Skip to main content

Terraform static analysis for RBI/DPDPA compliance requirements

Project description

terraform-rbi-compliance-scanner

A Terraform static analysis tool that checks infrastructure code against RBI cybersecurity guidance and India's DPDPA data protection requirements not just generic cloud security best practices.

Most open-source IaC scanners (Checkov, tfsec, Terrascan) check for general misconfigurations like "is this S3 bucket public." They don't know anything about India-specific regulatory requirements like data localization mandates for financial data. This tool fills that gap.

Why this exists

"Is my S3 bucket public?" and "does my S3 bucket meet Indian data localization requirements?" are different questions and only the first one is covered by existing scanning tools. This project encodes the second kind of question as automated, CI/CD-enforceable rules.

Quick start

git clone https://github.com/swayam-crypto/terraform-rbi-compliance-scanner.git
cd terraform-rbi-compliance-scanner
pip install -r requirements.txt

PYTHONPATH=src python -m compliance_scanner.cli --path ./examples/sample_infra

Example output:

3 compliance violation(s) found:

[CRITICAL] RBI-001 — aws_s3_bucket.customer_transactions
  Resource 'customer_transactions' appears to hold sensitive financial/
  customer data but is provisioned in 'us-east-1', outside India.
  RBI data localization rules likely require ap-south-1 or ap-south-2.
  Reference: RBI Cybersecurity Framework — Data Localization requirement

Rules implemented

See docs/RULES.md for the full list and what each one checks.

Architecture

See docs/ARCHITECTURE.md for how the parser, rule engine, and reporting layers fit together, and the reasoning behind the design choices.

Running tests

pip install -r requirements-dev.txt
PYTHONPATH=src python -m pytest tests/ -v

CI/CD integration

This repo includes a working GitHub Actions workflow (.github/workflows/scan.yml) that runs the test suite and scans the example infrastructure on every push and pull request, failing the build if a critical violation is found. Point --path at your own Terraform directory to use it on real infrastructure.

Status

Early-stage, actively being built. Currently implements 2 of a planned 6 rules. Not yet validated by a compliance professional — see the disclaimer in docs/RULES.md.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

rbi_compliance_scanner-0.2.0.tar.gz (16.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

rbi_compliance_scanner-0.2.0-py3-none-any.whl (21.8 kB view details)

Uploaded Python 3

File details

Details for the file rbi_compliance_scanner-0.2.0.tar.gz.

File metadata

  • Download URL: rbi_compliance_scanner-0.2.0.tar.gz
  • Upload date:
  • Size: 16.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for rbi_compliance_scanner-0.2.0.tar.gz
Algorithm Hash digest
SHA256 7dcf9d3c2098f97e7ee20a060535c22ef42b0b78c2aa0577fd9163c1e4a396f9
MD5 7c1b20e547c93eac01551d45e095a9c0
BLAKE2b-256 12da68ba5bbc54d274b7ede14995b0fbcff81605b077565494022b3eeb64a632

See more details on using hashes here.

Provenance

The following attestation bundles were made for rbi_compliance_scanner-0.2.0.tar.gz:

Publisher: publish.yml on swayam-crypto/terraform-rbi-compliance-scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file rbi_compliance_scanner-0.2.0-py3-none-any.whl.

File metadata

File hashes

Hashes for rbi_compliance_scanner-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 19aa5ee2cf9399d4eb04bd4218e50c8c352bc71f0e021d032b6dcf302010700c
MD5 0fc173feb1c27a832a5977e8c5abd561
BLAKE2b-256 b012a13050183636ccdfad274d8af8ec9479f7533583bf88c19b89d762d96eed

See more details on using hashes here.

Provenance

The following attestation bundles were made for rbi_compliance_scanner-0.2.0-py3-none-any.whl:

Publisher: publish.yml on swayam-crypto/terraform-rbi-compliance-scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page