Skip to main content

Terraform static analysis for RBI/DPDPA compliance requirements

Project description

terraform-rbi-compliance-scanner

A Terraform static analysis tool that checks infrastructure code against RBI cybersecurity guidance and India's DPDPA data protection requirements not just generic cloud security best practices.

Most open-source IaC scanners (Checkov, tfsec, Terrascan) check for general misconfigurations like "is this S3 bucket public." They don't know anything about India-specific regulatory requirements like data localization mandates for financial data. This tool fills that gap.

Why this exists

"Is my S3 bucket public?" and "does my S3 bucket meet Indian data localization requirements?" are different questions and only the first one is covered by existing scanning tools. This project encodes the second kind of question as automated, CI/CD-enforceable rules.

Quick start

git clone https://github.com/swayam-crypto/terraform-rbi-compliance-scanner.git
cd terraform-rbi-compliance-scanner
pip install -r requirements.txt

PYTHONPATH=src python -m compliance_scanner.cli --path ./examples/sample_infra

Example output:

3 compliance violation(s) found:

[CRITICAL] RBI-001 — aws_s3_bucket.customer_transactions
  Resource 'customer_transactions' appears to hold sensitive financial/
  customer data but is provisioned in 'us-east-1', outside India.
  RBI data localization rules likely require ap-south-1 or ap-south-2.
  Reference: RBI Cybersecurity Framework — Data Localization requirement

Rules implemented

See docs/RULES.md for the full list and what each one checks.

Architecture

See docs/ARCHITECTURE.md for how the parser, rule engine, and reporting layers fit together, and the reasoning behind the design choices.

Running tests

pip install -r requirements-dev.txt
PYTHONPATH=src python -m pytest tests/ -v

CI/CD integration

This repo includes a working GitHub Actions workflow (.github/workflows/scan.yml) that runs the test suite and scans the example infrastructure on every push and pull request, failing the build if a critical violation is found. Point --path at your own Terraform directory to use it on real infrastructure.

Status

Early-stage, actively being built. Currently implements 2 of a planned 6 rules. Not yet validated by a compliance professional — see the disclaimer in docs/RULES.md.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

rbi_compliance_scanner-0.1.0.tar.gz (15.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

rbi_compliance_scanner-0.1.0-py3-none-any.whl (18.9 kB view details)

Uploaded Python 3

File details

Details for the file rbi_compliance_scanner-0.1.0.tar.gz.

File metadata

  • Download URL: rbi_compliance_scanner-0.1.0.tar.gz
  • Upload date:
  • Size: 15.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for rbi_compliance_scanner-0.1.0.tar.gz
Algorithm Hash digest
SHA256 9dd6fdb1fb9ccaa89c7dbbb43cc51674fed0b9b9e752ccde7f107212ca9fb126
MD5 6b775d99d9a597683ea17aba9dbae301
BLAKE2b-256 7bfb7ced0ff5aafeabf79e6ce493412d21a5ac950c68e219d446b7524c9ff0f7

See more details on using hashes here.

File details

Details for the file rbi_compliance_scanner-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for rbi_compliance_scanner-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 f61a29ef1bf61403db62a6355db68262d0b03b3a6d79c1c17a175ea577c74577
MD5 8321dba572dd09daa57a8e5b9af427fb
BLAKE2b-256 98a7859161cacab5bf8e65d168c8bf195c5b870ae343d80e15ff2feeb02d476a

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page