feat: policy subcommand + documentation overhaul + USECASES#30
Merged
…BUTING and RELEASES
- Fix duplicate domain in clone URL: github.com/github.com -> github.com
- Replace bare 'go build -o wardex .' with 'make build' for consistency
- Update release checklist to use 'make build' instead of 'go build'
- Align upload path with Makefile output: ./bin/wardex
- internal/policy/schema.go: DomainFile -> Control -> Exception structs
  Status type with O(1) validation via map[Status]bool (compliant | partial | non_compliant | not_applicable)
- internal/policy/loader.go: LoadDomain (single file) and LoadFramework (glob) with schema-only validation separated from business logic
  Errors always include the offending file path for debuggability
Three subcommands wired as cmd/policy/policy.go (package policy, PolicyCmd exported):
- wardex policy validate <dir>: CI gate — fails if any YAML breaks schema
- wardex policy list <dir>: tabwriter table with ID/title/status/owner/date
- wardex policy add --file --id --title --status [--owner] [--note]:
  upsert by ID, creates file if it does not exist, writes with 0o600 perms
  Flags --file, --id, --title are required; status defaults to non_compliant.
Example domain file for ISO 27001 Annex A.8 (Technological Controls). Demonstrates the full schema: status vocabulary, evidence_refs, exceptions with expiry and approved_by. Serves as a template for the 3 remaining ISO 27001 domains (organizational A.5, people A.6, physical A.7).
Complete, executable use cases for all major Wardex capabilities:
1. Compliance Gap Analysis baseline (wardex without --gate)
2. Release Gate BLOCK — CVSS 9.1 + EPSS 0.84 => risk 2.8 > appetite 2.0
3. Release Gate ALLOW — same CVE, WAF+segmentation+runtime => risk 0.9
4. Missing EPSS fail-close flow and wardex enrich epss HITL workflow
5. Formal risk acceptance with wardex accept request/verify
6. Multi-framework reporting: ISO 27001 / NIS 2 / DORA / SOC 2
7. Same CVE Log4Shell across 4 org profiles (14.2 bank vs 0.3 dev sandbox)
8. wardex policy validate/list/add workflow with pre-commit guidance
9. Snapshot delta: maturity evidence between audits (Jan->Mar)
10. Full Grype -> convert -> enrich -> gate CI/CD pipeline in GitHub Actions
Each scenario includes: copy-paste inputs, internal risk calculation, expected output, exit codes, and a 'What to learn' paragraph explaining the design intent.
Summary
This PR delivers three related improvements that together make Wardex significantly more approachable and production-ready:
1. Documentation Alignment (fix(docs))
   Resolved long-standing mismatches between the README instructions and the actual codebase:
   - `go build -o wardex .` → `make build` so the binary lands in `bin/wardex` as the usage examples expect
   - `--profile=minha-equipa` flag from the 'Como Usar' example (caused RBAC error on first run)
   - `github.com/github.com/...` → `github.com/...`
   - `make build` output
2. `wardex policy` Subcommand (feat)
   New governance-as-code capability for managing compliance control state in versioned YAML files:
   Subcommands:
   - `wardex policy validate <dir>`
   - `wardex policy list <dir>`
   - `wardex policy add --file --id --title --status`
   Verified:
   ```sh
   make build && ./bin/wardex policy validate frameworks/iso27001/ && ./bin/wardex policy list frameworks/iso27001/
   ```
   exits 0.
3. `doc/USECASES.md` — 10 Didactic Scenarios (docs)
   Complete executable use cases documenting every major Wardex capability:
   - (`wardex` without `--gate`)
   - `wardex enrich epss` HITL workflow
   - `wardex accept request/verify`
   - `wardex policy` validate/list/add with pre-commit suggestion
   Each scenario includes copy-paste inputs, step-by-step risk calculation, expected output, exit codes, and a 'What to learn' rationale.
Testing
```sh
make build
./bin/wardex --config=test/testdata/wardex-config.yaml \
  --gate=test/testdata/vulnerabilities.yaml \
  test/testdata/dummy_controls.yaml
./bin/wardex policy validate frameworks/iso27001/
./bin/wardex policy list frameworks/iso27001/
```
All exit 0.
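The following is an added example, not Wardex's own code, sketching the behaviour that the policy commit message above and item 2 of the summary describe: a `DomainFile -> Control -> Exception` model, a `Status` type validated in O(1) through a `map[Status]bool`, schema-only validation whose errors always carry the file path, and a `policy add` flow that upserts by ID, creates the file if missing, defaults the status to `non_compliant`, and writes with `0o600`. Assumptions not stated on the page: the example serialises with `encoding/json` (a standard-library stand-in for the project's YAML, so it runs without dependencies; swapping in a YAML codec changes only the `Unmarshal`/`MarshalIndent` calls), the exception fields `reason`/`expires`/`approved_by` and the top-level `domain` key are invented names, and the temp-file-plus-rename write is an addition so that a crash never leaves a truncated domain file.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Status is the control-state vocabulary; validStatus gives the O(1) membership check.
type Status string

const (
	Compliant     Status = "compliant"
	Partial       Status = "partial"
	NonCompliant  Status = "non_compliant"
	NotApplicable Status = "not_applicable"
)

var validStatus = map[Status]bool{
	Compliant: true, Partial: true, NonCompliant: true, NotApplicable: true,
}

// Valid reports whether s is one of the four allowed values (case-sensitive).
func (s Status) Valid() bool { return validStatus[s] }

// Exception is a time-boxed, approved deviation. Field names are assumed;
// the page only says exceptions carry an expiry and approved_by.
type Exception struct {
	Reason     string `json:"reason"`
	Expires    string `json:"expires"` // YYYY-MM-DD (assumed format)
	ApprovedBy string `json:"approved_by"`
}

// Control is one compliance control; ID is the upsert key.
type Control struct {
	ID           string      `json:"id"`
	Title        string      `json:"title"`
	Status       Status      `json:"status"`
	Owner        string      `json:"owner,omitempty"`
	Note         string      `json:"note,omitempty"`
	EvidenceRefs []string    `json:"evidence_refs,omitempty"`
	Exceptions   []Exception `json:"exceptions,omitempty"`
}

// DomainFile holds one domain's controls (e.g. ISO 27001 Annex A.8). "domain" is an assumed key.
type DomainFile struct {
	Domain   string    `json:"domain"`
	Controls []Control `json:"controls"`
}

// Validate is schema-only: required fields, known status, unique IDs, complete exceptions.
// Business rules (e.g. an exception that has already expired) deliberately live elsewhere.
// Every error names the file so a failing CI gate is actionable.
func (d *DomainFile) Validate(path string) error {
	seen := make(map[string]bool, len(d.Controls))
	for i, c := range d.Controls {
		switch {
		case c.ID == "":
			return fmt.Errorf("%s: controls[%d]: missing id", path, i)
		case c.Title == "":
			return fmt.Errorf("%s: control %q: missing title", path, c.ID)
		case !c.Status.Valid():
			return fmt.Errorf("%s: control %q: unknown status %q", path, c.ID, c.Status)
		case seen[c.ID]:
			return fmt.Errorf("%s: duplicate control id %q", path, c.ID)
		}
		seen[c.ID] = true
		for j, e := range c.Exceptions {
			if e.Expires == "" || e.ApprovedBy == "" {
				return fmt.Errorf("%s: control %q: exceptions[%d]: expires and approved_by are required", path, c.ID, j)
			}
		}
	}
	return nil
}

// LoadDomain reads and validates a single domain file.
func LoadDomain(path string) (*DomainFile, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("%s: %w", path, err)
	}
	var d DomainFile
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, fmt.Errorf("%s: parse: %w", path, err)
	}
	if err := d.Validate(path); err != nil {
		return nil, err
	}
	return &d, nil
}

// Upsert replaces the control with the same ID in place or appends a new one;
// it returns true when an existing control was updated.
func (d *DomainFile) Upsert(c Control) bool {
	for i := range d.Controls {
		if d.Controls[i].ID == c.ID {
			d.Controls[i] = c
			return true
		}
	}
	d.Controls = append(d.Controls, c)
	return false
}

// AddControl is the `policy add` flow: default the status, load the file if it exists
// (start empty otherwise), upsert by ID, re-validate, and write back with 0o600 through
// a temp file + rename (an addition here) so a crash never leaves a half-written file.
func AddControl(path string, c Control) (updated bool, err error) {
	if c.Status == "" {
		c.Status = NonCompliant
	}
	if !c.Status.Valid() {
		return false, fmt.Errorf("%s: invalid --status %q", path, c.Status)
	}
	d := &DomainFile{}
	switch _, statErr := os.Stat(path); {
	case statErr == nil:
		if d, err = LoadDomain(path); err != nil {
			return false, err
		}
	case !errors.Is(statErr, os.ErrNotExist):
		return false, fmt.Errorf("%s: %w", path, statErr)
	}
	updated = d.Upsert(c)
	if err = d.Validate(path); err != nil {
		return false, err
	}
	out, err := json.MarshalIndent(d, "", "  ")
	if err != nil {
		return false, err
	}
	tmp := path + ".tmp"
	if err = os.WriteFile(tmp, append(out, '\n'), 0o600); err != nil {
		return false, err
	}
	if err = os.Rename(tmp, path); err != nil {
		os.Remove(tmp)
		return false, err
	}
	return updated, nil
}

func main() {
	// Constructed sample run: two adds, then an upsert of the first control by ID.
	path := filepath.Join(os.TempDir(), "iso27001-a8-example.json")
	defer os.Remove(path)
	for _, c := range []Control{
		{ID: "A.8.1", Title: "User endpoint devices"}, // status defaults to non_compliant
		{ID: "A.8.2", Title: "Privileged access rights", Status: Partial, Owner: "iam-team"},
		{ID: "A.8.1", Title: "User endpoint devices", Status: Compliant}, // same ID: update in place
	} {
		updated, err := AddControl(path, c)
		fmt.Printf("add %s: updated=%v err=%v\n", c.ID, updated, err)
	}
	d, err := LoadDomain(path)
	if err != nil {
		fmt.Println("validate:", err)
		os.Exit(1)
	}
	for _, c := range d.Controls {
		fmt.Printf("%-6s %-28s %-14s %s\n", c.ID, c.Title, c.Status, c.Owner)
	}
}
```

The `0o600` mode matters because the file is written by whoever runs the CLI and may carry owner names and exception justifications; `os.WriteFile` only applies the mode on creation, which is why the write goes to a fresh temp file that then replaces the target rather than truncating an existing file in place.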