Package com.cloudforgeci.api.core.rules
Class ComplianceMatrix
java.lang.Object
com.cloudforgeci.api.core.rules.ComplianceMatrix
Multi-framework compliance control mapping matrix.
Maps CloudForge CI security controls to requirements across multiple compliance frameworks:
- PCI-DSS v3.2.1
- HIPAA Security Rule
- SOC 2 Trust Services Criteria
- GDPR (General Data Protection Regulation)
- NIST SP 800-53
- FedRAMP Moderate/High
This matrix helps organizations understand which infrastructure controls satisfy
requirements across multiple frameworks, reducing audit burden and demonstrating
comprehensive security coverage.
Each control maps to framework requirements with enforcement levels:
- REQUIRED - Must be implemented for framework compliance
- ADVISORY - Recommended but alternative controls acceptable
- NOT_APPLICABLE - Not relevant to this framework
Validation behavior depends on complianceMode:
- ENFORCE - REQUIRED controls block deployment, ADVISORY controls warn
- ADVISORY - All violations logged as warnings only
- DISABLED - No validation performed
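As an added usage example (not code from the CloudForge CI project), the gate below runs every SecurityControl through validateControlMultiFramework to decide whether a deployment may proceed, and calls validateControl per framework so the report names the framework that actually demands a failing control. It assumes ComplianceMode is an enum in the same package (the Javadoc refers to it unqualified) and that SecurityControl and ValidationResult are public nested enums as the summary lists them; the class name ComplianceGate, the Outcome record and the helper names are hypothetical, and the input in main is constructed.

```java
package com.cloudforgeci.api.core.rules; // assumption: same package as ComplianceMatrix and ComplianceMode

import java.util.ArrayList;
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;

/** Added example: a pre-deployment gate on top of ComplianceMatrix (hypothetical class). */
public final class ComplianceGate {

    /** What the gate found: failures block the deployment, warnings are only reported. */
    public record Outcome(List<String> failures, List<String> warnings) {
        public boolean blocksDeployment() { return !failures.isEmpty(); }
    }

    /**
     * Evaluate every control in the matrix against the selected frameworks.
     * Controls missing from the map count as disabled, so an incomplete
     * configuration fails closed instead of passing by omission.
     */
    public static Outcome evaluate(String frameworksStr, ComplianceMode mode,
                                   Map<ComplianceMatrix.SecurityControl, Boolean> enabled) {
        List<String> failures = new ArrayList<>();
        List<String> warnings = new ArrayList<>();

        for (ComplianceMatrix.SecurityControl control : ComplianceMatrix.SecurityControl.values()) {
            boolean isEnabled = enabled.getOrDefault(control, false);

            // Worst verdict across all selected frameworks (FAIL > WARN > PASS).
            ComplianceMatrix.ValidationResult verdict =
                ComplianceMatrix.validateControlMultiFramework(control, frameworksStr, isEnabled, mode);
            if (verdict == ComplianceMatrix.ValidationResult.PASS) {
                continue;
            }

            // Per-framework breakdown: validateControl takes exactly one framework,
            // so split the list the same way the matrix does (comma-separated).
            List<String> blame = new ArrayList<>();
            for (String framework : frameworksStr.split(",")) {
                String fw = framework.trim();
                if (fw.isEmpty()) continue;
                ComplianceMatrix.ValidationResult r =
                    ComplianceMatrix.validateControl(control, fw, isEnabled, mode);
                if (r != ComplianceMatrix.ValidationResult.PASS) blame.add(fw + "=" + r);
            }
            String line = "control=" + control + " enabled=" + isEnabled + "; " + String.join(", ", blame);
            if (verdict == ComplianceMatrix.ValidationResult.FAIL) failures.add(line);
            else warnings.add(line);
        }
        return new Outcome(List.copyOf(failures), List.copyOf(warnings));
    }

    /** Controls that must be switched on before the deployment can pass in the given mode. */
    public static EnumSet<ComplianceMatrix.SecurityControl> requiredControls(String frameworksStr,
                                                                             ComplianceMode mode) {
        EnumSet<ComplianceMatrix.SecurityControl> required =
            EnumSet.noneOf(ComplianceMatrix.SecurityControl.class);
        for (ComplianceMatrix.SecurityControl control : ComplianceMatrix.SecurityControl.values()) {
            if (ComplianceMatrix.isControlRequired(frameworksStr, mode, control)) {
                required.add(control);
            }
        }
        return required;
    }

    public static void main(String[] args) {
        // Constructed input: no control enabled, so the run shows which controls
        // each mode would block versus merely warn about for PCI-DSS plus HIPAA.
        Map<ComplianceMatrix.SecurityControl, Boolean> nothingEnabled =
            new EnumMap<>(ComplianceMatrix.SecurityControl.class);
        String frameworks = "PCI-DSS,HIPAA";

        System.out.println("Must enable under ENFORCE: " + requiredControls(frameworks, ComplianceMode.ENFORCE));
        for (ComplianceMode mode : ComplianceMode.values()) { // assumes ComplianceMode is an enum
            Outcome outcome = evaluate(frameworks, mode, nothingEnabled);
            System.out.printf("%-9s blocks=%-5s failures=%d warnings=%d%n",
                mode, outcome.blocksDeployment(), outcome.failures().size(), outcome.warnings().size());
            outcome.failures().forEach(f -> System.out.println("  FAIL " + f));
            outcome.warnings().forEach(w -> System.out.println("  WARN " + w));
        }
        if (evaluate(frameworks, ComplianceMode.ENFORCE, nothingEnabled).blocksDeployment()) {
            System.exit(1); // non-zero exit so a CI step fails on a REQUIRED control
        }
    }
}
```

Requires Java 17 or later (records, switch-free enum handling as written). Running the same configuration under all three modes is the quickest way to confirm that ADVISORY never produces a FAIL and DISABLED produces nothing at all, before wiring the gate into a pipeline.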
Nested Class Summary
Modifier and Type, Class, Description:
- static final record: Framework-specific requirement with enforcement level.
- static enum: Requirement enforcement level for a control within a compliance framework.
- static enum ComplianceMatrix.SecurityControl: Security control definitions mapped to framework requirements.
- static enum ComplianceMatrix.ValidationResult: Validation result for a control check.
Method Summary
Modifier and Type, Method, Description:
- static String generateDeploymentReport: Generate a deployment-specific compliance report showing which controls are enabled.
- static String generateFrameworkChecklist(String framework): Generate a framework-specific requirements checklist.
- static String generateMatrixReport: Generate a comprehensive compliance matrix report showing all controls and their mappings across frameworks.
- getSatisfiedFrameworks: Get frameworks satisfied by current deployment configuration.
- static boolean isControlRequired(String frameworksStr, ComplianceMode mode, ComplianceMatrix.SecurityControl control): Check if a security control should be enforced based on compliance requirements.
- static boolean shouldWarnForControl(String frameworksStr, ComplianceMode mode, ComplianceMatrix.SecurityControl control, boolean isEnabled): Check if warnings should be logged for a disabled control.
- static ComplianceMatrix.ValidationResult validateControl(ComplianceMatrix.SecurityControl control, String framework, boolean isEnabled, ComplianceMode complianceMode): Validates a control against framework requirements with complianceMode consideration.
- static ComplianceMatrix.ValidationResult validateControlMultiFramework(ComplianceMatrix.SecurityControl control, String frameworksStr, boolean isEnabled, ComplianceMode complianceMode): Validates a control against each framework in a comma-separated list and returns the worst result.
Method Details
generateMatrixReport
Generate a comprehensive compliance matrix report showing all controls and their mappings across frameworks.
generateFrameworkChecklist
Generate a framework-specific requirements checklist.
validateControl
public static ComplianceMatrix.ValidationResult validateControl(ComplianceMatrix.SecurityControl control, String framework, boolean isEnabled, ComplianceMode complianceMode)
Validates a control against the requirements of a single framework, taking complianceMode into account as described in the class description: a disabled REQUIRED control fails only in ENFORCE mode, a disabled ADVISORY control warns, ADVISORY mode downgrades every violation to a warning, and DISABLED mode performs no validation. Pass exactly one framework name here; for a comma-separated list use validateControlMultiFramework.
Parameters:
control - Security control to validate
framework - Compliance framework (e.g., "SOC2", "PCI-DSS")
isEnabled - Whether the control is currently enabled
complianceMode - Compliance enforcement mode
Returns:
Validation result (PASS, FAIL, or WARN)
validateControlMultiFramework
public static ComplianceMatrix.ValidationResult validateControlMultiFramework(ComplianceMatrix.SecurityControl control, String frameworksStr, boolean isEnabled, ComplianceMode complianceMode)
Validates a control against each framework in a comma-separated list and aggregates the per-framework results. Because the worst result wins, a single framework in which the control is REQUIRED is enough for a FAIL in ENFORCE mode, regardless of how the other frameworks rate it.
Parameters:
control - Security control to validate
frameworksStr - Comma-separated list of frameworks (e.g., "SOC2,PCI-DSS")
isEnabled - Whether the control is currently enabled
complianceMode - Compliance enforcement mode
Returns:
Worst validation result across all frameworks (FAIL > WARN > PASS)
generateDeploymentReport
Generate a deployment-specific compliance report showing which controls are enabled.
getSatisfiedFrameworks
Get frameworks satisfied by current deployment configuration.
isControlRequired
public static boolean isControlRequired(String frameworksStr, ComplianceMode mode, ComplianceMatrix.SecurityControl control)
Check if a security control should be enforced based on compliance requirements.
This method determines whether a control must be enabled based on:
- The selected compliance frameworks (e.g., "PCI-DSS,HIPAA")
- The compliance mode (ENFORCE, ADVISORY, DISABLED)
- The requirement level of the control in each framework
Enforcement logic:
- ENFORCE mode + control is REQUIRED in any framework → enforce (return true)
- ENFORCE mode + control is only ADVISORY → don't enforce (return false)
- ADVISORY mode → never enforce (return false, but may warn)
- DISABLED mode → never enforce (return false)
- No frameworks selected → never enforce (return false)
Since one REQUIRED mapping is enough, adding a framework to frameworksStr can only add required controls, never remove them. A control that is ADVISORY in every selected framework is never a hard requirement; use shouldWarnForControl to surface it instead.
Parameters:
frameworksStr - Comma-separated list of frameworks (e.g., "PCI-DSS,HIPAA,SOC2")
mode - Compliance mode (ENFORCE, ADVISORY, or DISABLED)
control - Security control to check
Returns:
true if the control should be enforced (must be enabled)
shouldWarnForControl
public static boolean shouldWarnForControl(String frameworksStr, ComplianceMode mode, ComplianceMatrix.SecurityControl control, boolean isEnabled)
Check if warnings should be logged for a disabled control.
Warnings are generated only when all of the following hold:
- Control is disabled (isEnabled = false)
- Mode is ADVISORY or ENFORCE
- At least one framework has requirements (REQUIRED or ADVISORY)
Note that this is true in ENFORCE mode for a REQUIRED control as well, so a control that blocks deployment also produces a warning; callers that want only the non-blocking cases must check isControlRequired first.
Parameters:
frameworksStr - Comma-separated list of frameworks
mode - Compliance mode
control - Security control to check
isEnabled - Whether the control is currently enabled
Returns:
true if warnings should be logged
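The enforcement rules of isControlRequired, the warning rules of shouldWarnForControl and the worst-of aggregation of validateControlMultiFramework are spelled out together in the following self-contained model, added here as an illustration; it is not the project's implementation and may differ from it in detail. The Level, Mode and Result enums, the control and framework names in the constructed mapping, and the helper names are all hypothetical. It goes slightly beyond the text by also handling a blank list, stray whitespace and a framework the matrix does not know, which the documented rules imply but do not show.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;

/** Added example: a stand-alone model of the documented ComplianceMatrix rules (hypothetical names). */
public final class EnforcementModel {

    enum Level { REQUIRED, ADVISORY, NOT_APPLICABLE }
    enum Mode { ENFORCE, ADVISORY, DISABLED }
    /** Declared in severity order so the worst result is simply the highest ordinal. */
    enum Result { PASS, WARN, FAIL }

    // Constructed mapping control -> framework -> level. Names are illustrative only.
    static final Map<String, Map<String, Level>> MATRIX = Map.of(
        "encryption-at-rest", Map.of("PCI-DSS", Level.REQUIRED, "HIPAA", Level.REQUIRED, "SOC2", Level.ADVISORY),
        "waf",                Map.of("PCI-DSS", Level.ADVISORY, "SOC2", Level.ADVISORY),
        "flow-logs",          Map.of("SOC2", Level.ADVISORY)
    );

    /** "PCI-DSS, HIPAA,," -> [PCI-DSS, HIPAA]; blank or null -> empty list (no frameworks selected). */
    static List<String> parseFrameworks(String frameworksStr) {
        if (frameworksStr == null || frameworksStr.isBlank()) return List.of();
        return Arrays.stream(frameworksStr.split(","))
                     .map(String::trim)
                     .filter(s -> !s.isEmpty())
                     .toList();
    }

    /** An unmapped framework or control means that framework has no opinion. */
    static Level level(String control, String framework) {
        return MATRIX.getOrDefault(control, Map.of()).getOrDefault(framework, Level.NOT_APPLICABLE);
    }

    /** isControlRequired: only ENFORCE mode blocks, and one REQUIRED mapping is enough. */
    static boolean isControlRequired(String frameworksStr, Mode mode, String control) {
        if (mode != Mode.ENFORCE) return false;
        return parseFrameworks(frameworksStr).stream()
                .anyMatch(fw -> level(control, fw) == Level.REQUIRED);
    }

    /** shouldWarnForControl: disabled, mode not DISABLED, and some framework has an opinion. */
    static boolean shouldWarnForControl(String frameworksStr, Mode mode, String control, boolean isEnabled) {
        if (isEnabled || mode == Mode.DISABLED) return false;
        return parseFrameworks(frameworksStr).stream()
                .anyMatch(fw -> level(control, fw) != Level.NOT_APPLICABLE);
    }

    /** validateControl for a single framework. */
    static Result validateControl(String control, String framework, boolean isEnabled, Mode mode) {
        if (mode == Mode.DISABLED || isEnabled) return Result.PASS;   // nothing to validate
        return switch (level(control, framework)) {
            case NOT_APPLICABLE -> Result.PASS;
            case ADVISORY       -> Result.WARN;                      // never blocks
            case REQUIRED       -> mode == Mode.ENFORCE ? Result.FAIL : Result.WARN;
        };
    }

    /** validateControlMultiFramework: worst result wins (FAIL > WARN > PASS). */
    static Result validateControlMultiFramework(String control, String frameworksStr, boolean isEnabled, Mode mode) {
        Result worst = Result.PASS;
        for (String fw : parseFrameworks(frameworksStr)) {
            Result r = validateControl(control, fw, isEnabled, mode);
            if (r.ordinal() > worst.ordinal()) worst = r;
        }
        return worst;
    }

    public static void main(String[] args) {
        // Selections exercise a REQUIRED hit, an ADVISORY-only hit, messy whitespace and an empty list.
        String[] selections = { "PCI-DSS,HIPAA", "SOC2", " PCI-DSS , SOC2 ", "" };
        System.out.printf("%-18s %-9s %-18s %-8s %-5s %s%n", "control", "mode", "frameworks", "verdict", "req", "warn");
        for (String control : new TreeSet<>(MATRIX.keySet())) {
            for (Mode mode : Mode.values()) {
                for (String sel : selections) {
                    // Every control disabled: the case a deployment gate cares about.
                    System.out.printf("%-18s %-9s %-18s %-8s %-5s %s%n", control, mode, "\"" + sel + "\"",
                        validateControlMultiFramework(control, sel, false, mode),
                        isControlRequired(sel, mode, control),
                        shouldWarnForControl(sel, mode, control, false));
                }
            }
        }
    }
}
```

The table main prints makes the two asymmetries in the rules visible at a glance: req is true only on ENFORCE rows that contain a REQUIRED framework, while warn is true on every ENFORCE and ADVISORY row that has any mapping at all, so a blocking row is also a warning row. Requires Java 17 or later for the switch expression and Stream.toList().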