Skip to content

Auto-PR: security(anythingllm): CIS hardening play + encrypted-at-rest data volume (Phase A)#92

Merged
ncimino merged 1 commit into
mainfrom
feature/nik-cis-hardening-data-volume
Jul 15, 2026
Merged

Auto-PR: security(anythingllm): CIS hardening play + encrypted-at-rest data volume (Phase A)#92
ncimino merged 1 commit into
mainfrom
feature/nik-cis-hardening-data-volume

Conversation

@weown-bot

Copy link
Copy Markdown
Contributor

🤖 Automated Pull Request — authored by weown-bot (ecosystem service account)

Opened by: @ncimino
Last pushed by: @ncimino
Branch: feature/nik-cis-hardening-data-volumemain

Contributors on this branch:


📋 Human Review Checklist — NIST CSF 2.0 Functions

Review per the 6 NIST CSF Functions. Frameworks referenced: NIST CSF 2.0, CIS Controls v8 IG1, CSA CCM v4, ISO/IEC 27001:2022, SOC 2, ISO/IEC 42001:2023. See docs/COMPLIANCE_ROADMAP.md.

🏛️ Govern (GV)

  • CODEOWNERS correct for affected paths (.github/CODEOWNERS)
  • ADR required/updated if an architectural decision is introduced
  • Policy impact considered and documented
  • All Copilot AI review comments addressed or explicitly deferred with rationale

🔍 Identify (ID)

  • New assets inventoried (Helm values, container images, dependencies)
  • SBOM regenerated if dependencies changed
  • Risk register / threat model touched if threat surface changed (.github/SECURITY_ASSESSMENT.md)

🛡️ Protect (PR)

  • Least privilege: RBAC, ServiceAccounts, scoped PATs (NIST PR.AC, CIS 5/6, ISO A.5.15-A.5.18)
  • Secrets managed via Infisical (never --from-literal, never /tmp, always $(mktemp) — ISO A.8.24)
  • NetworkPolicy present for new deployments (NIST PR.AC-5, CIS 12, CSA IVS)
  • TLS 1.3 with strong cipher suites where applicable (NIST PR.DS-1, CIS 3)
  • Container security: non-root UID 1000+, Pod Security restricted (NIST PR.IP, CIS 4)

🕵️ Detect (DE)

  • Logs / metrics added for new components (NIST DE.CM, CIS 8/13)
  • Alert rules updated if thresholds change
  • Health checks (livenessProbe + readinessProbe) configured

🚨 Respond (RS)

  • Runbook updated if operational behavior changes (.github/INCIDENT_RESPONSE.md)
  • Incident response impact considered (escalation paths, on-call)

♻️ Recover (RC)

  • Backup strategy covers new persistent data (NIST RC.RP, CIS 11, ISO A.8.13)
  • Rollback procedure tested or documented
  • DR impact assessed for new critical components

📚 Documentation & Versioning

  • Relevant CHANGELOG.md updated (per-directory or repo-level /CHANGELOG.md)
  • #WeOwnVer version bumped per docs/VERSIONING_WEOWNVER.md
  • READMEs / ADRs / inline comments updated

📝 Recent Commits (full bodies for Copilot context)

d695e0d security(anythingllm): CIS hardening play + encrypted-at-rest data volume (Phase A)

Author: Nik
Date: Wed Jul 15 15:37:33 2026 -0600

Ports Phase A of the SOP-INFRA-012 baseline to customer instances:

  • ansible/harden.yml: devsec os_hardening + ssh_hardening (~CIS Ubuntu L1)
    with the Docker-safe ip_forward=1 task-var override; Lynis measurement;
    Docker-survival check. Root key-only SSH kept deliberately (fleet tooling
    is root@) - Phase B (ops-user, root-off) tracked for pre-first-customer.
  • ansible/requirements.yml: devsec.hardening collection.
  • terraform: digitalocean_volume (default 50GB, prevent_destroy,
    data_volume_size_gb var, 0 disables) - DO block storage is encrypted at
    rest, droplet local disk is not.
  • cloud-init setup-data-volume.sh: waits out the attach race, formats/mounts,
    points Docker data-root + backups dir at the encrypted volume before
    Docker installs.
  • copier var, tfvars example, compliance-table rows, CHANGELOG.

Verified: rendered harden.yml passes ansible-playbook --syntax-check;
setup-data-volume.sh bash -n clean; rendered main.tf parses (tofu fmt).



🔍 Copilot AI Review: Copilot is configured to auto-request review for bot-authored PRs. If an auto-created PR opens without an initial Copilot review, push a follow-up commit to the same open PR (review_on_push: true) to trigger review automatically.

👥 Required Reviewers: human approval enforced by branch protection + CODEOWNERS. @ncimino requested automatically.

📚 Review Guidelines: .github/copilot-instructions.md (phase-aware compliance directives)

🛠️ Workflow Operations: .github/workflows/README.md

Auto-generated by .github/workflows/auto-pr-to-main.yml

…lume (Phase A)

Ports Phase A of the SOP-INFRA-012 baseline to customer instances:

- ansible/harden.yml: devsec os_hardening + ssh_hardening (~CIS Ubuntu L1)
  with the Docker-safe ip_forward=1 task-var override; Lynis measurement;
  Docker-survival check. Root key-only SSH kept deliberately (fleet tooling
  is root@) - Phase B (ops-user, root-off) tracked for pre-first-customer.
- ansible/requirements.yml: devsec.hardening collection.
- terraform: digitalocean_volume (default 50GB, prevent_destroy,
  data_volume_size_gb var, 0 disables) - DO block storage is encrypted at
  rest, droplet local disk is not.
- cloud-init setup-data-volume.sh: waits out the attach race, formats/mounts,
  points Docker data-root + backups dir at the encrypted volume before
  Docker installs.
- copier var, tfvars example, compliance-table rows, CHANGELOG.

Verified: rendered harden.yml passes ansible-playbook --syntax-check;
setup-data-volume.sh bash -n clean; rendered main.tf parses (tofu fmt).
@weown-bot weown-bot requested a review from ncimino as a code owner July 15, 2026 22:13
@weown-bot weown-bot requested review from Copilot and removed request for Copilot July 15, 2026 22:13
@ncimino ncimino merged commit 6b5567a into main Jul 15, 2026
18 of 19 checks passed
@ncimino ncimino deleted the feature/nik-cis-hardening-data-volume branch July 15, 2026 22:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants