GRC OBSERVABILITY
Organisation summary across 2 repos: compliance 54%, NIST CSF 67%, AI systems 2, threats 5, leaks 0
REPO shipstuff/joeeftekhari.com · main · b22bb1a · 2 days ago

Machine-readable exports: JSON (full state), SARIF (code scanning), OSCAL (assessment), CSV (NIST CSF controls, EU AI Act articles, risk register, vulnerabilities)
COMPLIANCE
Compliance score   94%
NIST CSF 2.0       89%
EU AI Act          83%

NIST CSF 2.0 // 89% COMPLIANT

Function   Score   Pass  Partial  Fail
All         89%     15      2       1
GOVERN      75%      1      1       0
IDENTIFY    92%      5      1       0
PROTECT     83%      5      0       1
DETECT     100%      1      0       0
RESPOND    100%      2      0       0
RECOVER    100%      1      0       0

The percentages are consistent with scoring each control as 1 (pass), 0.5 (partial) or 0 (fail) and averaging over the controls in the function, e.g. GOVERN 1.5/2 = 75%, IDENTIFY 5.5/6 = 92%. The overall 89% is the same average over all 18 controls (16/18), not the mean of the six function scores.

CONTROL DETAILS

ID        STATUS   CONTROL  [SOC 2 criteria | ISO 27001 controls]
GV.PO-01  PASS     Governance and security policy documents exist  [CC1.1, CC1.2, CC5.3 | A.5.1]
GV.SC-01  PARTIAL  Third-party dependencies and services are inventoried and tracked  [CC9.2 | A.5.19, A.5.20, A.5.21, A.5.22]
ID.AM-01  PASS     Infrastructure hosting is documented  [CC6.1 | A.5.9]
ID.AM-02  PASS     Dependencies and third-party services are tracked  [CC6.1 | A.5.9, A.8.19]
ID.RA-01  PARTIAL  Dependency vulnerabilities are scanned  [CC3.2, CC7.1 | A.8.8]
ID.RA-02  PASS     Known vulnerability databases are checked (npm audit, GitHub Advisory Database)  [CC3.2 | A.5.6]
ID.RA-08  PASS     Vulnerability disclosure process and security contact published  [CC7.3 | A.5.24, A.6.8]
ID.IM-02  PASS     Automated scanning runs on code changes  [CC4.1, CC8.1 | A.8.8]
PR.AA-01  PASS     No secrets or credentials in source code  [CC6.1, CC6.2 | A.5.16, A.5.17]
PR.AA-05  PASS     Branch protection and code review requirements  [CC6.1, CC6.3 | A.5.15, A.8.3]
PR.DS-01  FAIL     Data collection points are documented with retention policies  [CC6.1, CC6.7 | A.5.10, A.8.24]
PR.DS-02  PASS     HTTPS enforced with valid certificate and HSTS  [CC6.1, CC6.7 | A.8.24, A.8.20]
PR.DS-10  PASS     Security headers mitigate in-browser data leakage and tampering  [CC6.1 | A.8.20, A.8.22, A.8.23]
PR.PS-01  PASS     Security configuration baseline is documented and scannable  [CC7.1, CC8.1 | A.8.9]
DE.CM-09  PASS     Secrets scanning and dependency monitoring on every push/PR  [CC7.1 | A.8.7, A.8.16]
RS.MA-01  PASS     Incident Response Plan exists  [CC7.3, CC7.4 | A.5.24, A.5.26]
RS.CO-02  PASS     Vulnerability disclosure and security contact are published  [CC7.3 | A.5.25, A.6.8]
RC.RP-01  PASS     IRP includes recovery procedures  [CC7.5 | A.5.29, A.5.30]

GAPS // 3 CONTROLS

ID        STATUS   EVIDENCE
GV.SC-01  PARTIAL  2 third-party services identified, 0 open advisories tracked. A supply-chain program additionally requires supplier agreements, risk tiering and periodic review, which a scanner cannot verify.
ID.RA-01  PARTIAL  Open dependency vulnerabilities: 1 critical, 3 high, 1 medium.
PR.DS-01  FAIL     10 data collection points, all 10 with undefined retention.
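
The function scores and the gap list above can be reproduced from the control statuses alone. The following is an added example, not the dashboard's own code: it takes rows of (control ID, status) such as the CSV "NIST CSF controls" export would supply, derives the CSF function from the ID prefix, and applies the weighting the page's numbers imply. That weighting (PASS = 1, PARTIAL = 0.5, FAIL = 0, averaged per function and over all controls) is an inference from the page, not something it documents; the status values embedded below are copied from the CONTROL DETAILS table.

```python
"""Recompute NIST CSF 2.0 function and overall scores from control statuses.

Added example, not the dashboard's code. The PASS/PARTIAL/FAIL weights are
an assumption inferred from the page's published percentages.
"""
from collections import defaultdict

# Assumed weighting; it reproduces every percentage on the page.
WEIGHTS = {"PASS": 1.0, "PARTIAL": 0.5, "FAIL": 0.0}

# Standard CSF 2.0 function prefixes as used in control IDs.
FUNCTIONS = {"GV": "GOVERN", "ID": "IDENTIFY", "PR": "PROTECT",
             "DE": "DETECT", "RS": "RESPOND", "RC": "RECOVER"}

# Statuses copied from the page's CONTROL DETAILS table.
CONTROLS = [
    ("GV.PO-01", "PASS"), ("GV.SC-01", "PARTIAL"),
    ("ID.AM-01", "PASS"), ("ID.AM-02", "PASS"), ("ID.RA-01", "PARTIAL"),
    ("ID.RA-02", "PASS"), ("ID.RA-08", "PASS"), ("ID.IM-02", "PASS"),
    ("PR.AA-01", "PASS"), ("PR.AA-05", "PASS"), ("PR.DS-01", "FAIL"),
    ("PR.DS-02", "PASS"), ("PR.DS-10", "PASS"), ("PR.PS-01", "PASS"),
    ("DE.CM-09", "PASS"),
    ("RS.MA-01", "PASS"), ("RS.CO-02", "PASS"),
    ("RC.RP-01", "PASS"),
]


def function_of(control_id):
    """Map a control ID like 'PR.DS-01' to its CSF function name."""
    prefix = control_id.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown CSF function prefix in {control_id!r}")
    return FUNCTIONS[prefix]


def score(controls):
    """Return (per-function percent, overall percent, per-function counts).

    The overall figure is the weighted mean over all controls, which is what
    the page reports (16/18 = 89%), not the mean of the function scores.
    """
    weights = defaultdict(list)
    counts = defaultdict(lambda: {"PASS": 0, "PARTIAL": 0, "FAIL": 0})
    for cid, status in controls:
        status = status.upper()
        if status not in WEIGHTS:
            raise ValueError(f"unknown status {status!r} for {cid}")
        fn = function_of(cid)
        weights[fn].append(WEIGHTS[status])
        counts[fn][status] += 1
    per_function = {fn: round(100 * sum(w) / len(w)) for fn, w in weights.items()}
    all_w = [w for ws in weights.values() for w in ws]
    overall = round(100 * sum(all_w) / len(all_w)) if all_w else 0
    return per_function, overall, dict(counts)


def gaps(controls):
    """Controls that are not fully passing, in table order."""
    return [(cid, s.upper()) for cid, s in controls if s.upper() != "PASS"]


if __name__ == "__main__":
    per_fn, overall, counts = score(CONTROLS)
    print(f"NIST CSF 2.0 overall: {overall}%")
    for fn in FUNCTIONS.values():
        c = counts.get(fn, {"PASS": 0, "PARTIAL": 0, "FAIL": 0})
        print(f"  {fn:<9}{per_fn.get(fn, 0):>4}%  "
              f"{c['PASS']}P {c['PARTIAL']}A {c['FAIL']}F")
    for cid, status in gaps(CONTROLS):
        print(f"gap: {cid} {status}")
```

Feeding the same function a different repo's export (or a different weighting in WEIGHTS) shows immediately how much a single PARTIAL moves a two-control function such as GOVERN, which is why the 75% there should be read as one partial control rather than a quarter of the governance work missing.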