check enumerates the routes array independently, so it only fails if no route anywhere has the signatures plugin enabled. As soon as some other route enables the plugin, this rule stops flagging the webhook route even when that specific route lacks HMAC enforcement, creating a security gap.
Prompt for AI agents
Address the following comment on policy/APP2/security_controls.rego at line 5:
<comment>The negated check enumerates the routes array independently, so it only fails if no route anywhere has the signatures plugin enabled. As soon as some other route enables the plugin, this rule stops flagging the webhook route even when that specific route lacks HMAC enforcement, creating a security gap.</comment>
<file context>
@@ -0,0 +1,32 @@
+
+violation[msg] {
+ input.gateway.routes[_].path == "/api/webhooks/{partner}"
+ not input.gateway.routes[_].plugins.signatures.enabled
+ msg := "Webhook route must enforce HMAC signature plugin"
+}
</file context>
| deny[msg] { | ||
| some deploy | ||
| deploy := input.kubernetes.deployments[_] | ||
| deploy.spec.template.spec.containers[_].securityContext.runAsNonRoot == false |
Contributor
There was a problem hiding this comment.
Deployments missing runAsNonRoot escape the non-root enforcement.
Prompt for AI agents
Address the following comment on policy/APP3/security_controls.rego at line 13:
<comment>Deployments missing runAsNonRoot escape the non-root enforcement.</comment>
<file context>
@@ -0,0 +1,32 @@
+deny[msg] {
+ some deploy
+ deploy := input.kubernetes.deployments[_]
+ deploy.spec.template.spec.containers[_].securityContext.runAsNonRoot == false
+ msg := sprintf("Deployment %s must run as non-root", [deploy.metadata.name])
+}
</file context>
| deny[msg] { | ||
| some sg | ||
| sg := input.resource_changes[_] | ||
| sg.change.after.type == "aws_security_group_rule" |
Contributor
There was a problem hiding this comment.
The security-group rule check compares sg.change.after.type to aws_security_group_rule, but that nested field represents the rule direction (e.g., ingress/egress). The resource type lives on the top-level resource_changes[*].type, so this condition is never satisfied and public MQTT rules won't be caught.
Prompt for AI agents
Address the following comment on policy/APP4/security_controls.rego at line 14:
<comment>The security-group rule check compares `sg.change.after.type` to `aws_security_group_rule`, but that nested field represents the rule direction (e.g., ingress/egress). The resource type lives on the top-level `resource_changes[*].type`, so this condition is never satisfied and public MQTT rules won't be caught.</comment>
<file context>
@@ -0,0 +1,39 @@
+deny[msg] {
+ some sg
+ sg := input.resource_changes[_]
+ sg.change.after.type == "aws_security_group_rule"
+ sg.change.after.cidr_blocks[_] == "0.0.0.0/0"
+ sg.change.after.to_port == 8883
</file context>
Suggested change
| sg.change.after.type == "aws_security_group_rule" | |
| sg.type == "aws_security_group_rule" |
| deny[msg] { | ||
| some change | ||
| change := input.resource_changes[_] | ||
| change.change.after.type == "aws_lambda_function" |
Contributor
There was a problem hiding this comment.
This rule never fires because it checks change.change.after.type for the Lambda resource type, but Terraform plan entries expose the type on the top-level resource_changes[*].type. As written, change.change.after only holds resource attributes and lacks that value, so HSM credentials in Lambda env vars slip through.
Prompt for AI agents
Address the following comment on policy/APP4/security_controls.rego at line 6:
<comment>This rule never fires because it checks `change.change.after.type` for the Lambda resource type, but Terraform plan entries expose the type on the top-level `resource_changes[*].type`. As written, `change.change.after` only holds resource attributes and lacks that value, so HSM credentials in Lambda env vars slip through.</comment>
<file context>
@@ -0,0 +1,39 @@
+deny[msg] {
+ some change
+ change := input.resource_changes[_]
+ change.change.after.type == "aws_lambda_function"
+ change.change.after.environment.variables.HSM_PASSWORD
+ msg := "Lambda functions cannot store HSM credentials in environment variables"
</file context>
Suggested change
| change.change.after.type == "aws_lambda_function" | |
| change.type == "aws_lambda_function" |
| "components": [ | ||
| {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"}, | ||
| {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"}, | ||
| {"type": "library", "name": "grpc", "version": "1.62.0", "purl": "pkg:golang/google.golang.org/grpc@1.62.0"}, |
Contributor
There was a problem hiding this comment.
Update the grpc component version to include the required Go module "v" prefix so the SBOM references the real release (v1.62.0).
Prompt for AI agents
Address the following comment on inputs/APP4/sbom.json at line 17:
<comment>Update the grpc component version to include the required Go module "v" prefix so the SBOM references the real release (v1.62.0).</comment>
<file context>
@@ -0,0 +1,20 @@
+ "components": [
+ {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"},
+ {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"},
+ {"type": "library", "name": "grpc", "version": "1.62.0", "purl": "pkg:golang/google.golang.org/grpc@1.62.0"},
+ {"type": "library", "name": "node", "version": "20.10.0", "purl": "pkg:docker/node@20.10.0"}
+ ]
</file context>
Suggested change
| {"type": "library", "name": "grpc", "version": "1.62.0", "purl": "pkg:golang/google.golang.org/grpc@1.62.0"}, | |
| {"type": "library", "name": "grpc", "version": "v1.62.0", "purl": "pkg:golang/google.golang.org/grpc@v1.62.0"}, |
| }, | ||
| "components": [ | ||
| {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"}, | ||
| {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"}, |
Contributor
There was a problem hiding this comment.
Use the Go module version string with the "v" prefix (v1.45.0) so the SBOM maps to the actual aws-lambda-go release.
Prompt for AI agents
Address the following comment on inputs/APP4/sbom.json at line 16:
<comment>Use the Go module version string with the "v" prefix (v1.45.0) so the SBOM maps to the actual aws-lambda-go release.</comment>
<file context>
@@ -0,0 +1,20 @@
+ },
+ "components": [
+ {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"},
+ {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"},
+ {"type": "library", "name": "grpc", "version": "1.62.0", "purl": "pkg:golang/google.golang.org/grpc@1.62.0"},
+ {"type": "library", "name": "node", "version": "20.10.0", "purl": "pkg:docker/node@20.10.0"}
</file context>
Suggested change
| {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"}, | |
| {"type": "library", "name": "aws-lambda-go", "version": "v1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@v1.45.0"}, |
| } | ||
| }, | ||
| "components": [ | ||
| {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"}, |
Contributor
There was a problem hiding this comment.
The go-chi component should use the Go module version string with the leading "v" (e.g., v5.0.10); otherwise the SBOM points to a non-existent version, breaking dependency resolution.
Prompt for AI agents
Address the following comment on inputs/APP4/sbom.json at line 15:
<comment>The go-chi component should use the Go module version string with the leading "v" (e.g., v5.0.10); otherwise the SBOM points to a non-existent version, breaking dependency resolution.</comment>
<file context>
@@ -0,0 +1,20 @@
+ }
+ },
+ "components": [
+ {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"},
+ {"type": "library", "name": "aws-lambda-go", "version": "1.45.0", "purl": "pkg:golang/github.com/aws/aws-lambda-go@1.45.0"},
+ {"type": "library", "name": "grpc", "version": "1.62.0", "purl": "pkg:golang/google.golang.org/grpc@1.62.0"},
</file context>
Suggested change
| {"type": "library", "name": "go-chi", "version": "5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@5.0.10"}, | |
| {"type": "library", "name": "go-chi", "version": "v5.0.10", "purl": "pkg:golang/github.com/go-chi/chi@v5.0.10"}, |
| | APP1-T1 | STRIDE (Spoofing) | Identity Abuse | Steal competitor quotes by impersonating brokers | Credential stuffing via leaked broker emails | Enforce MFA, rate-limit login, anomaly detection | `tests/APP1/authz_tests/matrix.csv` | | ||
| | APP1-T2 | STRIDE (Tampering) | Code Integrity | Manipulate pricing model to offer fraudulent discounts | Supply chain compromise of pricing container image | Signed builds, admission controller, provenance attestation | `tests/APP1/chaos_playbooks/pipeline_supply_chain.md` | | ||
| | APP1-T3 | STRIDE (Repudiation) | Audit Evasion | Remove approval records to hide insider fraud | Abuse admin API to delete audit entries | Write-once audit store, approval workflow ledger | `tests/APP1/idempotency_tests/audit_replay.yaml` | | ||
| | APP1-T4 | STRIDE (Information Disclosure) | PHI Exposure | Exfiltrate policyholder SSNs | Public LoadBalancer on postgres service | Private subnets, service mesh mtls, network policies | `policy/APP1/deny_public_db.rego` | |
Contributor
There was a problem hiding this comment.
The validation reference points to policy/APP1/deny_public_db.rego, but that file isn’t present, so the documented mitigation evidence cannot be located.
Prompt for AI agents
Address the following comment on artifacts/threat_matrices/APP1_threat_matrix.md at line 8:
<comment>The validation reference points to policy/APP1/deny_public_db.rego, but that file isn’t present, so the documented mitigation evidence cannot be located.</comment>
<file context>
@@ -0,0 +1,24 @@
+| APP1-T1 | STRIDE (Spoofing) | Identity Abuse | Steal competitor quotes by impersonating brokers | Credential stuffing via leaked broker emails | Enforce MFA, rate-limit login, anomaly detection | `tests/APP1/authz_tests/matrix.csv` |
+| APP1-T2 | STRIDE (Tampering) | Code Integrity | Manipulate pricing model to offer fraudulent discounts | Supply chain compromise of pricing container image | Signed builds, admission controller, provenance attestation | `tests/APP1/chaos_playbooks/pipeline_supply_chain.md` |
+| APP1-T3 | STRIDE (Repudiation) | Audit Evasion | Remove approval records to hide insider fraud | Abuse admin API to delete audit entries | Write-once audit store, approval workflow ledger | `tests/APP1/idempotency_tests/audit_replay.yaml` |
+| APP1-T4 | STRIDE (Information Disclosure) | PHI Exposure | Exfiltrate policyholder SSNs | Public LoadBalancer on postgres service | Private subnets, service mesh mtls, network policies | `policy/APP1/deny_public_db.rego` |
+| APP1-T5 | STRIDE (DoS) | Availability | Disrupt quote generation before renewal deadlines | Botnet API flooding | Global rate-limits, autoscaling, WAF challenge | `tests/APP1/perf_k6.js` |
+| APP1-P1 | LINDDUN (Linkability) | Privacy | Link anonymized claims to individuals | Cross-correlation of analytics exports | Tokenization, aggregated reporting windows | `tests/APP1/contract_tests/openapi.yaml` |
</file context>
| | Threat ID | Framework | Category | Attacker Objective | Attack Vector | Mitigations | Validation | | ||
| |-----------|-----------|----------|--------------------|---------------|------------|-----------| | ||
| | APP1-T1 | STRIDE (Spoofing) | Identity Abuse | Steal competitor quotes by impersonating brokers | Credential stuffing via leaked broker emails | Enforce MFA, rate-limit login, anomaly detection | `tests/APP1/authz_tests/matrix.csv` | | ||
| | APP1-T2 | STRIDE (Tampering) | Code Integrity | Manipulate pricing model to offer fraudulent discounts | Supply chain compromise of pricing container image | Signed builds, admission controller, provenance attestation | `tests/APP1/chaos_playbooks/pipeline_supply_chain.md` | |
Contributor
There was a problem hiding this comment.
The validation reference points to tests/APP1/chaos_playbooks/pipeline_supply_chain.md, but that file doesn’t exist in the repo, so readers can’t locate the supporting chaos evidence.
Prompt for AI agents
Address the following comment on artifacts/threat_matrices/APP1_threat_matrix.md at line 6:
<comment>The validation reference points to tests/APP1/chaos_playbooks/pipeline_supply_chain.md, but that file doesn’t exist in the repo, so readers can’t locate the supporting chaos evidence.</comment>
<file context>
@@ -0,0 +1,24 @@
+| Threat ID | Framework | Category | Attacker Objective | Attack Vector | Mitigations | Validation |
+|-----------|-----------|----------|--------------------|---------------|------------|-----------|
+| APP1-T1 | STRIDE (Spoofing) | Identity Abuse | Steal competitor quotes by impersonating brokers | Credential stuffing via leaked broker emails | Enforce MFA, rate-limit login, anomaly detection | `tests/APP1/authz_tests/matrix.csv` |
+| APP1-T2 | STRIDE (Tampering) | Code Integrity | Manipulate pricing model to offer fraudulent discounts | Supply chain compromise of pricing container image | Signed builds, admission controller, provenance attestation | `tests/APP1/chaos_playbooks/pipeline_supply_chain.md` |
+| APP1-T3 | STRIDE (Repudiation) | Audit Evasion | Remove approval records to hide insider fraud | Abuse admin API to delete audit entries | Write-once audit store, approval workflow ledger | `tests/APP1/idempotency_tests/audit_replay.yaml` |
+| APP1-T4 | STRIDE (Information Disclosure) | PHI Exposure | Exfiltrate policyholder SSNs | Public LoadBalancer on postgres service | Private subnets, service mesh mtls, network policies | `policy/APP1/deny_public_db.rego` |
</file context>
Contributor
|
Closing as part of PR consolidation. Useful changes have been cherry-picked into PR #240. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
evidence/README.mdand point the consolidated manifest at CLI-produced bundle pathscli.fixops_ci evidence bundleinstead of manually zipping artifactsTesting
https://chatgpt.com/codex/tasks/task_e_690897bb6df88329af11776800fd3d46
Summary by cubic
Stop tracking generated evidence bundle archives and switch to on-demand generation via the FixOps CLI. This keeps PRs binary-free while preserving reproducible evidence with simple local commands.
Refactors
Migration
Written for commit 69d2e63. Summary will update automatically on new commits.