libverify-core 0.5.0

Platform-agnostic SDLC verification engine — evidence model, controls, assessment
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

use crate::control::{Control, ControlFinding, ControlId, builtin};
use crate::evidence::EvidenceBundle;

/// Validates that secret scanning push protection is enabled.
///
/// Maps to PCI DSS Req 3.5.1, NIST SI-7, SOC2 CC6.1 / CC6.6.
/// Push protection actively blocks credential commits at push time,
/// going beyond detection-only secret scanning.
///
/// Requires secret scanning to be enabled as a prerequisite.
pub struct SecretScanningPushProtectionControl;

impl Control for SecretScanningPushProtectionControl {
    fn id(&self) -> ControlId {
        builtin::id(builtin::SECRET_SCANNING_PUSH_PROTECTION)
    }

    fn description(&self) -> &'static str {
        "Secret scanning push protection must be enabled to block credential commits"
    }

    fn evaluate(&self, evidence: &EvidenceBundle) -> Vec<ControlFinding> {
        let posture = match ControlFinding::extract_posture(self.id(), evidence) {
            Ok(p) => p,
            Err(findings) => return findings,
        };

        if !posture.security_analysis_available {
            return vec![ControlFinding::indeterminate(
                self.id(),
                "Cannot determine push protection status — API token may lack sufficient permissions",
                vec!["repository".into()],
                vec![],
            )];
        }

        if !posture.secret_scanning_enabled {
            return vec![ControlFinding::violated(
                self.id(),
                "Secret scanning is not enabled — push protection requires secret scanning",
                vec!["repository".into()],
            )];
        }

        if posture.secret_push_protection_enabled {
            vec![ControlFinding::satisfied(
                self.id(),
                "Secret scanning push protection is enabled — credential commits are blocked",
                vec!["repository:secret-scanning:push-protection".into()],
            )]
        } else {
            vec![ControlFinding::violated(
                self.id(),
                "Secret scanning push protection is not enabled — credentials can be pushed to the repository",
                vec!["repository:secret-scanning:push-protection".into()],
            )]
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::control::ControlStatus;
    use crate::evidence::{EvidenceGap, EvidenceState, RepositoryPosture};

    fn posture(secret_scanning: bool, push_protection: bool) -> RepositoryPosture {
        RepositoryPosture {
            security_analysis_available: true,
            secret_scanning_enabled: secret_scanning,
            secret_push_protection_enabled: push_protection,
            ..Default::default()
        }
    }

    fn bundle(state: EvidenceState<RepositoryPosture>) -> EvidenceBundle {
        EvidenceBundle {
            repository_posture: state,
            ..Default::default()
        }
    }

    #[test]
    fn indeterminate_when_security_analysis_unavailable() {
        let findings = SecretScanningPushProtectionControl.evaluate(&bundle(
            EvidenceState::complete(RepositoryPosture {
                security_analysis_available: false,
                ..Default::default()
            }),
        ));
        assert_eq!(findings[0].status, ControlStatus::Indeterminate);
        assert!(findings[0].rationale.contains("permissions"));
    }

    #[test]
    fn not_applicable_when_posture_not_applicable() {
        let findings =
            SecretScanningPushProtectionControl.evaluate(&bundle(EvidenceState::not_applicable()));
        assert_eq!(findings[0].status, ControlStatus::NotApplicable);
    }

    #[test]
    fn indeterminate_when_posture_missing() {
        let findings =
            SecretScanningPushProtectionControl.evaluate(&bundle(EvidenceState::missing(vec![
                EvidenceGap::CollectionFailed {
                    source: "github".to_string(),
                    subject: "posture".to_string(),
                    detail: "API error".to_string(),
                },
            ])));
        assert_eq!(findings[0].status, ControlStatus::Indeterminate);
    }

    #[test]
    fn satisfied_when_push_protection_enabled() {
        let findings = SecretScanningPushProtectionControl
            .evaluate(&bundle(EvidenceState::complete(posture(true, true))));
        assert_eq!(findings[0].status, ControlStatus::Satisfied);
        assert!(findings[0].rationale.contains("push protection is enabled"));
    }

    #[test]
    fn violated_when_push_protection_disabled() {
        let findings = SecretScanningPushProtectionControl
            .evaluate(&bundle(EvidenceState::complete(posture(true, false))));
        assert_eq!(findings[0].status, ControlStatus::Violated);
        assert!(
            findings[0]
                .rationale
                .contains("push protection is not enabled")
        );
    }

    #[test]
    fn violated_when_secret_scanning_disabled() {
        let findings = SecretScanningPushProtectionControl
            .evaluate(&bundle(EvidenceState::complete(posture(false, false))));
        assert_eq!(findings[0].status, ControlStatus::Violated);
        assert!(
            findings[0]
                .rationale
                .contains("Secret scanning is not enabled")
        );
    }
}