# Tracking: Sentinel build-out — audit rules, CI concerns, project hygiene Umbrella tracking issue for Sentinel's core build-out. PRs reference this with `Refs #<this-issue>`; tasks are checked off as their PRs merge. ## Audit rules - [x] `s3-public-access` — flag S3 buckets granting access to AllUsers - [x] `s3-no-encryption` — flag S3 buckets without server-side encryption - [x] `iam-no-mfa` — flag IAM users without MFA enabled - [ ] `ec2-public-ingress` — flag security groups with 0.0.0.0/0 ingress - [ ] `iam-stale-keys` — flag access keys older than a threshold ## CI concerns (six jobs) - [x] `lint` — static analysis (ruff, actionlint, yamllint, markdownlint) - [x] `unit-test` — pytest, per-rule unit coverage - [ ] `integration-test` — rules exercised against mocked AWS (moto / LocalStack) - [ ] `e2e-test` — full scan against a fixture account - [ ] `security` — secret scan (gitleaks ✅), dependency audit (pip-audit), SAST (bandit) - [ ] `build` — container image (multi-stage, non-root, pinned base) ## Repository configuration - [x] Dependabot (`uv` + `github-actions`, weekly) - [x] Branch protection: PR required, signed commits, required status checks - [ ] Confirm intended linear-history setting on `main` ruleset ## Documentation - [x] ADR-0001 — merge strategy - [ ] Update `README.md` status section to reflect current rules and CI - [ ] `CONTRIBUTING.md` - [ ] `SECURITY.md` - [ ] `.github/ISSUE_TEMPLATE/` (bug, feature) - [ ] `.github/PULL_REQUEST_TEMPLATE.md` - [ ] `ARCHITECTURE.md` — once service structure is meaningful
Tracking: Sentinel build-out — audit rules, CI concerns, project hygiene
Umbrella tracking issue for Sentinel's core build-out. PRs reference this with
Refs #<this-issue>; tasks are checked off as their PRs merge.Audit rules
s3-public-access— flag S3 buckets granting access to AllUserss3-no-encryption— flag S3 buckets without server-side encryptioniam-no-mfa— flag IAM users without MFA enabledec2-public-ingress— flag security groups with 0.0.0.0/0 ingressiam-stale-keys— flag access keys older than a thresholdCI concerns (six jobs)
lint— static analysis (ruff, actionlint, yamllint, markdownlint)unit-test— pytest, per-rule unit coverageintegration-test— rules exercised against mocked AWS (moto / LocalStack)e2e-test— full scan against a fixture accountsecurity— secret scan (gitleaks ✅), dependency audit (pip-audit), SAST (bandit)build— container image (multi-stage, non-root, pinned base)Repository configuration
uv+github-actions, weekly)mainrulesetDocumentation
README.mdstatus section to reflect current rules and CICONTRIBUTING.mdSECURITY.md.github/ISSUE_TEMPLATE/(bug, feature).github/PULL_REQUEST_TEMPLATE.mdARCHITECTURE.md— once service structure is meaningful