audit-ready-pr-reviewer

Audit-Ready PR Reviewer

Reviews GitHub/GitLab pull requests specifically for compliance regressions. Shifts compliance "left" into the developer's daily workflow.

Quick Commands

Review a PR for SOC 2 compliance:

node scripts/review-pr.js myorg/infrastructure 42 SOC2

Review a PR for ISO 27001:

node scripts/review-pr.js myorg/infrastructure 42 ISO27001

Review a PR with custom framework:

node scripts/review-pr.js myorg/infrastructure 42 NIST80053

What It Checks

• Privilege Escalation - Detects overly permissive IAM roles/policies
• Encryption - Flags missing encryption at rest or in transit
• Tagging/Labeling - Ensures required tags/labels are present
• Network Security - Validates VPC configurations, security groups
• Access Controls - Checks authentication and authorization
• Logging - Verifies audit logging is enabled
• Backup/Recovery - Ensures backup configurations

Output Format

Posts GitHub comments with:

• ⚠️ Warning level and control reference
• 📝 Description of the issue
• ✅ Suggested fix with code example
• 🔗 Link to relevant compliance control

Example Comment

⚠️ **Compliance Warning: SOC 2 CC6.1 - Least Privilege**

This PR introduces an IAM role with `AdministratorAccess`, which violates the Least Privilege principle.

**Issue:** Line 23 in `terraform/iam.tf` assigns full administrative access.

**Suggested Fix:**
```hcl
resource "aws_iam_role" "app_role" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "s3:GetObject",
        "s3:PutObject"
      ]
      Resource = "arn:aws:s3:::my-bucket/*"
    }]
  })
}

Control Reference: SOC 2 CC6.1, NIST 800-53 AC-6

## Prerequisites

- GitHub repository (owner/repo format)
- PR number
- `GITHUB_TOKEN` environment variable (requires `repo` scope)
- Optional: Framework name (defaults to SOC2)