From ed52fa9b056b37b8d7a81c2b7ccd9d40214c5959 Mon Sep 17 00:00:00 2001
From: Bart Zantingh <162321204+bartzantingh@users.noreply.github.com>
Date: Mon, 2 Feb 2026 15:11:09 +0100
Subject: [PATCH] Add 001_0007 and 001_0008

001_0007 checks which hash algorithm is selected (should be either BCrypt or SSHA256)
001_0008 checks whether 'Check security' is true for all user roles
---
 .../001_0007_hash_algorithm.rego | 39 +++++++++++++++++++
 .../001_0007_hash_algorithm_test.rego | 36 +++++++++++++++++
 ...001_0008_check_security_on_user_roles.rego | 37 ++++++++++++++++++
 ...008_check_security_on_user_roles_test.rego | 24 ++++++++++++
 4 files changed, 136 insertions(+)
 create mode 100644 rules/001_project_settings/001_0007_hash_algorithm.rego
 create mode 100644 rules/001_project_settings/001_0007_hash_algorithm_test.rego
 create mode 100644 rules/001_project_settings/001_0008_check_security_on_user_roles.rego
 create mode 100644 rules/001_project_settings/001_0008_check_security_on_user_roles_test.rego

diff --git a/rules/001_project_settings/001_0007_hash_algorithm.rego b/rules/001_project_settings/001_0007_hash_algorithm.rego
new file mode 100644
index 0000000..080eb91
--- /dev/null
+++ b/rules/001_project_settings/001_0007_hash_algorithm.rego
@@ -0,0 +1,39 @@
+# METADATA
+# scope: package
+# title: Hash algorithm
+# description: Hashs algorithms BCrypt and SSHA256 are considered to be the safest for data encryption.
+# authors:
+# - Bart Zantingh
+# related_resources:
+# - https://docs.mendix.com/refguide/security#hashing-algorithms
+# custom:
+# category: Security
+# rulename: HashAlgorithm
+# severity: HIGH
+# rulenumber: "001_0007"
+# remediation: Set the app's hash algorithm (App Settings > Runtime) to BCrypt or SSHA256.
+# input: "Settings$ProjectSettings.yaml"
+package app.mendix.project_settings.hash_algorithm
+
+import rego.v1
+
+annotation := rego.metadata.chain()[1].annotations
+
+default allow := false
+
+allow if count(errors) == 0
+
+errors contains error if {
+ not input.Settings.HashAlgorithm == "BCrypt"
+ not input.Settings.HashAlgorithm == "SSHA256"
+
+ error := sprintf(
+ "[%v, %v, %v] The application uses the %v hash algorithm, which is not recommended",
+ [
+ annotation.custom.severity,
+ annotation.custom.category,
+ annotation.custom.rulenumber,
+ input.Settings.HashAlgorithm,
+ ],
+ )
+}
diff --git a/rules/001_project_settings/001_0007_hash_algorithm_test.rego b/rules/001_project_settings/001_0007_hash_algorithm_test.rego
new file mode 100644
index 0000000..5c2ed2f
--- /dev/null
+++ b/rules/001_project_settings/001_0007_hash_algorithm_test.rego
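Review bot: The violation in `errors` silently disappears when `input.Settings.HashAlgorithm` is absent: both `not … == …` lines succeed on an undefined value, but the `sprintf` argument list then references the undefined field, so the whole rule body is undefined, `count(errors)` is 0 and `allow` becomes true — a missing or renamed key passes a HIGH-severity check. Read the field once with a default and test membership instead: `algorithm := object.get(input, ["Settings", "HashAlgorithm"], "<not set>")`, `not algorithm in {"BCrypt", "SSHA256"}`, and pass `algorithm` to `sprintf` in place of `input.Settings.HashAlgorithm`. Whether the exporter omits the key when an app still uses the Mendix default is not visible here; if it does, the rule also needs to know what that default is before it can judge it. Separately, the metadata `description` reads "Hashs algorithms … safest for data encryption" — these are password-hashing algorithms, not encryption, so `# description: Hashing algorithms BCrypt and SSHA256 are the recommended choices for storing user passwords.` would be accurate.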
@@ -0,0 +1,36 @@
+package app.mendix.project_settings.hash_algorithm_test
+
+import data.app.mendix.project_settings.hash_algorithm
+import rego.v1
+
+# Test data
+bcrypt := {"Settings": {
+ "$Type": "Settings$ModelSettings",
+ "HashAlgorithm": "BCrypt",
+}}
+
+ssha256 := {"Settings": {
+ "$Type": "Settings$ModelSettings",
+ "HashAlgorithm": "SSHA256",
+}}
+
+sha256 := {"Settings": {
+ "$Type": "Settings$ModelSettings",
+ "HashAlgorithm": "SHA256",
+}}
+
+md5 := {"Settings": {
+ "$Type": "Settings$ModelSettings",
+ "HashAlgorithm": "MD5",
+}}
+
+# Test cases
+test_should_allow_when_build_version_in_allowed_list if {
+ hash_algorithm.allow with input as bcrypt
+ hash_algorithm.allow with input as ssha256
+}
+
+test_should_deny_when_build_version_not_in_allowed_list if {
+ not hash_algorithm.allow with input as sha256
+ not hash_algorithm.allow with input as md5
+}
diff --git a/rules/001_project_settings/001_0008_check_security_on_user_roles.rego b/rules/001_project_settings/001_0008_check_security_on_user_roles.rego
new file mode 100644
index 0000000..93bc4c4
--- /dev/null
+++ b/rules/001_project_settings/001_0008_check_security_on_user_roles.rego
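Review bot: The test names `test_should_allow_when_build_version_in_allowed_list` and `test_should_deny_when_build_version_not_in_allowed_list` describe a build-version rule, not the hash algorithm, and will mislead whoever reads a failing test run; rename them to `test_should_allow_when_hash_algorithm_is_bcrypt_or_ssha256` and `test_should_deny_when_hash_algorithm_is_not_recommended`. The fixtures also never exercise a settings object without `HashAlgorithm`, which is the case where the rule under test evaluates to allow because its `sprintf` argument becomes undefined; a fixture for it fails against the rule as committed, which is exactly what it should document. The `$Type` in the fixtures is `Settings$ModelSettings` while the rule's `input` metadata names `Settings$ProjectSettings.yaml`; worth confirming which the exporter actually produces so the fixtures match real input.
```rego
# … unchanged: existing fixtures …
missing := {"Settings": {"$Type": "Settings$ModelSettings"}}

# … unchanged: existing test cases …
test_should_deny_when_hash_algorithm_missing if {
    not hash_algorithm.allow with input as missing
}
```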
@@ -0,0 +1,37 @@
+# METADATA
+# scope: package
+# title: Check security on user roles
+# description: Security should be checked for each user role, to make sure users can only access the minimum amount of data
+# authors:
+# - Bart Zantingh
+# custom:
+# category: Security
+# rulename: CheckSecurityOnUserRoles
+# severity: HIGH
+# rulenumber: "001_0008"
+# remediation: Check security for all user roles
+# input: "Security$ProjectSecurity.yaml"
+package app.mendix.project_settings.check_security_on_user_roles
+
+import rego.v1
+
+annotation := rego.metadata.chain()[1].annotations
+
+default allow := false
+
+allow if count(errors) == 0
+
+errors contains error if {
+ some user_role in input.UserRoles
+ not user_role.CheckSecurity
+
+ error := sprintf(
+ "[%v, %v, %v] User role %v is not checked for security",
+ [
+ annotation.custom.severity,
+ annotation.custom.category,
+ annotation.custom.rulenumber,
+ user_role.Name,
+ ],
+ )
+}
diff --git a/rules/001_project_settings/001_0008_check_security_on_user_roles_test.rego b/rules/001_project_settings/001_0008_check_security_on_user_roles_test.rego
new file mode 100644
index 0000000..ca72a4f
--- /dev/null
+++ b/rules/001_project_settings/001_0008_check_security_on_user_roles_test.rego
@@ -0,0 +1,24 @@
+package app.mendix.project_settings.check_security_on_user_roles_test
+
+import data.app.mendix.project_settings.check_security_on_user_roles
+import rego.v1
+
+# Test data
+check_for_security := {"UserRoles": [{
+ "CheckSecurity": true,
+ "Name": "Administrator",
+}]}
+
+not_check_for_security := {"UserRoles": [{
+ "CheckSecurity": false,
+ "Name": "Administrator",
+}]}
+
+# Test cases
+test_should_allow_when_checking_user_roles_for_security if {
+ check_security_on_user_roles.allow with input as check_for_security
+}
+
+test_should_deny_when_not_checking_user_roles_for_security if {
+ not check_security_on_user_roles.allow with input as not_check_for_security
+}
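Review bot: The `errors` rule drops a finding instead of reporting it when a role has no `Name`: `not user_role.CheckSecurity` holds for a missing or false flag, but `sprintf` then references `user_role.Name`, and one undefined argument makes the whole body undefined, so that role counts as compliant. Reading it with a default, `object.get(user_role, "Name", "<unnamed>")`, keeps the finding whatever the export looks like. The same shape applies one level up: when `input.UserRoles` is absent the `some … in` iteration yields nothing and `allow` is true, so if the exporter can omit that key an explicit `input.UserRoles` presence check, or a comment recording that no roles is deliberately treated as compliant, belongs in this rule. The metadata block also omits `related_resources`, unlike 001_0007; linking the Mendix reference-guide page that documents the user-role "Check security" option would help whoever triages a HIGH finding.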
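Review bot: Both fixtures hold a single `Administrator` role, so the tests cannot tell whether the rule inspects every element of `UserRoles` or only the first, and they assert on `allow` alone, never on the per-role message the rule builds. A fixture with one checked and one unchecked role, asserting on `errors` directly, would pin both the iteration and the message format that the rule name is visible in. An empty `UserRoles` list is also worth a case, so the decision that no roles counts as compliant is recorded rather than accidental.
```rego
# … unchanged: existing fixtures …
mixed := {"UserRoles": [
    {"CheckSecurity": true, "Name": "Administrator"},
    {"CheckSecurity": false, "Name": "User"},
]}

# … unchanged: existing test cases …
test_should_report_only_unchecked_roles if {
    errs := check_security_on_user_roles.errors with input as mixed
    count(errs) == 1
    some e in errs
    contains(e, "User role User is not checked for security")
}
```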