#!/usr/bin/env bash
# Offline validator for examples/compliance/
#
# Usage (from any working directory — paths are resolved relative to this file):
#   bash examples/compliance/compliance-validate.sh
#
# Requires: bash, grep, find. terraform and checkov are used only when found on
# PATH; when absent, their sections are skipped with an INFO line.
set -euo pipefail

# Repository root, derived from this script's own location (two levels up),
# so the validator does not depend on the caller's cwd.
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
# The directory tree under validation.
COMP_DIR="$ROOT_DIR/examples/compliance"

# Running count of failed checks; the summary at the end of the script turns it
# into the exit code.
ERRORS=0

# pass MESSAGE — report a satisfied check on stdout.
pass() {
  printf ' PASS: %s\n' "$1"
}

# fail MESSAGE — report a failed check on stdout and record it in ERRORS.
# Written as an assignment rather than (( ERRORS++ )) so it cannot trip set -e.
fail() {
  printf ' FAIL: %s\n' "$1"
  ERRORS=$((ERRORS + 1))
}
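# Everything below depends on COMP_DIR (set at the top of this file); fail
# loudly rather than let an empty value turn "$COMP_DIR/" into a search of /.
: "${COMP_DIR:?COMP_DIR must be set to the compliance examples directory}"

echo ""
echo "=== Compliance example structure ==="
# One directory per SOC 2 control domain the examples are expected to cover.
EXPECTED_DIRS=(
  "iam"
  "logging"
  "network"
  "encryption-data-services"
  "vulnerability"
  "detection"
  "incident-response"
  "backup"
)
for d in "${EXPECTED_DIRS[@]}"; do
  if [ -d "$COMP_DIR/$d" ]; then
    pass "$d/ directory exists"
  else
    fail "$d/ directory missing — expected SOC 2 control domain"
  fi
done
if [ -f "$COMP_DIR/checkov-config.yaml" ]; then
  pass "checkov-config.yaml exists"
else
  fail "checkov-config.yaml missing"
fi

# tf_has PATTERN — true when the extended regex PATTERN matches a line of any
# *.tf file under COMP_DIR. Only Terraform sources are searched, so a README
# that merely mentions an attribute cannot satisfy a control check. Uses -E
# with "|" instead of the GNU-only "\|" BRE alternation.
tf_has() {
  grep -rqE --include="*.tf" -- "$1" "$COMP_DIR/"
}

# tf_attr_is NAME VALUE — true when some *.tf line sets attribute NAME to the
# literal VALUE, i.e. "<indent>NAME = VALUE" optionally followed by a comment.
# Anchoring at line start excludes commented-out settings, and requiring the
# literal excludes e.g. "enable_key_rotation = false", which a bare
# presence check would have accepted. A value driven by var./local. is
# deliberately not accepted: the compliance examples are expected to hard-code
# the compliant setting so the control is visible to a reader.
tf_attr_is() {
  tf_has "^[[:space:]]*$1[[:space:]]*=[[:space:]]*$2"'([[:space:]#/]|$)'
}

echo ""
echo "=== SOC 2 control patterns ==="
# CC6.7 — encryption at rest: KMS rotation must be enabled (not merely mentioned)
if tf_attr_is "enable_key_rotation" "true"; then
  pass "enable_key_rotation = true found (CC6.7 — KMS key rotation)"
else
  fail "enable_key_rotation = true not found — KMS keys must have rotation enabled (CC6.7)"
fi
# CC7.2 — audit logging: CloudTrail must be multi-region with log validation
if tf_attr_is "is_multi_region_trail" "true"; then
  pass "is_multi_region_trail = true found (CC7.2 — multi-region CloudTrail)"
else
  fail "is_multi_region_trail = true not found in compliance examples (CC7.2)"
fi
if tf_attr_is "enable_log_file_validation" "true"; then
  pass "enable_log_file_validation = true found (CC7.2 — CloudTrail log integrity)"
else
  fail "enable_log_file_validation = true not found (CC7.2)"
fi
# CC7.1 — threat detection: a GuardDuty detector resource must be declared.
# Matching the resource header (not just the type name) excludes comments and
# data sources that only read an existing detector.
if tf_has '^[[:space:]]*resource[[:space:]]+"aws_guardduty_detector"'; then
  pass "aws_guardduty_detector found (CC7.1 — GuardDuty)"
else
  fail "aws_guardduty_detector not found — GuardDuty must be enabled (CC7.1)"
fi
# A1.2 — backup retention: AWS Backup lifecycle or RDS backup retention must be set.
# Presence of any retention attribute is accepted here; the zero-retention
# case is rejected separately in the anti-pattern section.
if tf_has '^[[:space:]]*(min_retention_days|backup_retention_period|delete_after)[[:space:]]*='; then
  pass "backup retention configuration found (A1.2 — backup retention)"
else
  fail "no backup retention configuration found (A1.2) — add AWS Backup lifecycle or RDS backup_retention_period"
fi
# A1.2 — deletion protection: vault lock resource or DB deletion_protection = true
if tf_has '^[[:space:]]*resource[[:space:]]+"aws_backup_vault_lock_configuration"' \
  || tf_attr_is "deletion_protection" "true"; then
  pass "deletion protection found (A1.2 — backup vault lock or DB deletion protection)"
else
  fail "no deletion protection found (A1.2) — add aws_backup_vault_lock_configuration or deletion_protection = true"
fi

echo ""
echo "=== Anti-patterns (must not exist) ==="
# These checks stay deliberately broad (".*=.*" also hits commented-out lines):
# a false positive here only makes the validator stricter, never laxer.
# Must NOT have publicly_accessible = true
if tf_has 'publicly_accessible.*=.*true'; then
  fail "publicly_accessible = true found in compliance examples — databases must not be publicly accessible"
else
  pass "No publicly_accessible = true"
fi
# Must NOT have encrypted = false (also covers storage_encrypted)
if tf_has 'encrypted.*=.*false'; then
  fail "encrypted = false found — all storage resources must be encrypted"
else
  pass "No encrypted = false"
fi
# Must NOT skip final snapshots on databases
if tf_has 'skip_final_snapshot.*=.*true'; then
  fail "skip_final_snapshot = true found — production databases must take a final snapshot"
else
  pass "No skip_final_snapshot = true"
fi
# Must NOT set backup_retention_period = 0: on RDS a retention period of 0
# disables automated backups, which would satisfy the presence check above
# while providing no backups at all.
if tf_attr_is "backup_retention_period" "0"; then
  fail "backup_retention_period = 0 found — 0 disables RDS automated backups (A1.2)"
else
  pass "No backup_retention_period = 0"
fi

echo ""
echo "=== Terraform syntax (if terraform available) ==="
if command -v terraform >/dev/null 2>&1; then
  echo " INFO: terraform found — running fmt check on compliance examples"
  # 'terraform fmt -check DIR' only inspects DIR itself, so run it once per
  # directory that contains .tf files.
  while IFS= read -r dir; do
    if terraform fmt -check "$dir" >/dev/null 2>&1; then
      pass "terraform fmt: $(basename "$dir")"
    else
      fail "terraform fmt failed: $dir — run 'terraform fmt $dir'"
    fi
  done < <(find "$COMP_DIR" -name "*.tf" -exec dirname {} \; | sort -u)
else
  echo " INFO: terraform not found — skipping fmt check"
fi

echo ""
echo "=== checkov (if available) ==="
# checkov is advisory by design: its findings are reported as WARN and do not
# change the exit status, and its output is suppressed here. Re-run the command
# in the WARN line to see the individual findings; CI that wants checkov to
# gate should run it as a separate step.
if command -v checkov >/dev/null 2>&1; then
  echo " INFO: checkov found — running on compliance examples"
  if checkov -d "$COMP_DIR" --config-file "$COMP_DIR/checkov-config.yaml" --quiet >/dev/null 2>&1; then
    pass "checkov passed"
  else
    echo " WARN: checkov found issues — run 'checkov -d examples/compliance' to review"
  fi
else
  echo " INFO: checkov not found — skipping (install: pip install checkov)"
fi

echo ""
# Exit 1 when any check above recorded a failure; otherwise fall through to 0.
if [ "$ERRORS" -gt 0 ]; then
  echo "FAIL: $ERRORS validation error(s)"
  exit 1
fi
echo "PASS: all compliance example checks passed"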