diff --git a/.github/workflows/security-methodology-check.yml b/.github/workflows/security-methodology-check.yml index d245d83..1171c11 100644 --- a/.github/workflows/security-methodology-check.yml +++ b/.github/workflows/security-methodology-check.yml @@ -19,3 +19,6 @@ jobs: - name: Run methodology structure check run: bash scripts/check-security-methodology.sh + + - name: Run requirement traceability check + run: bash scripts/check-requirement-traceability.sh diff --git a/README.md b/README.md index 5779f89..6c293df 100644 --- a/README.md +++ b/README.md @@ -116,6 +116,14 @@ Secure-AI-Flow separates the AI delivery process into four roles. verify-methodology.sh ``` +## Automated Methodology Checks + +The repository includes automated checks for: + +- Structure validation with `scripts/check-security-methodology.sh`. +- Methodology verification with `scripts/verify-methodology.sh`. +- Requirement traceability validation with `scripts/check-requirement-traceability.sh`. + ## How to Use This Methodology ### Step 1: Fill Governance First diff --git a/scripts/check-requirement-traceability.sh b/scripts/check-requirement-traceability.sh new file mode 100755 index 0000000..f71bf36 --- /dev/null +++ b/scripts/check-requirement-traceability.sh @@ -0,0 +1,58 @@ +#!/usr/bin/env bash +set -euo pipefail + +python3 - <<'PY' +from pathlib import Path +import re +import sys + +requirements_path = Path("context/06-security-requirements.md") +specs_dir = Path("specs") +valid_id_pattern = re.compile(r"^[A-Z][A-Z0-9]+-[0-9]{3}$") +source_id_pattern = re.compile(r"\b[A-Z][A-Z0-9]+-\d{3}\b") + +valid_ids = set(source_id_pattern.findall(requirements_path.read_text(encoding="utf-8"))) + +errors = [] +for spec_path in sorted(specs_dir.glob("*.md")): + lines = spec_path.read_text(encoding="utf-8").splitlines() + in_security_requirements = False + + for line_number, line in enumerate(lines, start=1): + if line.startswith("## "): + in_security_requirements = line.strip() == "## Security Requirements" + continue + + if not in_security_requirements: + continue + + stripped = line.strip() + if not stripped or not stripped.startswith("-"): + continue + + bullet = stripped[1:].strip() + if bullet == "": + continue + + first_token = bullet.split()[0] + if not valid_id_pattern.fullmatch(first_token): + issue = "malformed ID" if ("-" in first_token or any(c.isdigit() for c in first_token)) else "missing ID" + value = first_token if issue == "malformed ID" else bullet + errors.append((spec_path, line_number, value, issue)) + continue + + if first_token not in valid_ids: + errors.append((spec_path, line_number, first_token, "unknown ID")) + +if errors: + for spec_path, line_number, value, issue in errors: + print("Invalid security requirement ID reference:", file=sys.stderr) + print(f" file: {spec_path}", file=sys.stderr) + print(f" line: {line_number}", file=sys.stderr) + print(f" issue: {issue}", file=sys.stderr) + print(f" value: {value}", file=sys.stderr) + print(f" valid IDs source: {requirements_path}", file=sys.stderr) + sys.exit(1) + +print("Requirement traceability check passed.") +PY diff --git a/scripts/check-security-methodology.sh b/scripts/check-security-methodology.sh index 5f973e1..9b0a96f 100755 --- a/scripts/check-security-methodology.sh +++ b/scripts/check-security-methodology.sh @@ -28,6 +28,7 @@ required_files=( "specs/001-secure-file-upload.md" "ci/security-gates.md" ".github/pull_request_template.md" + "scripts/check-requirement-traceability.sh" ) missing=0 diff --git a/scripts/verify-methodology.sh b/scripts/verify-methodology.sh index 747ef30..5d82d6b 100755 --- a/scripts/verify-methodology.sh +++ b/scripts/verify-methodology.sh @@ -26,6 +26,7 @@ required=( "context/15-security-stress-test-matrix.md" "ci/security-gates.md" "references/official-source-map.md" + "scripts/check-requirement-traceability.sh" ) missing=0 @@ -45,4 +46,6 @@ grep -q "Data" context/02-data-classification-and-privacy.md grep -q "Threat" context/04-threat-model.md grep -q "Reviewer" context/13-reviewer-playbook.md +bash scripts/check-requirement-traceability.sh + echo "Secure-AI-Flow methodology structure verified."