Add compliance annotations docs and example NetworkAssertions#314
- New docs page: compliance-annotations.md covering netchecks.io/controls, netchecks.io/description, and netchecks.io/severity annotations
- Three example NetworkAssertions in operator/examples/compliance/:
  - PCI-DSS v4.0 CDE isolation (egress + ingress)
  - SOC 2 boundary protection (web-to-db tier)
  - CIS K8s Benchmark default-deny enforcement
- Architecture guide updated with compliance reporting section
- Navigation sidebar updated to include Compliance Annotations page
Add a product/landing page for netchecks-compliance at /docs/compliance-reporting with pricing, frameworks, and quick start. Link from annotations and architecture docs to docs site pages instead of private GitHub repo.
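An added example of the control-mapping and report-generation logic the three annotations enable, written for this review and not code from the netchecks project or from this PR. It assumes a value format for netchecks.io/controls (comma-separated FRAMEWORK:CONTROL tokens), a four-step scale for netchecks.io/severity, and per-rule outcomes of pass/fail/error; the manifests and run results are constructed samples shaped like NetworkAssertion objects (apiVersion netchecks.io/v1, spec.rules entries with name/type/url/expected). It bakes in the point raised in the review comments on this PR: a probe that errored, or never reported, leaves its control inconclusive instead of counting as a pass.

```python
"""Map NetworkAssertion results onto compliance controls and build a report.

Added example; not netchecks project code.  Assumptions not stated in the PR:
  - netchecks.io/controls holds comma-separated "FRAMEWORK:CONTROL" tokens
  - netchecks.io/severity is one of low / medium / high / critical
  - a rule's outcome is reported as "pass", "fail" or "error"
"""
from __future__ import annotations

from dataclasses import dataclass, field

ANN_CONTROLS = "netchecks.io/controls"
ANN_DESCRIPTION = "netchecks.io/description"
ANN_SEVERITY = "netchecks.io/severity"
SEVERITIES = ("low", "medium", "high", "critical")  # assumed scale, lowest first


@dataclass
class ControlEvidence:
    framework: str
    control: str
    severity: str = "low"                               # highest severity attached so far
    passed: list[str] = field(default_factory=list)     # "assertion/rule" ids
    failed: list[str] = field(default_factory=list)
    errored: list[str] = field(default_factory=list)

    @property
    def status(self) -> str:
        # A probe that could not run is not evidence that the control holds:
        # errored or unreported rules make the control inconclusive, never pass.
        if self.errored:
            return "inconclusive"
        return "fail" if self.failed else "pass"


def parse_controls(value: str) -> list[tuple[str, str]]:
    """'PCI-DSS:1.3.1, SOC2:CC6.6' -> [('PCI-DSS', '1.3.1'), ('SOC2', 'CC6.6')]."""
    pairs = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        if ":" not in token:
            raise ValueError(f"{token!r} is not of the form FRAMEWORK:CONTROL")
        framework, control = token.split(":", 1)
        pairs.append((framework.strip(), control.strip()))
    return pairs


def build_report(manifests: list[dict], results: dict[str, dict[str, str]]) -> dict[tuple[str, str], ControlEvidence]:
    """results maps assertion name -> {rule name -> "pass" | "fail" | "error"}."""
    report: dict[tuple[str, str], ControlEvidence] = {}
    for manifest in manifests:
        meta = manifest["metadata"]
        ann = meta.get("annotations") or {}
        if ANN_CONTROLS not in ann:
            continue  # assertions without a controls annotation are not compliance evidence
        severity = ann.get(ANN_SEVERITY, "low")
        if severity not in SEVERITIES:
            raise ValueError(f"{meta['name']}: unknown severity {severity!r}")
        rule_results = results.get(meta["name"], {})
        for framework, control in parse_controls(ann[ANN_CONTROLS]):
            ev = report.setdefault((framework, control), ControlEvidence(framework, control))
            if SEVERITIES.index(severity) > SEVERITIES.index(ev.severity):
                ev.severity = severity
            for rule in manifest["spec"]["rules"]:
                rule_id = f"{meta['name']}/{rule['name']}"
                outcome = rule_results.get(rule["name"], "error")  # missing result = no evidence
                {"pass": ev.passed, "fail": ev.failed}.get(outcome, ev.errored).append(rule_id)
    return report


def summarize(report: dict[tuple[str, str], ControlEvidence]) -> dict[str, dict[str, str]]:
    """Framework -> control -> status, the shape a report renderer would consume."""
    out: dict[str, dict[str, str]] = {}
    for (framework, control), ev in sorted(report.items()):
        out.setdefault(framework, {})[control] = ev.status
    return out


def findings(report: dict[tuple[str, str], ControlEvidence]) -> list[ControlEvidence]:
    """Controls that are not passing, most severe first."""
    bad = [ev for ev in report.values() if ev.status != "pass"]
    return sorted(bad, key=lambda ev: (-SEVERITIES.index(ev.severity), ev.framework, ev.control))


def _manifest(name, controls, severity, rules):
    """Constructed NetworkAssertion-shaped dict (sample data, not a real cluster object)."""
    return {
        "apiVersion": "netchecks.io/v1", "kind": "NetworkAssertion",
        "metadata": {"name": name, "annotations": {ANN_CONTROLS: controls, ANN_SEVERITY: severity,
                                                    ANN_DESCRIPTION: f"{name} (constructed sample)"}},
        "spec": {"rules": [{"name": n, "type": "http", "url": u, "expected": e} for n, u, e in rules]},
    }


SAMPLE_MANIFESTS = [
    _manifest("pci-cde-isolation", "PCI-DSS:1.3.1, PCI-DSS:1.3.2", "critical",
              [("cde-egress-blocked", "http://web.frontend:8080", "fail"),
               ("cde-ingress-blocked", "http://payments.cde:8443", "fail")]),
    _manifest("soc2-boundary", "SOC2:CC6.6", "high",
              [("web-to-db-allowed", "http://api.database:8080", "pass")]),
    _manifest("cis-default-deny", "CIS-K8S:5.3.2", "medium",
              [("cross-ns-blocked", "http://echo.other:8080", "fail")]),
    {"apiVersion": "netchecks.io/v1", "kind": "NetworkAssertion",  # no annotations: ignored
     "metadata": {"name": "smoke-test"},
     "spec": {"rules": [{"name": "api", "type": "http", "url": "https://kubernetes/version", "expected": "pass"}]}},
]

# Constructed rule outcomes, as an operator might record them after one scheduled run.
SAMPLE_RESULTS = {
    "pci-cde-isolation": {"cde-egress-blocked": "pass", "cde-ingress-blocked": "pass"},
    "soc2-boundary": {"web-to-db-allowed": "fail"},
    "cis-default-deny": {"cross-ns-blocked": "error"},  # probe could not run: inconclusive
}

if __name__ == "__main__":
    rep = build_report(SAMPLE_MANIFESTS, SAMPLE_RESULTS)
    print(summarize(rep))
    for ev in findings(rep):
        print(ev.severity, ev.framework, ev.control, ev.status, ev.failed or ev.errored)
```

Running it prints one status per control and then the non-passing controls ordered by severity; the unannotated smoke-test assertion contributes nothing, and calling build_report with an empty results map marks every annotated control inconclusive rather than passing, which is the behaviour a compliance report needs when the probes never ran.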
Deploying netchecks-docs with

| | |
|---|---|
| Latest commit: | aa6890e |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://a7381b14.netchecks-docs.pages.dev |
| Branch Preview URL: | https://feat-compliance-annotations.netchecks-docs.pages.dev |
Pull Request Test Coverage Report for Build 22621756059
💛 - Coveralls
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: baf13c40c3
| type: http | ||
| url: http://postgres.database:5432 | ||
| expected: fail |
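Review bot: the `expected: fail` rule probing `http://postgres.database:5432` with `type: http` passes whether or not a NetworkPolicy is in place, because PostgreSQL never returns the HTTP response the default validation wants; an assertion that cannot fail is not evidence of CDE isolation. Point the rule at a target that would answer the chosen probe type when reachable, and pair each `expected: fail` rule in the example with a positive control of the same probe type that is `expected: pass` from an allowed source, so that removing the policy actually flips an outcome in the report.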
Use a protocol-valid probe for PostgreSQL isolation
This rule uses type: http against postgres.database:5432 with expected: fail, but PostgreSQL is not an HTTP service, so the HTTP check will error regardless of network policy and be counted as a pass after the expected: fail inversion. Given the default HTTP validation requires a 200/201 response, this probe cannot distinguish "blocked" from "reachable but non-HTTP," which can produce false compliance evidence for DB isolation.
| type: http | ||
| url: http://redis.cache:6379 | ||
| expected: pass |
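Review bot: the `web-to-cache-allowed` rule with `expected: pass` against `http://redis.cache:6379` will report fail even when the policy permits the flow, since Redis does not answer with a 200/201, so the SOC 2 example ships with a permanent failing finding that readers will learn to ignore. Probe an HTTP-speaking endpoint in the allowed tier for this rule, or use a connection-level check type if the operator provides one, and keep the redis target only where the example's text says the probe is expected to be refused by policy rather than by protocol.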
Avoid expecting pass from Redis over HTTP
The web-to-cache-allowed rule expects success but probes redis.cache:6379 with type: http; Redis does not speak HTTP, so this request will fail protocol validation instead of returning a 200/201 and the rule will report fail even when connectivity is correct. As written, this creates a built-in false negative in the example assertion.
Summary
netchecks.io/controls, netchecks.io/description, netchecks.io/severity) that enable mapping active network tests to compliance framework controls
Changes
- docs/src/pages/docs/compliance-annotations.md: new docs page covering annotation usage, supported frameworks/controls, mapping logic, and report generation
- operator/examples/compliance/pci-dss-cde-isolation.yaml: PCI-DSS v4.0 CDE isolation (egress + ingress assertions)
- operator/examples/compliance/soc2-boundary-protection.yaml: SOC 2 boundary protection (web-to-db tier)
- operator/examples/compliance/cis-default-deny.yaml: CIS Benchmark default-deny enforcement
- docs/src/pages/docs/architecture-guide.md: added compliance reporting section
- docs/src/components/Layout.jsx: added nav link
Test plan