Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
109 changes: 109 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
name: Bug report
description: Report a bug in Shasta or Whitney
title: "[Bug]: "
labels: ["bug", "triage"]
body:
- type: markdown
attributes:
value: |
Thanks for taking the time to file a bug report. Please fill out the
sections below so we can reproduce and fix the issue quickly.

For **security vulnerabilities**, do not use this form — email
`contact@transilience.ai` per [`SECURITY.md`](../blob/main/SECURITY.md).

- type: dropdown
id: component
attributes:
label: Component
description: Which part of Shasta is affected?
options:
- AWS check module (src/shasta/aws/**)
- Azure check module (src/shasta/azure/**)
- Whitney code scanner (src/whitney/code/**)
- Whitney cloud scanner (src/whitney/cloud/**)
- Compliance framework / scoring
- Remediation templates
- Policy generator
- Dashboard
- Claude Code skill (.claude/skills/**)
- Docs
- CI / build
- Other
validations:
required: true

- type: input
id: affected_module
attributes:
label: Affected module or file
description: If you know it, paste the file path (e.g. `src/shasta/aws/iam.py`).
placeholder: src/shasta/aws/iam.py

- type: textarea
id: description
attributes:
label: Bug description
description: What happened? What did you expect to happen instead?
validations:
required: true

- type: textarea
id: repro
attributes:
label: Steps to reproduce
description: Minimal steps a maintainer can follow.
value: |
1.
2.
3.
validations:
required: true

- type: textarea
id: expected
attributes:
label: Expected behavior
validations:
required: true

- type: textarea
id: actual
attributes:
label: Actual behavior
validations:
required: true

- type: dropdown
id: bug_type
attributes:
label: Bug type
options:
- False positive (check flagged something that is compliant)
- False negative (check missed something that is non-compliant)
- Crash / unhandled exception
- Incorrect output / wrong framework mapping
- Performance regression
- Other
validations:
required: true

- type: textarea
id: environment
attributes:
label: Environment
description: OS, Python version, Shasta version, cloud region / subscription if relevant.
value: |
- OS:
- Python version:
- Shasta version (`pip show shasta | grep Version`):
- AWS region / Azure subscription:
validations:
required: true

- type: textarea
id: logs
attributes:
label: Relevant logs or traceback
description: Paste any error output here. Redact secrets before submitting.
render: shell
11 changes: 11 additions & 0 deletions .github/ISSUE_TEMPLATE/config.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
blank_issues_enabled: false
contact_links:
- name: Questions and usage help
url: https://github.com/transilienceai/shasta/discussions
about: Please ask usage and setup questions in GitHub Discussions.
- name: Feature ideas discussion
url: https://github.com/transilienceai/shasta/discussions/categories/ideas
about: Discuss ideas before filing a formal feature request.
- name: Security vulnerability
url: mailto:contact@transilience.ai
about: Report security vulnerabilities by email, not in public issues.
66 changes: 66 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
name: Feature request
description: Propose a new feature, framework mapping, or improvement
title: "[Feature]: "
labels: ["enhancement"]
body:
- type: markdown
attributes:
value: |
Thanks for proposing an improvement. For a **new compliance check
module** specifically, please use the "New check proposal" template
instead — it encodes the engineering principles at intake.

- type: dropdown
id: category
attributes:
label: Category
options:
- New compliance check (use the "New check proposal" template instead)
- New framework mapping (e.g. mapping existing checks to a new control)
- New Terraform remediation template
- New Claude Code skill
- Dashboard / reporting improvement
- Docs improvement
- Developer experience / tooling
- Other
validations:
required: true

- type: textarea
id: problem
attributes:
label: Problem or motivation
description: What is the user problem you are trying to solve? Who benefits?
validations:
required: true

- type: textarea
id: solution
attributes:
label: Proposed solution
description: How would you like this to work?
validations:
required: true

- type: textarea
id: alternatives
attributes:
label: Alternatives considered
description: What other approaches did you think about and why did you reject them?

- type: dropdown
id: contribution
attributes:
label: Contribution willingness
description: Are you interested in submitting a PR for this?
options:
- Yes, I plan to open a PR
- Yes, but I would like guidance first
- No, I am just suggesting
validations:
required: true

- type: textarea
id: context
attributes:
label: Additional context
107 changes: 107 additions & 0 deletions .github/ISSUE_TEMPLATE/new_check_proposal.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
name: New check proposal
description: Propose a new compliance check module (AWS or Azure)
title: "[Check]: "
labels: ["enhancement", "new-check"]
body:
- type: markdown
attributes:
value: |
This template encodes the rules in
[`ENGINEERING_PRINCIPLES.md`](../blob/main/ENGINEERING_PRINCIPLES.md)
at the intake stage. Please fill in every field — the form is
deliberately opinionated so the PR that implements this check has
a clear green path through the integrity tests.

- type: dropdown
id: cloud
attributes:
label: Cloud
options:
- AWS
- Azure
- Both (single check, multi-cloud module)
validations:
required: true

- type: input
id: service
attributes:
label: Service or resource
description: Which service does this check apply to?
placeholder: S3 / Azure Key Vault / RDS / Cosmos DB ...
validations:
required: true

- type: textarea
id: framework_mapping
attributes:
label: Framework mapping
description: |
Which compliance controls does this check satisfy? List ALL that apply.
This enforces Principle 4 (frameworks belong on the `Finding` model).
value: |
- SOC 2 control ID:
- CIS AWS / CIS Azure control:
- ISO 27001 control:
- HIPAA safeguard (if applicable):
- MCSB control (Azure only, if applicable):
validations:
required: true

- type: dropdown
id: detection_approach
attributes:
label: Detection approach
description: How will the check determine compliance?
options:
- SDK listing (list_* / describe_*)
- Resource config lookup (get_*)
- Multi-region walker (AWS)
- Multi-subscription walker (Azure)
- Cross-service walker (see src/shasta/azure/private_endpoints.py for the pattern)
- Other
validations:
required: true

- type: dropdown
id: walker_eligible
attributes:
label: Walker-eligible?
description: |
Would this check duplicate logic across 3+ services? If yes, consider
writing a walker instead of a per-service function (Principle 7).
options:
- "No, this is a single-service check"
- "Yes, it would be redundant per-service — use a walker"
- "Unsure"
validations:
required: true

- type: textarea
id: multi_region
attributes:
label: Multi-region / multi-subscription behavior
description: |
How will this check iterate regions (AWS) or subscriptions (Azure)?
Enforces Principle 3 — single-region / single-subscription is never
the default.
validations:
required: true

- type: textarea
id: false_clean_risk
attributes:
label: False-clean risk
description: |
What happens on API error, missing permission, or empty results?
Enforces Principle 6 — `NOT_ASSESSED` on error, `NOT_APPLICABLE` on
legitimately empty, `FAIL` only on actual non-compliance. Describe
how each case will be handled.
validations:
required: true

- type: textarea
id: references
attributes:
label: References
description: CIS benchmark PDF, vendor docs, CVE, or existing similar check in this repo.
74 changes: 74 additions & 0 deletions .github/pull_request_template.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
<!--
Thanks for opening a PR. Please fill out every section — the integrity
workflow in .github/workflows/integrity.yml will reject the PR if any of
the load-bearing principles in CLAUDE.md / ENGINEERING_PRINCIPLES.md are
violated, so checking them here first saves a round trip.
-->

## Summary

<!-- One paragraph: what does this PR change and why? -->

## Related issue

<!-- REQUIRED. PRs without a linked issue should not merge. -->

Closes #

## Changes

<!-- Bullet list of concrete changes. -->

-
-
-

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New compliance check
- [ ] New framework mapping (existing check → new control)
- [ ] New Terraform remediation template
- [ ] New Claude Code skill
- [ ] Refactor (no behavior change)
- [ ] Docs only
- [ ] Tests only
- [ ] CI / build

## Engineering principles checklist

These mirror the 8 load-bearing rules in
[`CLAUDE.md`](../blob/main/CLAUDE.md). Tick each one that applies to this PR.

- [ ] **Doc-vs-code drift considered.** Any numeric claim I added or
changed in `README.md` / `TRUST.md` has a matching test in
`tests/test_integrity/test_doc_claims.py`. (Principle 1)
- [ ] **No stub functions introduced.** Every new `check_* / run_* /
generate_*` function has a real body. (Principle 2)
- [ ] **Multi-region / multi-subscription by default.** New AWS checks
iterate `client.get_enabled_regions()`; new Azure checks iterate
subscriptions via `AzureClient.for_subscription`. (Principle 3)
- [ ] **Framework controls populated on `Finding`.** I did not embed
control IDs in description strings. (Principle 4)
- [ ] **Zero LLM calls in the detection path.** The default scan / scoring
/ mapping path is deterministic. (Principle 5)
- [ ] **`NOT_ASSESSED` vs `NOT_APPLICABLE` vs `FAIL` used correctly.**
Empty results are not conflated with errors. (Principle 6)
- [ ] **Walker pattern considered.** If this PR touches ≥3 similar checks
across services, I evaluated whether a walker would be cleaner.
(Principle 7)
- [ ] **`/audit` slash command run.** Claude Code audit passed on the
staged diff. (pre-commit discipline)

## Tests run locally

- [ ] `pytest tests/test_integrity/` (doc-vs-code drift)
- [ ] `pytest tests/test_aws/test_aws_sweep_smoke.py` (AWS structural)
- [ ] `pytest tests/test_azure/test_smoke.py` (Azure structural)
- [ ] `pytest` (full suite)
- [ ] `ruff check src/ tests/` and `ruff format --check src/ tests/`

## Additional notes

<!-- Anything reviewers should know: migration concerns, follow-up work,
rollout plan, etc. -->
Loading
Loading