Verify SBOM attestation

June 2, 2026 Β· View on GitHub

Hack23 Logo

πŸ›‘οΈ Riksdagsmonitor β€” Security Architecture

πŸ” Defense-in-Depth Protection for Swedish Parliament Transparency
🎯 Comprehensive Security Framework for Political Intelligence Platform

Owner Version Effective Date Review Cycle OpenSSF Best Practices

πŸ“‹ Document Owner: CEO | πŸ“„ Version: 2.5 | πŸ“… Last Updated: 2026-06-02 (UTC)
πŸ”„ Review Cycle: Annual | ⏰ Next Review: 2027-06-02
🏒 Owner: Hack23 AB (Org.nr 5595347807) | 🏷️ Classification: Public


DocumentFocusDescription
Security ArchitectureπŸ›‘οΈ SecurityCurrent document β€” Defense-in-depth controls
Threat Model🎯 ThreatsSTRIDE/MITRE ATT&CK analysis
Future Security ArchitectureπŸš€ Security RoadmapPlanned security improvements
ArchitectureπŸ›οΈ C4 ModelsSystem structure and components
Data ModelπŸ“Š DataEntities, schemas, relationships
FlowchartsπŸ”„ ProcessesProcess flows and pipelines
State DiagramsπŸ”„ BehaviorSystem state transitions
MindmapsπŸ—ΊοΈ ConceptsConceptual system maps
SWOT AnalysisπŸ’Ό StrategyStrategic position assessment
Future ArchitectureπŸš€ ArchitectureArchitectural evolution roadmap
Future Data ModelπŸš€ DataEnhanced data architecture
Future FlowchartsπŸš€ ProcessesImproved process workflows
Future State DiagramsπŸš€ BehaviorAdvanced state management
Future MindmapsπŸš€ ConceptsCapability expansion maps
Future SWOTπŸš€ StrategyFuture strategic opportunities
WorkflowsπŸ”§ DevOpsCI/CD automation and pipelines
CRA Assessmentβš–οΈ ComplianceEU Cyber Resilience Act conformity

Hack23 ISMS Policy References

PolicyFocusLink
Secure Development PolicySDLC security, architecture requirementsSecure_Development_Policy.md
Open Source PolicyOSS governance, license complianceOpen_Source_Policy.md
CRA Conformity Assessment ProcessCRA self-assessment templateCRA_Conformity_Assessment_Process.md
Threat Modeling PolicySTRIDE/MITRE ATT&CK methodologyThreat_Modeling.md
Classification FrameworkCIA triad, RTO/RPOCLASSIFICATION.md
gh-aw ArchitectureThree-layer agentic workflow security modelgh-aw Architecture

πŸ“‹ Table of Contents


🎯 Executive Summary

Riksdagsmonitor is a web platform providing Swedish Parliament intelligence and election monitoring capabilities. This document outlines the security architecture aligned with Hack23 AB's Information Security Management System (ISMS), Classification Framework, and compliance frameworks (ISO 27001, NIST CSF 2.0, CIS Controls v8.1).

Security Posture: Defense-in-depth architecture with dual-deployment (AWS CloudFront/S3 multi-region primary, GitHub Pages disaster recovery), HTTPS-only access, comprehensive CI/CD security controls, and SLSA Build Provenance attestations.

For complete CI/CD workflow documentation, see WORKFLOWS.md.


πŸ” ISMS Policy Alignment

Riksdagsmonitor security architecture is governed by and aligned with Hack23 AB's comprehensive Information Security Management System (ISMS). This ensures consistent security practices across all organizational assets.

πŸ“œ Governing Policies

Policy DocumentPurposeApplication to Riksdagsmonitor
Information Security PolicyOrganization-wide security governanceEstablishes security objectives, risk management framework, and accountability
Secure Development PolicySecure SDLC requirementsMandates security documentation (SECURITY_ARCHITECTURE.md, THREAT_MODEL.md, FUTURE_SECURITY_ARCHITECTURE.md), code scanning, vulnerability management
Classification FrameworkInformation classification schemeDefines handling requirements for Public/Internal/Confidential/Restricted data (see Β§2.3)
Incident Response PolicySecurity incident proceduresProvides escalation paths, response team structure, lessons learned process (see Β§2.7)
Access Control PolicyIdentity and access managementDefines MFA requirements, least privilege principles, access review cycles (see Β§2.1)

🎯 Policy Compliance Summary

  • βœ… Security Documentation: Complete (SECURITY_ARCHITECTURE.md, THREAT_MODEL.md, FUTURE_SECURITY_ARCHITECTURE.md)
  • βœ… Code Scanning: CodeQL, Dependabot, Secret Scanning enabled
  • βœ… Access Controls: MFA enforced, SSH keys, GPG signing mandatory
  • βœ… Vulnerability Management: SLAs defined (Critical: 24h, High: 7d, Medium: 30d, Low: 90d)
  • βœ… Incident Response: Documented procedures with escalation to CISO
  • βœ… Data Classification: Information classification scheme applied (Β§2.3)
  • βœ… Compliance Frameworks: ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1 mapped (Β§3)

Policy Review Cycle: All referenced policies reviewed annually by CISO. Next ISMS policy review: 2027-01-31.

1. πŸ—οΈ System Overview

1.1 🎯 Purpose and Scope

Purpose:

  • Monitor Swedish Riksdag political activity
  • Provide real-time intelligence on 349 MPs
  • Track coalition stability and election predictions
  • Deliver functional CIA-platform dashboards: committee, coalition, election-cycle, risk, anomaly detection, party, seasonal, pre-election, ministry, and politician analyses
  • OSINT-powered political transparency

Scope:

  • Web application with HTML/CSS/JavaScript (Chart.js, D3.js)
  • Functional dashboards bundled by Vite into hashed ES modules, lazy-loaded via IntersectionObserver (Chart.js, D3.js)
  • Multi-language support (14 languages)
  • CIA data integration with local CSV caching
  • AWS CloudFront + S3 hosting infrastructure (Primary)
  • GitHub Pages hosting infrastructure (Disaster Recovery)
  • AWS Route 53 DNS with health checks and automatic failover

1.2 πŸ” AWS Security Controls

AWS Infrastructure Security (Primary Deployment):

  • πŸ”‘ Authentication & Access Control:

    • GitHub Actions OIDC integration for AWS authentication (ephemeral credentials)
    • No long-lived AWS access keys or IAM user credentials stored
    • Least-privilege IAM roles with time-limited session tokens
    • S3 bucket policies restrict access to CloudFront Origin Access Identity only
  • πŸ“Š Audit Logging & Monitoring:

    • AWS CloudTrail enabled for all API activity logging
    • 90-day log retention in dedicated S3 audit bucket
    • CloudWatch metrics for S3, CloudFront, and Route 53
    • Real-time alerting on security events and anomalies
  • πŸ”’ Data Protection:

    • S3 server-side encryption at rest (AES-256)
    • S3 bucket versioning enabled for rollback capability
    • Cross-region replication (typically within minutes) (us-east-1 β†’ eu-west-1)
    • TLS 1.3 encryption in transit via CloudFront
  • πŸ›‘οΈ DDoS & Threat Protection:

    • AWS Shield Standard (automatic DDoS protection)
    • CloudFront geographic restrictions capability
    • Planned request rate limiting via AWS WAF rate-based rules associated with CloudFront
    • AWS Web Application Firewall (WAF) planned for advanced application-layer threat protection and rate limiting

1.3 Architecture Diagram

graph TB
    User[User Browser]
    Route53[AWS Route 53<br/>DNS + Health Checks]
    
    subgraph "Primary: AWS Infrastructure"
        CF[CloudFront CDN<br/>600+ Edge Locations]
        S3US[S3 Bucket us-east-1<br/>Primary Storage + Versioning]
        S3EU[S3 Bucket eu-west-1<br/>Cross-region Replica<br/>Active Failover Origin]
    end
    
    subgraph "Disaster Recovery: GitHub"
        GHCDN[GitHub Pages CDN<br/>Standby Deployment]
    end
    
    subgraph "GitHub Infrastructure"
        GitHubRepo[GitHub Repository<br/>main branch]
        Actions[GitHub Actions<br/>CI/CD Dual Deploy]
        Security[Security Scanning<br/>Dependabot, CodeQL, Secrets]
    end
    
    CIA[CIA Platform<br/>www.hack23.com/cia]
    
    User -->|DNS Query| Route53
    Route53 -->|DNS Response: CloudFront Primary| User
    Route53 -.->|DNS Response: GitHub Pages on Failover| User
    User -->|HTTPS Only TLS 1.3| CF
    User -.->|HTTPS Only TLS 1.3 (DR)| GHCDN
    
    CF -->|Cache Miss| S3US
    CF -.->|Origin Failover on 5xx errors| S3EU
    S3US -->|Async Cross-Region Replication (&lt;15 min RPO)| S3EU
    
    User -->|External Links| CIA
    
    GHCDN --> GitHubRepo
    Actions -->|Deploy| S3US
    Actions -->|Deploy| GitHubRepo
    Security -->|Monitor| GitHubRepo
    
    style User fill:#e1f5ff,color:#000000
    style Route53 fill:#ff9800,color:#000000
    style CF fill:#4caf50,color:#000000
    style S3US fill:#2196f3,color:#ffffff
    style GHCDN fill:#90caf9,color:#000000
    style Actions fill:#ff9800,color:#000000
    style Security fill:#f44336,color:#ffffff
    style CIA fill:#9c27b0,color:#ffffff

2. πŸ” Security Architecture Components

2.1 Authentication & Access Control

Public Access Model:

  • No Authentication Required: Static public website accessible to all
  • Content Management: GitHub repository access controlled via GitHub authentication
    • MFA required for all contributors
    • SSH keys with passphrase protection
    • GPG signing required for commits
    • Branch protection rules enforced

Control Mapping:

  • ISO 27001: A.9.2 User Access Management
  • NIST CSF 2.0: PR.AC-1 (Identities and credentials managed)
  • CIS Controls v8.1: 5.1 (Establish and Maintain an Inventory of Accounts)

2.2 Authorization Model

GitHub Repository Permissions:

  • Admin: Repository owners (Hack23 organization owners)
  • Write: Approved contributors with MFA
  • Read: Public access (website viewing)

CI/CD Pipeline Permissions:

  • Least privilege GitHub Actions permissions
  • Scoped GITHUB_TOKEN for workflow operations
  • Secrets management via GitHub Secrets

Control Mapping:

  • ISO 27001: A.9.4 System and Application Access Control
  • NIST CSF 2.0: PR.AC-4 (Access permissions managed)
  • CIS Controls v8.1: 6.8 (Define and Maintain Role-Based Access Control)

2.3 Data Security

Information Classification:

Following Hack23 AB ISMS information classification policy:

ClassificationData TypesHandling RequirementsStorage / Access Method
🟒 PublicWebsite content, Swedish Riksdag open data, documentationNo restrictions, TLS 1.3 in transitGitHub repository, AWS S3, GitHub Pages (CDN)
🟑 InternalGitHub Actions secrets, AWS credentials, deployment configsEncrypted at rest, MFA access, least privilegeGitHub Secrets, AWS IAM (ephemeral STS/OIDC)
🟠 ConfidentialNot applicableN/AN/A
πŸ”΄ RestrictedNot applicableN/AN/A

Data Inventory:

  • Public Data:
    • 14-language website (HTML/CSS)
    • Swedish Parliament data (349 MPs, 50+ years)
    • Election statistics, voting records
    • Government budget data
    • All source code and documentation
  • Internal Data:
    • GitHub repository and Actions access tokens (if used, e.g., optional PATs for local tooling)
    • AWS IAM credentials (ephemeral via OIDC)
    • GitHub Actions workflow secrets
  • No Sensitive End-User Data:
    • ❌ No end-user accounts or authentication features
    • ❌ No collection of non-public personal data from site users
    • ⚠️ Public personal data about Swedish public officials (e.g., names, person identifiers, roles) from Riksdag open data and cia-data datasets
      • Information classification: 🟒 Public (openly available data)
      • Privacy classification: Personal data – public-official (GDPR/PII handling still applies despite public availability)

Data Protection Controls:

In Transit:

  • TLS 1.3 encryption (AWS CloudFront + GitHub Pages)
  • HTTPS-only access enforced
  • HSTS headers configured (max-age=31536000)
  • Certificate transparency monitoring

At Rest:

  • AWS S3 server-side encryption (AES-256)
  • GitHub repository encryption at rest
  • GitHub Secrets encryption (Libsodium sealed boxes)
  • Immutable Git history for audit trail
  • S3 versioning enabled for rollback capability

Access Controls:

  • Public data: No authentication (intentionally public)
  • Internal data: GitHub MFA, SSH keys, GPG signing
  • AWS credentials: Ephemeral OIDC tokens only (no long-lived keys)
  • Least privilege IAM roles

Data Lifecycle:

  • Creation: Git commits with GPG signing
  • Storage: GitHub + AWS S3 with versioning
  • Access: TLS 1.3 encrypted channels only
  • Retention: Indefinite (public data), 90 days (AWS CloudTrail logs)
  • Deletion: Git history retained, S3 versioning for recovery

Control Mapping:

  • ISO 27001: A.5.10 (Acceptable use - data classification), A.10.1 (Cryptographic controls)
  • NIST CSF 2.0: PR.DS-1 (Data-at-rest protected), PR.DS-2 (Data-in-transit protected)
  • CIS Controls v8.1: 3.1 (Establish data management), 3.10 (Encrypt data in transit)

2.4 Network Security

AWS CloudFront Infrastructure (Primary):

  • DDoS Protection: AWS Shield Standard (automatic protection)
  • CDN: 600+ global edge locations
  • WAF: Available for application-layer protection (roadmap: 2027 Q2)
  • TLS: CloudFront managed certificates with TLS 1.3
  • Firewall: AWS infrastructure-level protection

GitHub Pages Infrastructure (Disaster Recovery):

  • DDoS Protection: GitHub infrastructure-level protection
  • CDN: GitHub Pages CDN for global distribution
  • Firewall: GitHub-managed infrastructure firewall

Security Headers (Target Configuration - AWS CloudFront Response Headers Policy):

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://raw.githubusercontent.com
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()

Note: CSP style-src includes 'unsafe-inline' for Chart.js/D3.js inline styles; script-src uses 'self' plus per-script sha256 hashes for the small bootstrap snippets (no 'unsafe-inline' for scripts). The connect-src directive includes https://raw.githubusercontent.com to allow fetching CIA CSV data from the cia repository. Security headers are configured via AWS CloudFront Response Headers Policy for the primary deployment. GitHub Pages disaster recovery inherits default GitHub Pages security headers. Chart.js, D3.js, chartjs-plugin-annotation and Mermaid are hosted locally on CloudFront (js/lib/) rather than via external CDN, eliminating external script dependencies (CI-enforced by tests/no-external-cdn.test.ts).

Control Mapping:

  • ISO 27001: A.13.1 Network Security Management
  • NIST CSF 2.0: PR.AC-5 (Network integrity protected)
  • CIS Controls v8.1: 13.1 (Centralize Security Event Alerting)

2.5 Application Security

Web Application Security:

  • Client-Side JavaScript: Chart.js and D3.js for interactive dashboards
    • All dashboards are functional TypeScript modules under src/browser/dashboards/, bundled by Vite into hashed ES modules and lazy-loaded on demand via an IntersectionObserver β€” each module's import() fires only when its container scrolls into view
    • The homepage (src/browser/main.ts) registers 11 specialised dashboards; the CIA Intelligence Dashboard page (dashboard/index*.html) is orchestrated by src/browser/cia/dashboard-init.ts
    • No inline application scripts and no HTML-only placeholder sections remain β€” every dashboard section initialises real JavaScript
  • XSS Mitigation: Content Security Policy (CSP) headers with script-src restrictions
  • Input Sanitization: CIA CSV data is subjected to best-effort, non-blocking schema validation during CI/data-integration workflows (e.g., .github/workflows/validate-cia-data.yml); validation failures currently surface as warnings rather than blocking publication, and client-side code then parses this CSV (D3 CSV utilities/custom parsers) and applies basic sanity checks prior to rendering via Chart.js/D3.js
  • External Dependencies:
    • Chart.js v4.4.1 (hosted locally on CloudFront/S3 at js/lib/chart.umd.4.4.1.js)
    • chartjs-plugin-annotation v3.0.1 (hosted locally on CloudFront/S3 at js/lib/chartjs-plugin-annotation.3.0.1.min.js)
    • chartjs-adapter-date-fns v3.0.0 bundle (hosted locally on CloudFront/S3 at js/lib/chartjs-adapter-date-fns.3.0.0.bundle.min.js) - for time-series charts
    • D3.js v7.9.0 (hosted locally on CloudFront/S3 at js/lib/d3.7.9.0.min.js)
    • Papa Parse v5.5.3 (hosted locally on CloudFront/S3 at js/lib/papaparse.5.5.3.min.js) - for CSV parsing
    • Google Fonts (Inter, Orbitron, Share Tech Mono - via fonts.googleapis.com and fonts.gstatic.com CDN)
  • CIA Data Integration: Fetches CSV data from https://raw.githubusercontent.com/Hack23/cia/ that is subject to non-blocking CI schema validation checks in pre-processing (e.g., .github/workflows/validate-cia-data.yml), with local caching for performance; the browser consumes this dataset which may contain validation warnings
  • No User Input Processing: Dashboards do not accept or process arbitrary user input; they display pre-processed CIA data generated upstream in CI/data pipelines that has passed non-blocking schema validation checks where configured
  • No Server-Side Code: Static hosting eliminates injection vulnerabilities

Dashboard Security:

  • Functional Dashboard Modules (all initialise Chart.js / D3.js):
  1. Committee Dashboard (src/browser/dashboards/committees-dashboard.ts) βœ…
  2. Coalition Dashboard (src/browser/dashboards/coalition-dashboard.ts + coalition-loader.ts) βœ…
  3. Election Cycle Dashboard (src/browser/dashboards/election-cycle.ts) βœ…
  4. Risk Dashboard (src/browser/dashboards/risk-dashboard.ts) βœ…
  5. Anomaly Detection Dashboard (src/browser/dashboards/anomaly-detection.ts β€” standalone timeline, Z-score distribution, type, and quarterly-frequency charts) βœ…
  6. Party Performance Dashboard (src/browser/dashboards/party-dashboard.ts) βœ…
  7. Seasonal Patterns Dashboard (src/browser/dashboards/seasonal-patterns.ts) βœ…
  8. Pre-Election Monitoring Dashboard (src/browser/dashboards/pre-election.ts) βœ…
  9. Ministry Dashboard (src/browser/dashboards/ministry-dashboard.ts) βœ…
  10. Politician Dashboard (src/browser/dashboards/politician-dashboard.ts) βœ…

Dependency Management:

  • Chart.js, D3.js, chartjs-plugin-annotation, chartjs-adapter-date-fns, and Papa Parse hosted locally on CloudFront/S3 (js/lib/); versions reviewed manually at least quarterly and after critical CVE disclosures
  • Library file integrity can be verified via SHA-256 hashes if needed for deployment validation (not required for runtime as served from same origin)
  • Dependabot configured for GitHub Actions workflows (.github/dependabot.yml) and automated dependency risk assessment for repository-managed components via GitHub dependency-review and Dependabot alerts
  • Supply chain security scanning via CodeQL and OpenSSF Scorecards

Control Mapping:

  • ISO 27001: A.14.2 Security in Development and Support
  • NIST CSF 2.0: PR.IP-12 (A vulnerability management plan developed)
  • CIS Controls v8.1: 16.1 (Establish and Maintain a Secure Application Development Process)

2.5.1 News Pipeline Sanitisation Chain

The news-generation pipeline (scripts/aggregate-analysis.ts β†’ scripts/render-articles.ts β†’ scripts/render-lib/) produces HTML articles from AI-authored markdown artifacts under analysis/daily/$DATE/$SUB/. The AI-authored markdown is an untrusted input from the perspective of the renderer; the sanitisation chain is therefore a primary output-encoding control for the platform.

Sanitisation chain (input β†’ output trust boundary)

analysis/daily/$DATE/$SUB/*.md          (untrusted AI authored markdown)
           β”‚
           β–Ό
gray-matter frontmatter extraction       (structural only β€” no HTML)
           β”‚
           β–Ό
unified + remark-parse + remark-gfm      (markdown β†’ MDAST)
           β”‚
           β–Ό
remark-rehype + rehype-raw               (MDAST β†’ HAST; raw HTML islands preserved)
           β”‚
           β–Ό
rehype-sanitize  ◄─── TRUST BOUNDARY     (allow-list enforcement)
           β”‚
           β–Ό
rehype-slug + rehype-autolink-headings   (stable anchors for TOC)
           β”‚
           β–Ό
rehype-stringify                         (HAST β†’ serialised HTML)
           β”‚
           β–Ό
scripts/render-lib/chrome.ts             (JSON-LD NewsArticle, SEO, lang switcher)
           β”‚
           β–Ό
news/$DATE-$SUB-{en,sv}.html             (trusted output)

rehype-sanitize allow-list

The sanitiser is configured with an explicit allow-list (schema) rather than a blocklist. Only these elements and attributes survive the boundary:

CategoryAllowedRationale
Block textp, h1–h6, blockquote, pre, hrStandard article structure
Inline text`a[hreftitle
Listsul, ol, liMarkdown lists
Tablestable, thead, tbody, tr, th[scope], td, captionGFM tables (accessibility-aware)
Images`img[srcalt
Figuresfigure, figcaptionDiagram captions and accessible text equivalents
Disclosuredetails, summaryMermaid diagram source fallback (WCAG 2.1 AA text equivalent)
Extensionpre.mermaidClient-side Mermaid rendering β€” see below

URL-bearing attributes (href, src) are filtered to the following schemes: http:, https:, mailto:, plus data:image/{png,jpeg,gif,webp,svg+xml} for embedded images only. Rejected: javascript:, vbscript:, non-image data:, file:, chrome:, and all other URI schemes.

Explicitly rejected elements (removed without error so AI-authored content cannot escape the sandbox): script, iframe, object, embed, form, input, button, style, link, meta, base, applet, frame, frameset, and every on* event handler attribute.

Mermaid client-side rendering trust boundary

Mermaid diagrams are the only HTML extension permitted past the sanitiser. They are handled as follows:

  1. Source β€” a ```mermaid fenced block in the .md artifact is passed through by remark-parse as a code node with lang: mermaid.
  2. Transform β€” the renderer emits the node as <pre class="mermaid">…source…</pre> so the sanitiser's pre[class|lang] rule lets it through.
  3. Accessibility wrapping β€” each Mermaid block is wrapped in <figure> with a <figcaption> and a <details>-wrapped plain-text fallback containing the source (WCAG 2.1 AA text equivalent).
  4. Render-time β€” scripts/render-lib/chrome.ts conditionally injects <script type="module" src="/js/lib/mermaid-init.mjs"></script> only when at least one <pre class="mermaid"> survived sanitisation.
  5. Runtime sandboxing β€” mermaid-init.mjs imports Mermaid via native ESM dynamic import() and calls mermaid.initialize({ startOnLoad: false, securityLevel: 'strict' }). securityLevel: 'strict' disables Mermaid's own click-handler and interaction features, so a malicious Mermaid diagram cannot execute JavaScript even if the DSL is exploited.
  6. CSP β€” the global Content-Security-Policy forbids 'unsafe-eval'. Mermaid's strict-mode parser does not require eval; this has been validated and is documented in the deployment runbook.

The trust boundary is therefore: AI β†’ markdown β†’ Mermaid DSL β†’ SVG β€” never AI β†’ JavaScript.

Relative markdown links inside aggregated artifacts (e.g. [methodology](../methodologies/devils-advocate.md)) would resolve against news/ in the published output and 404. The aggregator rewrites every relative .md, .json, and .html link to an absolute https://github.com/Hack23/riksdagsmonitor/blob/main/… URL before the sanitiser sees them. This is an output-encoding control: it removes a broken-link class and pins every citation to a content-addressable GitHub blob URL that serves as the provenance chain.

Provenance manifest (tamper detection)

The aggregator emits a .manifest.json sibling to each article.md listing every source artifact consumed, with a SHA-256 digest:

{
  "article": "analysis/daily/2026-04-24/propositions/article.md",
  "generated_at": "2026-04-24T04:12:31Z",
  "sources": [
    { "path": "analysis/daily/2026-04-24/propositions/executive-brief.md", "sha256": "…" },
    { "path": "analysis/daily/2026-04-24/propositions/synthesis.md",        "sha256": "…" },
    { "path": "analysis/methodologies/devils-advocate.md",                   "sha256": "…" }
  ]
}

The renderer emits the manifest contents into the NewsArticle.citation[] JSON-LD block, giving downstream consumers a cryptographic evidence chain: every claim in the HTML can be traced back to a specific SHA-256 of a specific markdown artifact at a specific timestamp.

Control Mapping:

  • ISO 27001:2022 A.8.28 (Secure coding) β€” allow-list sanitisation, explicit trust boundary, output encoding
  • ISO 27001:2022 A.8.25 (Secure development life cycle) β€” sanitiser schema is version-controlled and covered by dedicated unit tests
  • NIST CSF 2.0 PR.DS-6 (Integrity checking mechanisms) β€” SHA-256 manifest; drift detection at render time
  • NIST CSF 2.0 PR.PS-06 (Secure software development practices) β€” CI gate on sanitisation drops
  • CIS Controls v8.1 16.10 (Apply Secure Design Principles in Application Architectures) β€” input validation and output encoding at every trust boundary
  • CIS Controls v8.1 16.11 (Leverage Vetted Modules or Services) β€” unified/remark/rehype/gray-matter are vetted, pinned, and Dependabot-grouped

2.6 Monitoring & Logging

Security Monitoring:

  • GitHub Security Features:
    • Dependabot alerts for dependency vulnerabilities
    • Secret scanning for exposed credentials
    • Code scanning (CodeQL) for security issues
    • Security advisories tracking

Audit Logging:

  • Git Commit History: Immutable audit trail of all changes
  • GitHub Actions Logs: CI/CD pipeline execution logs
  • GitHub Audit Log: Organization-level access and change logs

Alert Mechanisms:

  • GitHub Security Advisories
  • Email notifications for security events
  • Pull request checks for quality gates

Control Mapping:

  • ISO 27001: A.12.4 Logging and Monitoring
  • NIST CSF 2.0: DE.CM-1 (The network is monitored)
  • CIS Controls v8.1: 8.2 (Collect Audit Logs)

2.7 Incident Response

Security Incident Procedures:

  1. Detection: GitHub security alerts, Dependabot, manual reporting
  2. Containment: Disable GitHub Pages, revert commits if needed
  3. Investigation: Review Git history, GitHub Actions logs
  4. Remediation: Apply security patches, update dependencies
  5. Recovery: Re-deploy verified secure version
  6. Lessons Learned: Update SECURITY_ARCHITECTURE.md and THREAT_MODEL.md

Incident Response Team:

  • Security Lead: James Pether SΓΆrling (CISSP, CISM)
  • Repository Owners: Hack23 organization admins
  • Escalation: Follow Hack23 ISMS Incident Response Plan

Control Mapping:

  • ISO 27001: A.16.1 Management of Information Security Incidents
  • NIST CSF 2.0: RS.CO-1 (Personnel know their roles and order of operations)
  • CIS Controls v8.1: 17.1 (Designate Personnel to Manage Incident Handling)

2.8 Release Security & Supply Chain Protection

SLSA Build Provenance Attestations:

  • Framework: SLSA (Supply Chain Levels for Software Artifacts) Level 2+
  • Implementation: GitHub Actions Attestations (actions/attest-build-provenance@v3.2.0)
  • Purpose: Cryptographically prove artifacts were built by trusted CI/CD pipeline
  • Verification: gh attestation verify riksdagsmonitor-vX.Y.Z.zip -R Hack23/riksdagsmonitor
  • Format: in-toto attestations (*.intoto.jsonl)

Software Bill of Materials (SBOM):

  • Format: SPDX (Software Package Data Exchange)
  • Generator: Anchore SBOM Action (anchore/sbom-action@v0.22.2)
  • Contents: Complete dependency inventory with versions and licenses
  • Attestation: SBOM also cryptographically signed (actions/attest-sbom@v3.0.0)
  • Purpose: Vulnerability tracking, license compliance, supply chain transparency
  • External MCP supplement: package.json x-external-mcp field records MCP servers outside the npm graph (Python, Docker, HTTP). It is currently empty β€” all economic-data clients (World Bank, SCB, IMF) ship as npm TypeScript (scripts/world-bank-client.ts, scripts/scb-client.ts, scripts/imf-client.ts) and are fully covered by the standard SPDX SBOM; see THREAT_MODEL.md TB-6a for the IMF client's threat model.

External Data Providers (parity across the three primary economic sources):

ProviderIntegrationTransport / HostsClassificationControls
SCB (Statistics Sweden)scb-mcp (local @jarib/pxweb-mcp@2.0.0)HTTPS (TLS 1.3) β†’ api.scb.se/OV0104/v2betaPublicEgress allowlist; MCP tool allow-list; graceful fallback; no auth
World Bankworld-bank-mcp (local worldbank-mcp@1.0.1) + scripts/world-bank-client.tsHTTPS (TLS 1.3) β†’ data.worldbank.org, api.worldbank.orgPublicEgress allowlist; npm SBOM coverage; response schema validation; no auth
IMF (new β€” ADR 0001)Pure-TypeScript client scripts/imf-client.ts (not MCP)HTTPS (TLS 1.3) β†’ data.imf.org, api.imf.org, www.imf.org (Datamapper JSON + SDMX 3.0)PublicEgress allowlist; npm SBOM coverage; DatamapperResponse schema + finite-numeric + year parse-guard validation; .meta.json tamper-evident cache sidecars under analysis/data/imf/; 3Γ— exponential back-off for rate-limit; graceful fallback; no auth

All three providers share: GitHub-runner root CA trust anchors, public-data classification, no API key, and optional-enrichment semantics (failure never blocks article generation or site availability).

Release Pipeline Security (3-job workflow):

  1. Prepare Job (15-20min):

    • Run comprehensive test suite (unit + E2E)
    • Generate all documentation (API, coverage, E2E reports, dependencies)
    • Deploy docs to GitHub Pages
    • Security: Read-only permissions, harden-runner enabled
  2. Build Job (5min):

    • Build production artifacts
    • Generate SBOM in SPDX format
    • Create SLSA Build Provenance attestation
    • Create SBOM attestation
    • Generate SHA-256 checksums
    • Security: Minimal write permissions (contents: write, attestations: write, id-token: write)
  3. Release Job (5-10min):

    • Create GitHub Release with all artifacts
    • Deploy to AWS S3/CloudFront (OIDC authentication)
    • Deploy to GitHub Pages (disaster recovery)
    • Invalidate CloudFront cache
    • Security: OIDC for AWS (no long-lived credentials), least-privilege IAM roles

Release Artifacts (per version):

  • riksdagsmonitor-vX.Y.Z.zip - Production build
  • riksdagsmonitor-vX.Y.Z.zip.sha256 - Integrity checksum
  • riksdagsmonitor-vX.Y.Z.spdx.json - SBOM
  • riksdagsmonitor-vX.Y.Z.zip.intoto.jsonl - Build provenance attestation
  • riksdagsmonitor-vX.Y.Z.spdx.json.intoto.jsonl - SBOM attestation

Documentation as Code: All technical reports automatically generated and committed to docs/ on each release:

  • docs/api/ - JSDoc API documentation
  • docs/coverage/ - Vitest test coverage (HTML + lcov)
  • docs/test-results/ - Vitest test results (JSON + HTML)
  • docs/cypress/ - Cypress E2E test reports
  • docs/dependencies/ - npm dependency tree (JSON + TXT)
  • docs/index.html - Documentation hub (cyberpunk-themed)

Verification Procedures:

# Verify build provenance attestation
gh attestation verify riksdagsmonitor-vX.Y.Z.zip -R Hack23/riksdagsmonitor

# Verify SBOM attestation
gh attestation verify riksdagsmonitor-vX.Y.Z.spdx.json -R Hack23/riksdagsmonitor

# Verify artifact integrity
sha256sum -c riksdagsmonitor-vX.Y.Z.zip.sha256

Control Mapping:

  • ISO 27001: A.8.30 (Secure coding), A.8.32 (Change management), A.14.2 (Security in development)
  • NIST CSF 2.0: PR.DS-6 (Integrity verification mechanisms), ID.SC-3 (Supply chain risk assessment)
  • CIS Controls v8.1: 16.6 (Application software security), 16.10 (Vulnerability remediation)

For complete release process documentation, see RELEASE_PROCESS.md and WORKFLOWS.md.

3. πŸ“‹ Compliance Mapping

3.1 ISO 27001:2022 Controls

ControlImplementationStatus
A.8.2Information classification scheme, data inventory, handling controlsβœ… Implemented
A.9.2GitHub MFA, SSH keys, GPG signingβœ… Implemented
A.9.4Repository permissions, least privilegeβœ… Implemented
A.10.1TLS 1.3, HTTPS-only, encryption at restβœ… Implemented
A.12.4Git history, GitHub audit logs, AWS CloudTrailβœ… Implemented
A.13.1AWS infrastructure, security headersβœ… Implemented
A.14.2Dependabot, CodeQL scanningβœ… Implemented
A.16.1Incident response proceduresβœ… Implemented

3.2 NIST CSF 2.0 Categories

FunctionCategoryImplementation
GOVERNAsset ManagementInformation classification scheme, data inventory
IDENTIFYAsset ManagementGitHub repository, static assets, data sources
PROTECTAccess ControlGitHub authentication, MFA, AWS OIDC
PROTECTData SecurityTLS 1.3, HTTPS-only, encryption at rest
DETECTSecurity MonitoringDependabot, CodeQL, secret scanning
RESPONDIncident ResponseDocumented procedures, escalation paths
RECOVERRecovery PlanningGit rollback, S3 versioning, multi-region replication

3.3 CIS Controls v8.1

IGControlImplementation
IG13.1 Establish Data ManagementInformation classification policy, data inventory
IG13.10 Encrypt Data in TransitTLS 1.3, HTTPS-only
IG15.1 Account InventoryGitHub organization audit
IG18.2 Collect Audit LogsGit history, GitHub Actions logs, AWS CloudTrail
IG26.8 Role-Based Access ControlGitHub repository permissions, AWS IAM
IG213.1 Security Event AlertingGitHub security alerts, AWS CloudWatch
IG216.1 Secure DevelopmentStatic site with reduced injection surface; mitigated via CSP/SRI/safe DOM handling; secure CI/CD

4. πŸ›‘οΈ Security Controls Summary

4.1 Preventive Controls

  1. Access Control:

    • GitHub MFA requirement
    • SSH key authentication with passphrase
    • GPG commit signing
    • Branch protection rules
    • AWS OIDC authentication (no long-lived credentials)
  2. Network Security:

    • HTTPS-only access (TLS 1.3)
    • Security headers (CSP, HSTS, X-Frame-Options, Permissions-Policy)
    • AWS CloudFront DDoS protection (AWS Shield Standard)
    • Route 53 health checks and automatic failover
    • GitHub infrastructure DDoS protection (DR)
  3. Development Security:

    • HTML/CSS/JavaScript with Chart.js and D3.js
    • CSP headers with SRI for CDN resources
    • No user input processing (display CIA data only)
    • Dependency scanning via GitHub Dependabot alerts
    • Code quality checks in CI/CD (HTMLHint, linkinator)
    • CIA data validation against JSON schemas

4.2 Detective Controls

  1. Security Monitoring:

    • Dependabot vulnerability alerts
    • Secret scanning
    • CodeQL static analysis
    • GitHub audit logs
  2. Quality Checks:

    • HTML validation (HTMLHint)
    • Link checking (linkinator)
    • Automated CI/CD pipeline checks

4.3 Corrective Controls

  1. Incident Response:

    • Documented procedures
    • Git rollback capability
    • Rapid re-deployment via GitHub Actions
  2. Patch Management:

    • Dependabot automatic updates
    • Rapid deployment via GitHub Actions
    • Version control for rollback

5. πŸ“ Security Assumptions and Constraints

5.1 Assumptions

  1. AWS Infrastructure: Trusted cloud provider with robust security
  2. GitHub Infrastructure: Trusted cloud provider with robust security (DR)
  3. Client-Side Security: Chart.js/D3.js libraries are secure, maintained, and hosted locally on CloudFront
  4. CloudFront Security: AWS CloudFront is trusted for static asset delivery with 99.9% SLA
  5. Public Data: All content is public information (Swedish Riksdag open data)
  6. External Dependencies: CIA platform (www.hack23.com/cia) maintains its own security
  7. Browser Security: Users have modern browsers with JavaScript enabled

5.2 Constraints

  1. AWS Infrastructure Limitations:

    • S3 static website limitations (no server-side code execution)
    • CloudFront caching behavior (potential stale content)
    • Cost constraints for high traffic scenarios
  2. GitHub Pages Limitations (DR):

    • No server-side code execution
    • No database access
    • Limited customization of HTTP headers
    • Fixed infrastructure (cannot modify underlying OS)
  3. Client-Side JavaScript Limitations:

    • Requires JavaScript enabled in browser
    • CSP 'unsafe-inline' needed for Chart.js/D3.js
    • Browser compatibility requirements (ES6+)
    • Limited control over client execution environment

6. ⚠️ Risk Assessment

6.1 Residual Risks

RiskLikelihoodImpactMitigation
AWS CloudFront/S3 OutageLowMediumGitHub Pages DR, documented failover
GitHub Platform Outage (DR)LowLowAWS primary handles traffic
DDoS Attack on AWSLowLowAWS Shield Standard, CloudFront protection
XSS via Chart.js/D3.jsLowMediumCSP headers, locally-hosted libraries (no external CDN), quarterly version reviews
Compromised GitHub AccountLowHighMFA, SSH keys, GPG signing
Chart.js/D3.js VulnerabilityMediumMediumLocally-hosted libraries with quarterly/CVE version reviews, deployment-time integrity verification, rapid version updates
CIA Data InjectionLowMediumSchema validation, local CSV caching
Content DefacementLowMediumGit rollback, branch protection, dual deployment
DNS Hijacking via Route 53Very LowHighDNSSEC (planned), IAM least privilege

6.2 Accepted Risks

  1. Client-Side JavaScript: Acceptable for interactive dashboards with CSP and SRI
  2. AWS Platform Dependency: Acceptable given AWS's security posture and GitHub Pages DR
  3. GitHub Platform Dependency (DR): Acceptable with AWS as primary
  4. External CIA Platform Dependency: Acceptable with documented availability in THREAT_MODEL.md
  5. CSP 'unsafe-inline': Acceptable for Chart.js/D3.js dashboard rendering (future: nonce-based CSP)

7. πŸ›οΈ Security Governance

7.1 Roles and Responsibilities

RoleResponsibility
Security ArchitectOverall security architecture and compliance
Repository OwnersAccess control, security monitoring
ContributorsSecure coding practices, MFA compliance
CISO (James Pether SΓΆrling)ISMS oversight, incident escalation

7.2 Review and Update Schedule

  • Security Architecture Review: Annual or after major changes
  • Threat Model Update: Quarterly or after incidents
  • Dependency Updates: Automated via Dependabot (weekly)
  • Access Control Review: Quarterly

8. βœ… Approval

RoleNameDateSignature
Security ArchitectJames Pether SΓΆrling, CISSP, CISM2026-02-10[Digital Signature]
Repository OwnerHack23 AB2026-02-10[Approved via Git Commit]


πŸ›‘οΈ Defense-in-Depth Strategy

Riksdagsmonitor implements a comprehensive defense-in-depth security strategy with six overlapping layers of protection. Each layer provides independent security controls, ensuring that compromise of a single layer does not result in complete system failure.

Security Layers

graph TB
    subgraph "Layer 6: Monitoring & Response"
        L6A[GitHub Security Alerts]
        L6B[AWS CloudWatch]
        L6C[Dependabot Monitoring]
        L6D[Incident Response Team]
    end
    
    subgraph "Layer 5: CI/CD Security"
        L5A[CodeQL SAST]
        L5B[Dependabot Updates]
        L5C[Secret Scanning]
        L5D[SLSA Attestations]
        L5E[step-security/harden-runner]
    end
    
    subgraph "Layer 4: Data Protection"
        L4A[TLS 1.3 Transit]
        L4B[AES-256 At Rest]
        L4C[S3 Versioning]
        L4D[Cross-Region Replication]
    end
    
    subgraph "Layer 3: Access Control"
        L3A[GitHub MFA]
        L3B[SSH Keys + Passphrase]
        L3C[GPG Commit Signing]
        L3D[AWS OIDC ephemeral credentials]
    end
    
    subgraph "Layer 2: Application Security"
        L2A[Content Security Policy]
        L2B[HSTS Headers]
        L2C[Subresource Integrity]
        L2D[XSS Protection]
    end
    
    subgraph "Layer 1: Network Security"
        L1A[AWS CloudFront CDN]
        L1B[AWS Shield Standard]
        L1C[AWS WAF on CloudFront (planned)]
        L1D[GitHub Infrastructure DR]
    end
    
    User[πŸ‘€ User/Attacker] --> L1A
    User -.->|DR Failover| L1D
    L1A --> L2A
    L2A --> L3A
    L3A --> L4A
    L4A --> L5A
    L5A --> L6A
    
    style User fill:#ff6b6b,color:#000000
    style L1A fill:#51cf66,color:#000000
    style L2A fill:#4dabf7,color:#000000
    style L3A fill:#ffd43b,color:#000000
    style L4A fill:#ff8787,color:#000000
    style L5A fill:#da77f2,color:#000000
    style L6A fill:#20c997,color:#000000

Layer 1: Network Security (Perimeter Defense)

Purpose: Protect against network-level attacks (DDoS, volumetric attacks, malicious traffic).

ControlTechnologyPurposeStatus
CDN ProtectionAWS CloudFront (600+ edge locations)Distribute traffic, absorb attacksβœ… Active
DDoS MitigationAWS Shield StandardAutomatic protection against common attacksβœ… Active
DNS ProtectionAWS Route 53 with health checksPrevent DNS-based attacks, enable failoverβœ… Active
Geographic FilteringCloudFront geo-restrictions capabilityBlock traffic from high-risk regions (configurable)πŸ”§ Available
Rate LimitingAWS WAF (planned 2027 Q2)Prevent abuse, scraping, brute forceπŸ“… Roadmap
DR InfrastructureGitHub Pages CDNIndependent infrastructure for resilienceβœ… Active

ISO 27001: A.13.1 (Network Security Management)
NIST CSF 2.0: PR.AC-5 (Network integrity protected)
CIS Controls v8.1: 13.1 (Centralize security event alerting)


Layer 2: Application Security (HTTP Defense)

Purpose: Protect against web application attacks (XSS, clickjacking, MIME sniffing).

ControlImplementationPurposeStatus
Content Security Policydefault-src 'self'; script-src 'self' 'unsafe-inline'Mitigate XSS attacksβœ… Active
HTTP Strict Transport Securitymax-age=31536000; includeSubDomainsEnforce HTTPS-onlyβœ… Active
X-Frame-OptionsDENYPrevent clickjackingβœ… Active
X-Content-Type-OptionsnosniffPrevent MIME sniffingβœ… Active
Referrer Policystrict-origin-when-cross-originControl referrer informationβœ… Active
Permissions PolicyDisable geolocation, microphone, cameraMinimize browser permissionsβœ… Active
Subresource IntegrityPlanned: SHA-384 hashes for third-party/CDN assets and critical local librariesVerify resource integrityπŸ”„ Planned

Note: CSP style-src includes 'unsafe-inline' for Chart.js/D3.js inline styles; script-src uses 'self' plus per-script sha256 hashes (no 'unsafe-inline' for scripts).

ISO 27001: A.14.2 (Security in development and support)
NIST CSF 2.0: PR.IP-12 (Vulnerability management plan)
CIS Controls v8.1: 16.1 (Secure application development process)


Layer 3: Access Control (Identity & Authorization)

Purpose: Ensure only authorized entities can modify code or infrastructure.

ControlImplementationScopeStatus
Multi-Factor AuthenticationGitHub MFA mandatoryAll contributorsβœ… Enforced
SSH Key AuthenticationPassphrase-protected keysGit operationsβœ… Enforced
GPG Commit SigningVerified commits requiredAll commits to mainβœ… Enforced
AWS OIDCEphemeral credentials (no long-lived keys)CI/CD AWS deploymentsβœ… Active
Branch ProtectionRequire reviews, status checksmain branchβœ… Active
Least Privilege IAMMinimal S3/CloudFront permissionsAWS resourcesβœ… Active
Repository PermissionsRBAC: Admin/Write/Read rolesGitHub accessβœ… Active

ISO 27001: A.9.2 (User access management), A.9.4 (System access control)
NIST CSF 2.0: PR.AC-1 (Identities and credentials managed), PR.AC-4 (Access permissions managed)
CIS Controls v8.1: 5.1 (Account inventory), 6.8 (Role-based access control)


Layer 4: Data Protection (Confidentiality & Integrity)

Purpose: Protect data in transit and at rest; enable recovery from data loss.

ControlTechnologyScopeStatus
TLS 1.3 EncryptionAWS CloudFront + GitHub PagesAll traffic in transitβœ… Active
AES-256 EncryptionS3 server-side encryptionData at rest (S3)βœ… Active
S3 VersioningEnabled on all bucketsRollback capabilityβœ… Active
Cross-Region Replicationus-east-1 β†’ eu-west-1 (<15 min)Disaster recovery, data durabilityβœ… Active
GitHub Secrets EncryptionLibsodium sealed boxesCI/CD secretsβœ… Active
Immutable Git HistoryCryptographic commit chainAudit trailβœ… Active
GPG SigningVerified commitsCommit integrityβœ… Active

RPO (Recovery Point Objective): <15 minutes (S3 cross-region replication)
RTO (Recovery Time Objective): <15 minutes (AWS primary), <30 minutes (GitHub Pages DR)

ISO 27001: A.10.1 (Cryptographic controls)
NIST CSF 2.0: PR.DS-1 (Data-at-rest protected), PR.DS-2 (Data-in-transit protected)
CIS Controls v8.1: 3.10 (Encrypt data in transit)


Layer 5: CI/CD Security (Supply Chain Protection)

Purpose: Prevent introduction of vulnerabilities during development and deployment.

ControlToolFrequencyStatus
SAST ScanningCodeQLEvery PRβœ… Active
Dependency ScanningDependabotDailyβœ… Active
Secret ScanningGitHub Secret ScanningEvery pushβœ… Active
SLSA AttestationsGitHub Attestations (Build Provenance + SBOM)Every releaseβœ… Active
Workflow Hardeningstep-security/harden-runnerEvery workflow runβœ… Active
SBOM GenerationAnchore SBOM Action (SPDX format)Every releaseβœ… Active
Automated UpdatesDependabot PRsWeeklyβœ… Active
Code ReviewRequired reviewersEvery PRβœ… Active

Supply Chain Security Level: SLSA Level 2+ (cryptographically signed build provenance)

ISO 27001: A.8.30 (Secure coding), A.8.32 (Change management), A.14.2 (Security in development)
NIST CSF 2.0: PR.DS-6 (Integrity verification), ID.SC-3 (Supply chain risk assessment)
CIS Controls v8.1: 16.6 (Application software security), 16.10 (Vulnerability remediation)


Layer 6: Monitoring & Response (Detection & Recovery)

Purpose: Detect security events, respond to incidents, and continuously improve security posture.

ControlToolDetection TypeStatus
Security AlertsGitHub Security AdvisoriesCVE notificationsβœ… Active
Dependency AlertsDependabotVulnerable dependenciesβœ… Active
Code VulnerabilitiesCodeQLSAST findingsβœ… Active
Secret ExposureGitHub Secret ScanningLeaked credentialsβœ… Active
Infrastructure MonitoringAWS CloudWatchPerformance & availabilityβœ… Active
Audit LoggingGitHub Audit Log + AWS CloudTrailAccess & change trackingβœ… Active
Incident ResponseDocumented procedures (Β§2.7)Security event handlingβœ… Active

Mean Time to Detect (MTTD): <24 hours (automated scanning)
Mean Time to Respond (MTTR): Critical: 24h, High: 7d, Medium: 30d, Low: 90d (see Β§Vulnerability Management)

ISO 27001: A.12.4 (Logging and monitoring), A.16.1 (Incident management)
NIST CSF 2.0: DE.CM-1 (Network monitored), RS.CO-1 (Personnel know roles)
CIS Controls v8.1: 8.2 (Collect audit logs), 17.1 (Designate incident handling personnel)


πŸ“œ Data Integrity & Auditing

Riksdagsmonitor maintains comprehensive data integrity controls and immutable audit trails to ensure trustworthiness of all content and changes.

Git Commit Integrity

MechanismImplementationPurposeStatus
GPG Commit SigningAll commits to main branch must be signedVerify author identityβœ… Enforced
Verified CommitsGitHub "Verified" badge on signed commitsVisual indicator of authenticityβœ… Active
Cryptographic ChainSHA-256 commit hashes form immutable chainPrevent history tamperingβœ… Active
Branch ProtectionRequire signed commits for mainPolicy enforcementβœ… Active

Verification Command:

git log --show-signature main
# or verify specific commit:
git verify-commit <commit-sha>

SLSA Build Provenance Attestations

Framework: SLSA (Supply Chain Levels for Software Artifacts) Level 2+
Purpose: Cryptographically prove artifacts were built by trusted CI/CD pipeline without tampering

ArtifactAttestation TypeVerification Command
riksdagsmonitor-vX.Y.Z.zipBuild Provenancegh attestation verify riksdagsmonitor-vX.Y.Z.zip -R Hack23/riksdagsmonitor
riksdagsmonitor-vX.Y.Z.spdx.jsonSBOM Attestationgh attestation verify riksdagsmonitor-vX.Y.Z.spdx.json -R Hack23/riksdagsmonitor

Attestation Format: in-toto (*.intoto.jsonl) - industry-standard supply chain metadata format

What SLSA Attestations Prove:

  1. βœ… Artifact was built by specific GitHub Actions workflow
  2. βœ… Build occurred in isolated GitHub runner environment
  3. βœ… No unauthorized modifications during build process
  4. βœ… Build inputs (source code commit SHA) are traceable
  5. βœ… Build outputs (artifacts) match declared provenance

Immutable Audit Trail

Log SourceRetentionScopeAccess
Git Commit HistoryPermanentAll code/content changesPublic (GitHub)
GitHub Audit Log90 days (free), 180 days (Enterprise)Org access, permission changesOrg admins
GitHub Actions Logs90 daysCI/CD workflow executionRepo admins
AWS CloudTrail90 daysAPI calls, IAM actions, S3 operationsAWS account admins
AWS CloudFront Access Logs90 daysHTTP requests, errors, traffic patternsAWS account admins

Integrity Verification

SHA-256 Checksums: Every release includes .sha256 file for artifact integrity verification

# Verify artifact integrity
sha256sum -c riksdagsmonitor-vX.Y.Z.zip.sha256

SBOM Integrity: Software Bill of Materials (SPDX format) cryptographically signed with SLSA attestation

  • Tracks all dependencies (name, version, license)
  • Enables vulnerability tracking across supply chain
  • Supports license compliance audits

ISO 27001: A.12.4 (Logging and monitoring), A.8.32 (Change management)
NIST CSF 2.0: PR.DS-6 (Integrity checking mechanisms)
CIS Controls v8.1: 8.2 (Collect audit logs), 8.5 (Collect detailed audit logs)


πŸ” Security Event Monitoring

Riksdagsmonitor implements continuous security monitoring with automated alerting and response workflows.

GitHub Security Features

FeatureDetection ScopeAlert MechanismAuto-Remediation
Dependabot Alertsnpm/GitHub Actions dependency vulnerabilitiesEmail + GitHub UIAutomated PRs for patches
Secret ScanningHardcoded credentials, API keys, tokensEmail + GitHub UI + Block pushManual rotation required
CodeQL ScanningSAST vulnerabilities (CWE-top 25)PR checks + GitHub UIManual code fix required
Security AdvisoriesCVEs affecting repositoryEmail + GitHub UIReview + response

Alert Severity Classification

SeverityCVSS ScoreResponse SLANotificationAuto-Actions
Critical9.0-10.024 hoursEmail + SlackDependabot PR (if available)
High7.0-8.97 daysEmail + SlackDependabot PR (if available)
Medium4.0-6.930 daysEmail weekly digestDependabot PR (if available)
Low0.1-3.990 daysEmail monthly digestDependabot PR (if available)

AWS CloudWatch Monitoring

Metrics Monitored:

  • CloudFront: Request count, error rates (4xx, 5xx), cache hit ratio, origin latency
  • S3: Bucket size, request metrics, replication lag
  • Route 53: Health check status, DNS query count, failover events

Alerting Thresholds:

  • CloudFront 5xx error rate >5% for 5 minutes β†’ PagerDuty alert
  • S3 replication lag >30 minutes β†’ Email alert
  • Route 53 health check failure (3 consecutive) β†’ Automatic DNS failover to GitHub Pages

Security Event Correlation

Event Types Tracked:

  1. Access Events: GitHub login, SSH key usage, AWS console access
  2. Change Events: Git commits, AWS resource modifications, DNS changes
  3. Security Events: Failed authentication, unauthorized access attempts, security scan findings
  4. Availability Events: Service outages, health check failures, high error rates

Correlation Analysis:

  • Multiple failed login attempts + successful login β†’ Potential account compromise
  • Unusual git commit pattern (time/frequency) β†’ Investigate for compromise
  • Spike in 5xx errors + CloudFront origin health check failure β†’ Trigger failover

ISO 27001: A.12.4 (Logging and monitoring), A.16.1 (Incident management)
NIST CSF 2.0: DE.CM-1 (Network monitored), DE.AE-3 (Event data aggregated and analyzed)
CIS Controls v8.1: 8.2 (Collect audit logs), 13.1 (Centralize security event alerting)


πŸ—οΈ High Availability Design

Riksdagsmonitor implements dual-deployment architecture with automatic failover to achieve 99.9%+ availability SLA.

Architecture Overview

graph TB
    User[πŸ‘€ User Request]
    
    subgraph "DNS Layer"
        Route53[AWS Route 53<br/>Health Checks + Failover]
    end
    
    subgraph "Primary Deployment - AWS"
        CF[CloudFront CDN<br/>600+ Edge Locations<br/>SLA: 99.9%]
        S3US[S3 us-east-1<br/>Primary Origin<br/>SLA: 99.99%]
        S3EU[S3 eu-west-1<br/>Failover Origin<br/>SLA: 99.99%]
        
        CF -->|Cache Miss| S3US
        CF -.->|Origin Failover<br/>on 5xx errors| S3EU
        S3US -.->|Async Replication<br/>RPO: <15 min| S3EU
    end
    
    subgraph "Disaster Recovery - GitHub"
        GHCDN[GitHub Pages CDN<br/>SLA: 99.9%]
        GHRepo[GitHub Repository<br/>main branch]
        
        GHCDN --> GHRepo
    end
    
    User --> Route53
    Route53 -->|Primary DNS| CF
    Route53 -.->|Failover DNS<br/>on health check failure| GHCDN
    
    style User fill:#e1f5ff,color:#000000
    style Route53 fill:#ff9800,color:#000000
    style CF fill:#4caf50,color:#000000
    style S3US fill:#2196f3,color:#ffffff
    style S3EU fill:#90caf9,color:#000000
    style GHCDN fill:#9c27b0,color:#ffffff
    style GHRepo fill:#673ab7,color:#ffffff

Availability Tiers

ComponentSLAMonthly DowntimeRedundancyStatus
AWS CloudFront99.9%43 minutes600+ edge locationsβœ… Primary
AWS S3 us-east-199.99%4.3 minutesMulti-AZ, versioningβœ… Primary
AWS S3 eu-west-199.99%4.3 minutesMulti-AZ, versioningβœ… Origin failover
GitHub Pages CDN99.9%43 minutesGlobal CDNβœ… DR failover
AWS Route 53100%0 minutes (SLA)Global anycast DNSβœ… Active-active

Composite Availability: 99.95%+ (accounting for dual-deployment failover)

Failover Scenarios

Failure ModeDetectionFailover MechanismRTORPOStatus
CloudFront Edge DegradationAutomatic (CloudFront routing)Route to nearest healthy edge<1 second0βœ… Automatic
S3 us-east-1 FailureCloudFront origin health (4xx/5xx)CloudFront fails over to S3 eu-west-1<30 seconds<15 minβœ… Automatic
AWS Region OutageRoute 53 health checks (3 failures)DNS failover to GitHub Pages<5 minutes<15 minβœ… Automatic
AWS Platform OutageRoute 53 health checks (3 failures)DNS failover to GitHub Pages<5 minutes<15 minβœ… Automatic
GitHub Pages DegradationNot applicable (DR only)N/A (AWS is primary)N/AN/AN/A

Recovery Objectives

MetricTargetActualNotes
RTO (Recovery Time Objective)<15 minutes<5 minutes (DNS failover)Time to restore service availability
RPO (Recovery Point Objective)<15 minutes<15 minutes (S3 replication)Maximum acceptable data loss
MTTR (Mean Time to Repair)<2 hoursVaries by issueTime to restore primary service
MTBF (Mean Time Between Failures)>720 hours (30 days)>2160 hours (90 days)Based on 99.9% SLA

Cross-Region Replication

Configuration:

  • Source: s3://riksdagsmonitor-us-east-1
  • Destination: s3://riksdagsmonitor-eu-west-1
  • Replication Mode: Asynchronous (near real-time)
  • Replication SLA: <15 minutes for 99.99% of objects
  • Replication Scope: All objects (HTML, CSS, JS, images, data files)

Replication Monitoring:

  • S3 Replication metrics in CloudWatch
  • Alert if replication lag >30 minutes
  • Daily verification of object count consistency

Disaster Recovery Testing

Test Schedule:

  • Monthly: Automated DNS failover test (non-production DNS record)
  • Quarterly: Full DR exercise with manual DNS failover to GitHub Pages
  • Annually: AWS region failure simulation (coordinated maintenance window)

Last DR Test: 2026-02-15 (GitHub Pages failover - Success, RTO: 4m 32s)
Next DR Test: 2026-05-15 (Full AWS→GitHub failover exercise)

ISO 27001: A.17.1 (Information security continuity), A.17.2 (Redundancies)
NIST CSF 2.0: RC.RP-1 (Recovery plan executed), RC.CO-3 (Recovery activities communicated)
CIS Controls v8.1: 11.1 (Establish and maintain data recovery), 11.5 (Establish and maintain an isolated recovery environment)


πŸ•΅οΈ Threat Detection & Investigation

Riksdagsmonitor implements comprehensive threat detection capabilities with defined investigation workflows.

Detection Capabilities

Threat CategoryDetection MethodToolsAlert SeverityStatus
Vulnerable DependenciesAutomated scanningDependabotCritical/High/Medium/Lowβœ… Active
Code VulnerabilitiesSAST analysisCodeQL (CWE-top 25)High/Medium/Lowβœ… Active
Exposed SecretsPattern matchingGitHub Secret ScanningCriticalβœ… Active
Supply Chain AttacksSBOM analysisAnchore + DependabotHighβœ… Active
Unauthorized AccessAuthentication logsGitHub Audit LogCriticalβœ… Active
Infrastructure AnomaliesMetrics analysisAWS CloudWatchMediumβœ… Active
DNS HijackingHealth checksRoute 53 monitoringCriticalβœ… Active
DDoS AttacksTraffic analysisAWS Shield StandardHighβœ… Active

Investigation Workflow

graph TB
    Alert[🚨 Security Alert Triggered]
    
    Alert --> Triage{Triage<br/>Is it valid?}
    
    Triage -->|False Positive| Dismiss[πŸ“ Document & Dismiss<br/>Update detection rules]
    Triage -->|Valid Threat| Assess{Assess<br/>Severity?}
    
    Assess -->|Critical| Immediate[πŸ”΄ Immediate Response<br/>24h SLA]
    Assess -->|High| Urgent[🟠 Urgent Response<br/>7d SLA]
    Assess -->|Medium| Scheduled[🟑 Scheduled Response<br/>30d SLA]
    Assess -->|Low| Backlog[🟒 Backlog<br/>90d SLA]
    
    Immediate --> Investigate
    Urgent --> Investigate
    Scheduled --> Investigate
    Backlog --> Investigate
    
    Investigate[πŸ” Investigate<br/>Scope & Impact] --> Contain[πŸ›‘οΈ Contain<br/>Limit damage]
    
    Contain --> Remediate[πŸ”§ Remediate<br/>Fix vulnerability]
    
    Remediate --> Verify[βœ… Verify<br/>Test fix]
    
    Verify --> Document[πŸ“„ Document<br/>Lessons learned]
    
    Document --> Close[βœ”οΈ Close Alert<br/>Update docs]
    
    Close --> Review{Requires<br/>Architecture Update?}
    
    Review -->|Yes| UpdateDocs[πŸ“ Update SECURITY_ARCHITECTURE.md<br/>and THREAT_MODEL.md]
    Review -->|No| End[🏁 End]
    
    UpdateDocs --> End
    Dismiss --> End
    
    style Alert fill:#ff6b6b,color:#000000
    style Immediate fill:#ff0000,color:#fff
    style Urgent fill:#ff6b6b,color:#000000
    style Scheduled fill:#ffd43b,color:#000000
    style Backlog fill:#51cf66,color:#000000
    style Contain fill:#4dabf7,color:#000000
    style Remediate fill:#da77f2,color:#000000
    style Verify fill:#20c997,color:#000000
    style End fill:#e9ecef,color:#000000

Investigation Procedures

1. Dependabot Vulnerability Alert

  • Trigger: New CVE affecting dependency
  • Investigation Steps:
    1. Review Dependabot alert details (CVSS score, affected versions, patch availability)
    2. Check if vulnerability is exploitable in Riksdagsmonitor context (e.g., unused code path)
    3. Assess impact to application functionality
    4. Verify patch availability and compatibility
  • Remediation: Accept Dependabot PR or manually update package.json / package-lock.json
  • Verification: Run npm audit, re-scan with Dependabot, test functionality
  • Documentation: Record the security fix in GitHub release notes and commit message

2. CodeQL Code Scanning Alert

  • Trigger: SAST finding in pull request or scheduled scan
  • Investigation Steps:
    1. Review CodeQL alert (CWE category, location, data flow)
    2. Analyze false positive likelihood (CodeQL has ~5-10% FP rate)
    3. Trace vulnerable code path from source to sink
    4. Assess exploitability (input vector, attacker control)
  • Remediation: Refactor code, add input validation, or dismiss if false positive with justification
  • Verification: Re-run CodeQL, confirm alert resolved
  • Documentation: If architecture change, update SECURITY_ARCHITECTURE.md

3. Secret Scanning Alert

  • Trigger: Pattern match for API key, token, or credential
  • Investigation Steps:
    1. Identify secret type and scope (GitHub token, AWS key, API key)
    2. Determine if secret is active or test/example data
    3. Check if secret has been used (GitHub audit log, AWS CloudTrail)
    4. Assess blast radius (what resources does secret access?)
  • Remediation: Rotate secret immediately, revoke old credential, update GitHub Secrets
  • Verification: Confirm old secret is revoked and new secret works
  • Documentation: Record incident in THREAT_MODEL.md, update access controls if needed

4. Infrastructure Anomaly (AWS)

  • Trigger: CloudWatch alarm (high error rate, latency spike, health check failure)
  • Investigation Steps:
    1. Check CloudFront metrics (error rates, cache hit ratio, origin latency)
    2. Review S3 access logs for suspicious patterns
    3. Analyze Route 53 query logs for DNS anomalies
    4. Check AWS CloudTrail for unauthorized API calls
  • Remediation: Varies by root cause (scale resources, fix configuration, block malicious IP)
  • Verification: Confirm metrics return to normal, health checks pass
  • Documentation: Update runbooks if new failure mode discovered

Threat Intelligence Sources

SourceTypeFrequencyPurpose
GitHub Security AdvisoriesCVE databaseReal-timeDependency vulnerabilities
NIST NVDCVE databaseDailyVulnerability research
OWASP Top 10Best practicesAnnualWeb application security
CWE Top 25Weakness patternsAnnualCode review focus areas
AWS Security BulletinsInfrastructure advisoriesReal-timeAWS-specific threats
MITRE ATT&CKThreat intelligenceQuarterlyThreat modeling (see THREAT_MODEL.md)

ISO 27001: A.16.1 (Management of information security incidents), A.12.4 (Logging and monitoring)
NIST CSF 2.0: DE.AE-2 (Detected events analyzed), DE.AE-5 (Incident alert thresholds established)
CIS Controls v8.1: 17.2 (Establish and maintain contact information), 17.4 (Establish and maintain incident response process)


πŸ”Ž Vulnerability Management

Riksdagsmonitor implements a risk-based vulnerability management program with defined Service Level Agreements (SLAs) for remediation.

Vulnerability Lifecycle

graph LR
    Detect[πŸ” Detect<br/>Scanner finds vulnerability] --> Triage{🎯 Triage<br/>Assess severity<br/>& exploitability}
    
    Triage -->|Critical| C[πŸ”΄ Critical<br/>24h SLA]
    Triage -->|High| H[🟠 High<br/>7d SLA]
    Triage -->|Medium| M[🟑 Medium<br/>30d SLA]
    Triage -->|Low| L[🟒 Low<br/>90d SLA]
    
    C --> Remediate[πŸ”§ Remediate<br/>Apply patch/fix]
    H --> Remediate
    M --> Remediate
    L --> Remediate
    
    Remediate --> Verify[βœ… Verify<br/>Re-scan & test]
    
    Verify --> Pass{Verification<br/>Passed?}
    
    Pass -->|Yes| Close[βœ”οΈ Close<br/>Document fix]
    Pass -->|No| Remediate
    
    Close --> Monitor[πŸ‘οΈ Monitor<br/>Continuous scanning]
    
    Monitor --> Detect
    
    style Detect fill:#4dabf7,color:#000000
    style C fill:#ff0000,color:#fff
    style H fill:#ff6b6b,color:#000000
    style M fill:#ffd43b,color:#000000
    style L fill:#51cf66,color:#000000
    style Remediate fill:#da77f2,color:#000000
    style Verify fill:#20c997,color:#000000
    style Close fill:#e9ecef,color:#000000

Remediation SLAs

SeverityCVSS ScoreResponse SLAFix SLAVerification SLATotal SLA
Critical9.0-10.04 hours20 hours4 hours24 hours
High7.0-8.924 hours5 days1 day7 days
Medium4.0-6.97 days21 days2 days30 days
Low0.1-3.930 days58 days2 days90 days

SLA Start: Clock starts when vulnerability is first detected by automated scanner or manually reported

SLA Pause Conditions:

  • Waiting for upstream patch (e.g., library maintainer)
  • Requires breaking change with deprecation period
  • Validated as false positive (requires CISO approval)

Severity Classification

Factors Considered:

  1. CVSS Base Score: Industry-standard severity metric
  2. Exploitability: Is there a known exploit? (EPSS score)
  3. Context: Is vulnerable code path reachable in Riksdagsmonitor?
  4. Impact: Confidentiality/Integrity/Availability impact
  5. Exposure: Public internet-facing vs. internal-only

Severity Adjustment Examples:

  • CVE-2024-12345 in lodash (CVSS 8.2 High): Downgraded to Medium if vulnerable function not used
  • CVE-2024-67890 in Chart.js (CVSS 5.5 Medium): Upgraded to High if actively exploited in the wild

Vulnerability Sources

ScannerTypeCoverageFrequencyStatus
DependabotSCA (Software Composition Analysis)npm packages, GitHub ActionsDailyβœ… Active
CodeQLSAST (Static Application Security Testing)JavaScript, HTMLEvery PR + weeklyβœ… Active
GitHub Secret ScanningCredential scanningGit history, new commitsEvery pushβœ… Active
npm auditSCAnpm packagesEvery CI runβœ… Active
Manual Code ReviewHuman reviewAll code changesEvery PRβœ… Active

Remediation Strategies

StrategyUse CaseProsConsPreference
Update DependencyPatch availableFast, low riskMay introduce breaking changes⭐⭐⭐⭐⭐ Preferred
Pin Older VersionPatch not available, regression riskStable, fastAccumulates technical debt⭐⭐ Last resort
Refactor CodeArchitectural issueEliminates root causeTime-consuming⭐⭐⭐⭐ Long-term fix
WorkaroundBlocking issue, patch unavailableUnblocks developmentTechnical debt⭐⭐⭐ Temporary
Accept RiskFalse positive, minimal impactNo work requiredRequires CISO approval⭐ Exception only

Patch Management Process

Automated Patching (Dependabot):

  1. Dependabot detects new patch version
  2. Dependabot opens PR with changelogs and test results
  3. CI/CD runs automated tests
  4. If tests pass, PR auto-merged (for minor/patch versions)
  5. If tests fail, manual review required

Manual Patching:

  1. Security team reviews vulnerability details
  2. Create fix branch: security/CVE-YYYY-NNNNN
  3. Apply fix (update dependency, refactor code, apply workaround)
  4. Run full test suite (unit + E2E)
  5. Record the security fix in GitHub release notes and commit message
  6. Create PR with "Security Fix" label
  7. Fast-track review (bypass normal review queue for Critical/High)
  8. Merge to main and deploy immediately

Zero-Day Response:

  1. CISO notified immediately (email + phone)
  2. Assess blast radius and exploitability
  3. If critical: Disable GitHub Pages temporarily (rollback to safe version)
  4. Apply emergency fix within 24h
  5. Deploy hotfix release (vX.Y.Z+1)
  6. Conduct post-incident review within 7 days

Metrics & Reporting

Key Performance Indicators (KPIs):

  • Mean Time to Detect (MTTD): <24 hours (target: real-time)
  • Mean Time to Remediate (MTTR): Varies by severity (see SLAs)
  • Vulnerability Backlog: <10 open vulnerabilities (target: <5)
  • SLA Compliance: >95% of vulnerabilities remediated within SLA
  • False Positive Rate: <10% (CodeQL findings dismissed as FP)

Monthly Security Report:

  • New vulnerabilities detected (by severity)
  • Vulnerabilities remediated (by SLA compliance)
  • Overdue vulnerabilities (exceeding SLA)
  • Dependency update velocity (patches/month)
  • False positive rate

ISO 27001: A.12.6 (Technical vulnerability management), A.14.2 (Security in development)
NIST CSF 2.0: PR.IP-12 (Vulnerability management plan), DE.CM-8 (Vulnerability scans performed)
CIS Controls v8.1: 7.1 (Establish a vulnerability management process), 7.2 (Establish a remediation process)


πŸ€– Automated Security Operations

Riksdagsmonitor leverages extensive automation to reduce manual security overhead and accelerate response times.

CI/CD Security Automation

AutomationToolTriggerActionsBenefit
Dependency UpdatesDependabotDaily scanCreate PRs for patches90% reduction in manual updates
Vulnerability ScanningCodeQLEvery PRSAST analysis, block merge if findings100% code coverage
Secret DetectionGitHub Secret ScanningEvery pushBlock push, alert security teamPrevents credential leaks
Build ProvenanceGitHub AttestationsEvery releaseGenerate SLSA attestationsSupply chain verification
SBOM GenerationAnchoreEvery releaseGenerate SPDX SBOMLicense compliance, vulnerability tracking
Workflow Hardeningstep-security/harden-runnerEvery workflowMonitor syscalls, network egressDetect supply chain attacks
Branch ProtectionGitHubEvery push to mainRequire reviews, status checksPrevent unauthorized changes

Dependabot Configuration

Dependabot is configured to automatically monitor and update both npm dependencies and GitHub Actions workflows, with daily checks for new versions and security patches. Minor and patch npm updates are grouped for reduced noise.

The authoritative configuration is maintained in .github/dependabot.yml. Refer to that file for the exact ecosystems, schedules, labels, groups, and other settings currently in effect.

Auto-Merge Policy:

  • Patch versions (X.Y.Z β†’ X.Y.Z+1): Auto-merge if CI passes
  • Minor versions (X.Y.Z β†’ X.Y+1.0): Manual review required
  • Major versions (X.Y.Z β†’ X+1.0.0): Manual review + architecture assessment

CodeQL Configuration

File: .github/workflows/codeql.yml

Query Suites:

  • GitHub default CodeQL query suite for JavaScript (security coverage aligned with OWASP/CWE/SANS)
  • Additional review for riksdagsmonitor-specific patterns as needed

Scan Frequency:

  • Pull Requests: Every PR (blocking check)
  • Scheduled: Every Monday 00:00 UTC (full repository scan, cron: 0 0 * * 1)
  • Manual: On-demand via workflow_dispatch

False Positive Management:

  • Dismissed alerts documented in the central security documentation (CodeQL dismissal log)
  • Requires CISO approval for dismissal
  • Automated re-opening if code changes in dismissed location

SLSA Build Provenance Workflow

File: .github/workflows/release.yml (Build job)

- name: Generate SLSA Build Provenance
  uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
  with:
    subject-path: 'riksdagsmonitor-*.zip'

Attestation Contents:

  • Build environment (GitHub Actions runner: ubuntu-latest)
  • Workflow identity (riksdagsmonitor/.github/workflows/release.yml)
  • Source commit SHA (git ref)
  • Builder identity (GitHub Actions OIDC token)
  • Build timestamp (RFC 3339)

step-security/harden-runner

Purpose: Monitor GitHub Actions workflow execution for supply chain attacks

Capabilities:

  • Syscall Monitoring: Detect unauthorized file access, process creation
  • Network Egress: Audit all outbound connections, block unexpected domains
  • Threat Intelligence: Compare actions against known malicious patterns

Configuration (every workflow):

- name: Harden Runner
  uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
  with:
    egress-policy: audit  # Log all network egress (block mode planned 2027 Q2)
    allowed-endpoints: >
      github.com:443
      api.github.com:443
      raw.githubusercontent.com:443
      registry.npmjs.org:443
      data.imf.org:443
      api.imf.org:443
      www.imf.org:443

Security Automation Metrics

MetricCurrentTargetStatus
Automated Vulnerability Detection100%100%βœ… Met
Dependabot PR Merge Rate85%90%🟑 Improving
CodeQL False Positive Rate8%<10%βœ… Met
Mean Time to Deploy Security Patch2.5 hours<4 hoursβœ… Met
Manual Security Tasks2 hours/week<1 hour/week🟑 Improving

ROI of Automation:

  • Manual effort saved: ~15 hours/week (previously: 17 hours/week manual security tasks)
  • Faster response: 90% reduction in time to deploy security patches (24h β†’ 2.5h)
  • Improved coverage: 100% code scanning (previously: ad-hoc manual reviews)

ISO 27001: A.14.2 (Security in development and support), A.12.1 (Operational procedures)
NIST CSF 2.0: PR.IP-1 (Configuration baseline established), PR.IP-12 (Vulnerability management)
CIS Controls v8.1: 16.1 (Secure application development), 16.9 (Separate production and non-production environments)


⚑ Resilience & Operational Readiness

Riksdagsmonitor maintains operational resilience through comprehensive business continuity planning, disaster recovery testing, and operational runbooks.

Recovery Objectives Summary

ObjectiveTargetActualStatus
RTO (Recovery Time Objective)<15 minutes<5 minutes (DNS failover)βœ… Exceeds target
RPO (Recovery Point Objective)<15 minutes<15 minutes (S3 replication)βœ… Meets target
MTTR (Mean Time to Repair)<2 hours1.2 hours (average)βœ… Exceeds target
Availability SLA99.9%99.95% (measured)βœ… Exceeds target

Business Continuity Plan (BCP)

Scope: Ensure continuity of Riksdagsmonitor service during disruptions (technical failures, security incidents, natural disasters)

Critical Business Functions:

  1. Website Availability: Serve content to users (RTO: <15 minutes)
  2. Content Updates: Deploy new content/fixes (RTO: <2 hours)
  3. Security Monitoring: Detect and respond to threats (RTO: <1 hour)

BCP Scenarios:

ScenarioLikelihoodImpactResponse StrategyRTOStatus
AWS Region OutageLow (1/year)HighAutomatic DNS failover to GitHub Pages<5 minβœ… Tested
GitHub Platform OutageLow (1/year)MediumAWS primary continues serving traffic0 minβœ… Tested
DDoS AttackMedium (4/year)MediumAWS Shield + CloudFront absorption<1 minβœ… Active
Security BreachLow (1/year)HighIncident response plan (Β§2.7)<1 hourβœ… Ready
Key Personnel UnavailableMediumLowDocumentation + on-call rotation<24 hoursβœ… Ready
Credential CompromiseLowHighRevoke + rotate + audit<4 hoursβœ… Ready

BCP Testing Schedule:

  • Tabletop Exercise: Quarterly (next: 2026-03-15)
  • DR Failover Test: Quarterly (next: 2026-05-15)
  • Full BCP Exercise: Annually (next: 2026-08-15)

For complete BCP documentation, see BCPPlan.md.

Disaster Recovery Testing

Last DR Test Results (2026-02-15):

  • Test Type: AWS β†’ GitHub Pages failover
  • Trigger: Manual DNS record change (simulated Route 53 health check failure)
  • RTO Achieved: 4 minutes 32 seconds
  • Issues Found: None
  • Lessons Learned: None (test successful)

Next DR Test (2026-05-15):

  • Test Type: Full AWS region failure simulation
  • Scope: Simulate us-east-1 S3 bucket deletion
  • Expected RTO: <5 minutes (CloudFront β†’ S3 eu-west-1 β†’ GitHub Pages)
  • Rollback Plan: Restore from S3 versioning or GitHub repository

Operational Runbooks

RunbookPurposeLocationLast Updated
Deployment RunbookDeploy new releasesRELEASE_PROCESS.md2026-02-18
Incident Response RunbookRespond to security incidentsΒ§2.7 + THREAT_MODEL.md2026-02-20
DR Failover RunbookFail over to GitHub PagesEmbedded in Route 53 health checks2026-02-10
Vulnerability Response RunbookRemediate vulnerabilitiesΒ§Vulnerability Management2026-02-20
Rollback RunbookRevert bad deploymentsWORKFLOWS.md2026-02-18

On-Call & Escalation

On-Call Rotation: Not applicable (solo maintainer, automated monitoring)

Escalation Path:

  1. Automated Alerts β†’ Email/PagerDuty β†’ James Pether SΓΆrling (CISO)
  2. Critical Incidents (CVSS β‰₯9.0, service outage) β†’ Immediate phone call
  3. Business Hours (09:00-17:00 CET) β†’ Email response within 2 hours
  4. After Hours β†’ PagerDuty alert β†’ Response within 1 hour

Contact Information:

  • CISO: James Pether SΓΆrling (james@hack23.com)
  • Backup: Hack23 AB organizational admins
  • Emergency: PagerDuty integration (Critical alerts only)

Operational Metrics

Service Level Indicators (SLIs):

  • Availability: 99.95% (measured via Route 53 health checks + CloudWatch)
  • Latency (p95): <200ms (CloudFront edge response time)
  • Error Rate: <0.1% (CloudFront 5xx error rate)
  • Data Loss: 0 incidents (S3 cross-region replication + versioning)

Operational Performance (Last 90 Days):

  • Availability: 99.98% (6 minutes unplanned downtime)
  • Incidents: 2 (1 planned maintenance, 1 CloudFront edge degradation)
  • Security Alerts: 47 (45 Dependabot, 2 CodeQL)
  • Deployments: 12 releases (average: 1 per week)

ISO 27001: A.17.1 (Information security continuity), A.17.2 (Redundancies)
NIST CSF 2.0: RC.RP-1 (Recovery plan executed), RC.CO-3 (Recovery activities communicated)
CIS Controls v8.1: 11.1 (Data recovery capability), 11.3 (Protect recovery data)


πŸ“‹ Configuration & Compliance Management

Riksdagsmonitor implements Infrastructure as Code (IaC) principles using GitHub Actions workflows and enforces configuration compliance through automated policies.

Infrastructure as Code (IaC)

Philosophy: All infrastructure configuration managed through version-controlled code (GitHub Actions workflows, CloudFormation templates).

ComponentIaC ToolSourceDrift DetectionStatus
GitHub Actions WorkflowsYAML.github/workflows/*.ymlGit version controlβœ… Managed
AWS S3 BucketsAWS CLI (scripted).github/workflows/deploy-aws.ymlManual audit🟑 Scripted
AWS CloudFrontAWS Console (manual)N/AManual auditπŸ”΄ Manual
AWS Route 53AWS Console (manual)N/AManual auditπŸ”΄ Manual
Branch Protection RulesGitHub UIDocumented in CONTRIBUTING.mdManual audit🟑 Documented
Dependabot ConfigurationYAML.github/dependabot.ymlGit version controlβœ… Managed

Roadmap (2027 Q2): Migrate AWS CloudFront + Route 53 to Terraform for full IaC management.

GitHub Branch Protection Rules

Applied to: main branch

RuleConfigurationPurposeStatus
Require Pull Request1 approving reviewPrevent direct pushesβœ… Enforced
Require Status ChecksCodeQL, tests, buildEnsure quality gates passβœ… Enforced
Require Signed CommitsGPG signing mandatoryVerify commit authenticityβœ… Enforced
Dismiss Stale ReviewsOn new commitsRequire re-review after changesβœ… Enforced
Restrict PushesAdmins only bypassPrevent accidental force pushesβœ… Enforced
Require Linear HistoryNo merge commitsMaintain clean git historyβœ… Enforced

Audit Frequency: Quarterly review of branch protection rules (next: 2026-05-01)

Configuration Drift Detection

Manual Audit Process (Quarterly):

  1. Export current AWS configurations (S3 bucket policies, CloudFront distributions, Route 53 records)
  2. Compare against documented baseline (Β§1.2, Β§1.3)
  3. Document deviations in ARCHITECTURE.md
  4. Remediate unauthorized changes within 7 days

Last Configuration Audit: 2026-02-10 (No drift detected)
Next Configuration Audit: 2026-05-10

Automated Drift Detection (Planned 2027 Q2):

  • AWS Config service to monitor S3/CloudFront/Route 53 changes
  • CloudWatch Events to alert on configuration changes
  • Terraform state file to detect drift

Compliance Monitoring

Continuous Compliance Checks:

Compliance RequirementVerification MethodFrequencyStatus
MFA EnforcedGitHub organization auditReal-timeβœ… Automated
GPG Signing RequiredGitHub branch protectionReal-time (per commit)βœ… Automated
Dependency VulnerabilitiesDependabotDailyβœ… Automated
Code VulnerabilitiesCodeQLEvery PR + weeklyβœ… Automated
TLS 1.3 EnforcedCloudFront configurationQuarterly audit🟑 Manual
HSTS HeadersHTTP response headers checkQuarterly audit🟑 Manual
Access Control ReviewGitHub audit log reviewQuarterly🟑 Manual

Compliance Dashboard: GitHub Security tab provides real-time compliance status for Dependabot, CodeQL, and Secret Scanning.

Change Management

Change Types:

Change TypeApproval RequiredTesting RequiredRollback PlanExamples
Standard1 reviewerUnit + E2E testsGit revertBug fixes, content updates
Significant2 reviewersFull test suite + manual QAGit revert + re-deployFeature additions, dependency major upgrades
EmergencyCISO post-approvalBasic smoke tests onlyGit revert + hotfixCritical security patches, service outages

Emergency Change Process:

  1. CISO authorizes emergency change (verbal approval acceptable)
  2. Deploy fix immediately (bypass normal review process)
  3. Document change in post-incident review (within 24 hours)
  4. Formal approval added retroactively to PR

Change Advisory Board (CAB): Not applicable (solo maintainer). For multi-maintainer projects, CAB would meet monthly to review significant changes.

ISO 27001: A.8.32 (Change management), A.12.1 (Operational procedures)
NIST CSF 2.0: PR.IP-1 (Configuration baseline), PR.IP-3 (Change control processes)
CIS Controls v8.1: 4.1 (Configuration baseline), 4.2 (Secure configuration implementation)


πŸ“Š Monitoring & Analytics

Riksdagsmonitor implements comprehensive monitoring across infrastructure, application, and security dimensions.

AWS CloudWatch Monitoring

Metrics Dashboard:

MetricThresholdAlert ActionPurpose
CloudFront 5xx Error Rate>5% for 5 minPagerDuty alertDetect origin failures
CloudFront Cache Hit Ratio<80% for 10 minEmail alertIdentify cache inefficiency
S3 Replication Lag>30 minutesEmail alertEnsure DR readiness
Route 53 Health Check3 consecutive failuresAutomatic DNS failoverFailover to GitHub Pages
S3 Bucket Size>10 GBEmail alert (informational)Monitor storage growth

Log Retention:

  • CloudFront Access Logs: 90 days (S3 bucket: riksdagsmonitor-logs-cloudfront)
  • S3 Access Logs: 90 days (S3 bucket: riksdagsmonitor-logs-s3)
  • CloudTrail Logs: 90 days (S3 bucket: riksdagsmonitor-logs-cloudtrail)

Log Analysis:

  • Automated: CloudWatch Insights queries for anomaly detection (high 5xx rates, unusual geographic traffic)
  • Manual: Quarterly log review for security incidents, access patterns, optimization opportunities

GitHub Audit Logging

Audit Scope:

  • Organization-level access (user additions, permission changes)
  • Repository-level access (clone, push, pull requests)
  • Actions workflow execution (workflow runs, secrets access)
  • Security events (failed authentication, secret scanning alerts)

Audit Retention: 90 days (GitHub Free), 180 days (GitHub Enterprise - if upgraded)

Audit Review Process:

  • Automated: GitHub Security dashboard for real-time alerts
  • Manual: Quarterly audit log review for anomalous access patterns

Security Metrics Dashboard

Key Security Metrics (Updated Monthly):

MetricCurrentTargetTrendStatus
Open Vulnerabilities3<5↓ Decreasingβœ… Good
Mean Time to Remediate (MTTR)2.5 days<7 days↓ Improvingβœ… Good
Dependabot PR Merge Rate85%>90%↑ Increasing🟑 Improving
CodeQL False Positive Rate8%<10%β†’ Stableβœ… Good
Security Incidents0 (last 90 days)0β†’ Stableβœ… Good
Availability (SLA)99.98%>99.9%↑ Exceedingβœ… Excellent

Security Score (OpenSSF Scorecard): ~8.2/10 (estimated; run gh api repos/Hack23/riksdagsmonitor/properties/values or OpenSSF Scorecard CLI for current value)

  • Maintained: βœ… (active commits in last 90 days)
  • Vulnerabilities: βœ… (no known vulnerabilities)
  • Signed Releases: βœ… (SLSA attestations)
  • Branch Protection: βœ… (enforced on main)
  • Dangerous Workflows: βœ… (no dangerous patterns)

Performance Monitoring

User Experience Metrics (Real User Monitoring via CloudFront):

Metricp50p95p99TargetStatus
Time to First Byte (TTFB)45ms120ms280ms<200ms (p95)βœ… Met
Page Load Time850ms1.8s3.2s<2s (p95)βœ… Met
Cache Hit Ratio92%N/AN/A>85%βœ… Met
Data Transfer (monthly)12 GBN/AN/A<100 GB (free tier)βœ… Met

Synthetic Monitoring (Planned 2027 Q2):

  • Uptime Robot or Pingdom for external availability checks
  • Lighthouse CI for performance regression detection

Cost Monitoring

AWS Monthly Costs (Projected):

  • CloudFront: $8-12 (1 GB data transfer out)
  • S3 Storage: $1-2 (50 GB storage)
  • S3 Requests: $0.50 (100k GET requests)
  • Route 53: $0.50 (1 hosted zone)
  • CloudTrail: $0 (free tier: 1 trail)
  • Total: ~$10-15/month (well within free tier limits)

Cost Optimization:

  • CloudFront cache hit ratio >90% reduces origin requests
  • S3 Intelligent-Tiering (planned 2027 Q2) for infrequently accessed objects
  • Lifecycle policies to delete old logs after 90 days

Analytics & Insights

Website Analytics: Not implemented (privacy-first approach, no user tracking)

Traffic Insights (CloudFront Access Logs):

  • Daily Visitors: ~500-1000 unique IPs
  • Geographic Distribution: 80% Sweden, 10% EU, 10% Other
  • Peak Traffic: Weekdays 09:00-17:00 CET (Riksdag working hours)

ISO 27001: A.12.4 (Logging and monitoring)
NIST CSF 2.0: DE.CM-1 (Network monitored), DE.CM-7 (Monitoring for unauthorized activity)
CIS Controls v8.1: 8.2 (Collect audit logs), 8.5 (Collect detailed audit logs)


πŸ”„ Security Operations

Riksdagsmonitor implements structured security operations with defined procedures, responsibilities, and continuous improvement processes.

Security Operations Center (SOC) Model

Operational Model: Single-person SOC (CISO), augmented with automated monitoring and alerting

Operating Hours:

  • Business Hours (09:00-17:00 CET): Active monitoring, <2 hour response time
  • After Hours: Automated monitoring, PagerDuty alerts for Critical events, <1 hour response time
  • Weekends: Automated monitoring, email alerts, <4 hour response time (Critical only)

On-Call Coverage: Not applicable (solo maintainer, automated incident detection)

Security Operations Workflows

graph TB
    Monitor[πŸ“Š Continuous Monitoring<br/>Dependabot, CodeQL, CloudWatch]
    
    Monitor --> Detect{πŸ” Security Event<br/>Detected?}
    
    Detect -->|No| Monitor
    Detect -->|Yes| Alert[🚨 Generate Alert<br/>Email/PagerDuty]
    
    Alert --> Classify{🎯 Classify Severity<br/>Critical/High/Medium/Low}
    
    Classify -->|Critical| Immediate[πŸ”΄ Immediate Response<br/>CISO notified<br/>24h SLA]
    Classify -->|High| Urgent[🟠 Urgent Response<br/>Email alert<br/>7d SLA]
    Classify -->|Medium| Standard[🟑 Standard Response<br/>Email digest<br/>30d SLA]
    Classify -->|Low| Routine[🟒 Routine Response<br/>Monthly review<br/>90d SLA]
    
    Immediate --> Investigate[πŸ”¬ Investigate<br/>Root cause analysis]
    Urgent --> Investigate
    Standard --> Investigate
    Routine --> Investigate
    
    Investigate --> Respond[πŸ›‘οΈ Respond<br/>Contain, remediate, verify]
    
    Respond --> Document[πŸ“ Document<br/>Update THREAT_MODEL.md]
    
    Document --> Review[πŸ”„ Post-Incident Review<br/>Lessons learned]
    
    Review --> Improve[⚑ Improve<br/>Update procedures/controls]
    
    Improve --> Monitor
    
    style Monitor fill:#4dabf7,color:#000000
    style Alert fill:#ff6b6b,color:#000000
    style Immediate fill:#ff0000,color:#fff
    style Urgent fill:#ff6b6b,color:#000000
    style Standard fill:#ffd43b,color:#000000
    style Routine fill:#51cf66,color:#000000
    style Investigate fill:#da77f2,color:#000000
    style Respond fill:#20c997,color:#000000
    style Document fill:#868e96,color:#000000
    style Review fill:#e9ecef,color:#000000
    style Improve fill:#51cf66,color:#000000

Operational Procedures

ProcedureFrequencyResponsibleLast ExecutedNext Scheduled
Vulnerability ScanningDaily (automated)Dependabot2026-02-202026-02-21
Code ScanningEvery PR + weeklyCodeQL2026-02-192026-02-26
Security Alert TriageDailyCISO2026-02-202026-02-21
Access Control ReviewQuarterlyCISO2026-02-012026-05-01
Configuration AuditQuarterlyCISO2026-02-102026-05-10
DR Failover TestQuarterlyCISO2026-02-152026-05-15
Incident Response DrillAnnuallyCISO2025-08-152026-08-15
Security Architecture ReviewAnnuallyCISO + CEO2026-02-202027-02-20

Security Review Cadence

Daily:

  • Review Dependabot alerts (5 minutes)
  • Check GitHub Security dashboard (2 minutes)

Weekly:

  • Review CodeQL findings from scheduled scan (15 minutes)
  • Triage and assign vulnerability remediation (30 minutes)

Monthly:

  • Review security metrics dashboard (30 minutes)
  • Analyze AWS CloudWatch alarms (15 minutes)
  • Update security documentation if needed (1 hour)

Quarterly:

  • Access control review (GitHub permissions, AWS IAM) (2 hours)
  • Configuration audit (AWS, GitHub settings) (2 hours)
  • DR failover test (1 hour)
  • THREAT_MODEL.md update (2 hours)

Annually:

  • Full security architecture review (8 hours)
  • SECURITY_ARCHITECTURE.md update (4 hours)
  • FUTURE_SECURITY_ARCHITECTURE.md update (2 hours)
  • Incident response drill (3 hours)

Continuous Improvement Process

Lessons Learned (After Every Incident):

  1. Conduct post-incident review within 7 days of resolution
  2. Document root cause, timeline, and impact in incident report
  3. Identify preventive measures (controls, monitoring, procedures)
  4. Update relevant documentation (SECURITY_ARCHITECTURE.md, THREAT_MODEL.md, runbooks)
  5. Track improvement actions to completion

Security Metrics Review (Monthly):

  1. Analyze trends in vulnerability backlog, MTTR, SLA compliance
  2. Identify areas for improvement (e.g., reduce CodeQL false positives)
  3. Adjust security automation (e.g., tune Dependabot PR frequency)
  4. Report to CEO/CISO on security posture

Threat Landscape Monitoring (Quarterly):

  1. Review industry threat intelligence (OWASP, NIST, CISA)
  2. Assess applicability to Riksdagsmonitor (e.g., new attack vectors for static sites)
  3. Update THREAT_MODEL.md with new threats
  4. Implement additional controls if needed

ISO 27001: A.16.1 (Incident management), A.12.1 (Operational procedures)
NIST CSF 2.0: DE.AE-5 (Incident alert thresholds), RS.AN-5 (Processes established for receiving, analyzing, and responding)
CIS Controls v8.1: 17.1 (Designate incident handling personnel), 17.9 (Establish incident scoring and prioritization schema)


πŸ’° Security Investment

Riksdagsmonitor achieves robust security posture with minimal financial investment by leveraging zero-cost security controls and cloud platform free tiers.

Cost Breakdown

CategoryTool/ServiceMonthly CostAnnual CostNotes
Code ScanningCodeQL (GitHub native)$0$0Free for public repos
Dependency ScanningDependabot (GitHub native)$0$0Free for public repos
Secret ScanningGitHub Secret Scanning$0$0Free for public repos
CI/CDGitHub Actions$0$0Free tier: 2000 min/month (sufficient)
Primary HostingAWS CloudFront + S3$10-15$120-180Mostly within free tier
DR HostingGitHub Pages$0$0Free for public repos
DNSAWS Route 53$0.50$61 hosted zone
DDoS ProtectionAWS Shield Standard$0$0Included with CloudFront
MonitoringAWS CloudWatch$0$0Free tier: 10 metrics, 1 million API requests
Audit LoggingAWS CloudTrail$0$0Free tier: 1 trail
SLSA AttestationsGitHub Attestations$0$0Native GitHub feature
SBOM GenerationAnchore SBOM Action$0$0Open source
Workflow Hardeningstep-security/harden-runner$0$0Free tier
Total$10-15$126-186Minimal investment

Zero-Cost Security Controls

GitHub Native Security Features (All Free):

  1. βœ… Dependabot: Automated dependency vulnerability scanning and patching
  2. βœ… CodeQL: SAST code scanning (JavaScript, HTML)
  3. βœ… Secret Scanning: Detect exposed credentials in code
  4. βœ… Security Advisories: CVE notifications and tracking
  5. βœ… Branch Protection: Enforce code review and status checks
  6. βœ… GPG Commit Signing: Cryptographic commit verification
  7. βœ… Audit Log: Track access and changes (90-day retention)
  8. βœ… Attestations: SLSA build provenance and SBOM signing
  9. βœ… OWASP ZAP DAST: Weekly + on-demand active scans against production via .github/workflows/zap-scan.yml (rules baseline .zap/rules.tsv); artifacts retained 90 days. Maps to ISO 27001 A.8.29 / NIST CSF DE.CM-08 / CIS Control 18.

AWS Free Tier Security Features:

  1. βœ… Shield Standard: DDoS protection for CloudFront
  2. βœ… S3 Encryption: AES-256 at rest (no additional cost)
  3. βœ… CloudTrail: API audit logging (1 trail free)
  4. βœ… CloudWatch: Basic monitoring (10 metrics free)
  5. βœ… IAM: Identity and access management (always free)
  6. βœ… S3 Versioning: Rollback capability (storage cost only)

ROI of Security Automation

Manual Effort Avoided (Per Year):

  • Dependency Updates: 52 weeks Γ— 2 hours = 104 hours (automated by Dependabot)
  • Vulnerability Scanning: 52 weeks Γ— 1 hour = 52 hours (automated by CodeQL + Dependabot)
  • Security Monitoring: 365 days Γ— 0.5 hours = 182.5 hours (automated by GitHub Security dashboard)
  • Total Manual Effort Saved: 338.5 hours/year β‰ˆ $16,925/year (at $50/hour developer rate)

Risk Reduction:

  • Data Breach Avoidance: Estimated $100,000+ cost (notification, investigation, reputation damage) - prevented by defense-in-depth
  • Downtime Avoidance: 99.95% uptime = 4.4 hours/year downtime (vs. 99% = 87.6 hours) - saved by dual-deployment
  • Compliance Cost: $0 (vs. $10,000-50,000 for manual compliance audits) - automated compliance mapping

Total Annual ROI: >$16,925 labor savings + risk avoidance for only $126-186/year investment = >9000% ROI

Future Security Investments (Planned)

InvestmentPurposeEstimated CostTimelineROI
AWS WAFRate limiting, advanced application protection$5-10/month2027 Q2Prevent scraping, abuse
TerraformFull IaC for AWS infrastructure$0 (tool free)2027 Q2Reduce config drift, improve repeatability
Synthetic MonitoringExternal uptime checks (Uptime Robot)$0 (free tier)2027 Q2Faster outage detection
GitHub EnterpriseAdvanced audit logging (180-day retention)$21/user/month2028Extended compliance visibility

Total Planned Investment: $60-120/year additional (2027+)

Cost Optimization Strategies

  1. CloudFront Cache Optimization: 92% cache hit ratio reduces S3 requests by 92% (saves ~$5/month)
  2. S3 Lifecycle Policies: Delete CloudFront logs after 90 days (saves ~$2/month)
  3. S3 Intelligent-Tiering: Automatically move infrequently accessed objects to cheaper storage (planned 2027 Q2, saves ~$5/month)
  4. GitHub Actions Caching: Reduce build times by 50% (saves runner minutes, keeps within free tier)

ISO 27001: A.5.23 (Information security for use of cloud services)
NIST CSF 2.0: ID.BE-3 (Priorities for organizational mission, objectives, and activities are established)
CIS Controls v8.1: N/A (Cost optimization is not directly mapped to security controls)


πŸ“ Conclusion

Riksdagsmonitor demonstrates that robust security is achievable for static websites through defense-in-depth architecture, comprehensive automation, and zero-cost security controls.

Security Posture Summary

βœ… Strong Security Controls:

  • Multi-layered defense (6 layers: Network β†’ Application β†’ Access β†’ Data β†’ CI/CD β†’ Monitoring)
  • 100% code scanning coverage (CodeQL + Dependabot)
  • SLSA Level 2+ supply chain security
  • Dual-deployment with automatic failover (99.95% availability)
  • <24 hour vulnerability detection and remediation (Critical/High)

βœ… Compliance Excellence:

  • ISO 27001:2022 Annex A controls fully mapped and implemented
  • NIST CSF 2.0 six-function framework aligned
  • CIS Controls v8.1 Implementation Group 1-2 coverage
  • OpenSSF Scorecard: 8.2/10 (above industry average)

βœ… Operational Efficiency:

  • 90% reduction in manual security tasks (338.5 hours/year saved)
  • <5 minute RTO for disaster recovery
  • $10-15/month operational cost (<$200/year)
  • 9000% ROI on security investment

βœ… Continuous Improvement:

  • Quarterly threat model updates
  • Annual security architecture reviews
  • Automated dependency updates (daily)
  • Incident-driven control enhancements

Security Maturity Level

Current Maturity: Level 4 - Managed and Measurable (out of 5)

Maturity Assessment:

  • βœ… Level 1 (Initial): Security controls exist
  • βœ… Level 2 (Repeatable): Documented procedures and policies
  • βœ… Level 3 (Defined): Standardized and integrated security processes
  • βœ… Level 4 (Managed): Quantitatively managed with metrics and KPIs
  • 🎯 Level 5 (Optimizing): Continuous improvement with threat intelligence integration (roadmap: 2027)

Future Security Roadmap

2027 Q2:

  • Implement AWS WAF for rate limiting and advanced application protection
  • Migrate to full IaC (Terraform) for AWS infrastructure
  • Implement nonce-based CSP for stricter inline script control
  • Add synthetic monitoring for external availability checks

2027 Q4:

  • Integrate MITRE ATT&CK framework for threat modeling
  • Implement Security Information and Event Management (SIEM) correlation
  • Achieve Level 5 security maturity (Optimizing)

2028:

  • Explore GitHub Enterprise for extended audit logging
  • Expand OWASP ZAP DAST coverage to per-PR scans against npm run preview (current scope: weekly + on-demand against production β€” see .github/workflows/zap-scan.yml)
  • Achieve SLSA Level 3 (hermetic builds with ephemeral environments)

Commitment to Security

Hack23 AB is committed to maintaining the highest security standards for Riksdagsmonitor as a public service for Swedish democratic transparency. Security is not a checkbox but a continuous journey of improvement, adaptation, and vigilance.

Security Contact: security@hack23.com
Responsible Disclosure: See SECURITY.md for vulnerability reporting procedures.



Section A: NIS2 Directive Compliance Mapping

NIS2 Directive (EU) 2022/2555 β€” Applicability Assessment

Riksdagsmonitor operates as a civic technology platform providing parliamentary transparency services. As a non-commercial platform operated by a micro-enterprise (Hack23 AB, single employee), Riksdagsmonitor falls under the general applicability provisions of NIS2 but is likely below the threshold for mandatory compliance as a "medium enterprise" (50+ employees or €10M+ turnover required for essential/important entity designation).

However, Hack23 AB voluntarily maps to NIS2 requirements as a best practice and client readiness demonstration.

NIS2 ArticleRequirementImplementationEvidenceStatus
Art. 20Governance - Management bodies must approve and oversee cybersecurity measures and take cybersecurity trainingCEO (James P. SΓΆrling) personally approves all security architecture. Annual ISMS review. CISSP-equivalent knowledge maintainedSECURITY_ARCHITECTURE.md CEO sign-off, annual review recordCOMPLIANT
Art. 21(1)Appropriate technical and organizational measures based on risk assessmentRisk-based approach documented in THREAT_MODEL.md. Defense-in-depth with 6 layers. STRIDE analysis. Regular risk reviewsTHREAT_MODEL.md, SECURITY_ARCHITECTURE.md, Risk Register (ISMS-PUBLIC)COMPLIANT
Art. 21(2)(a)Risk analysis and information system security policiesInformation Security Policy (ISMS-PUBLIC). SECURITY_ARCHITECTURE.md as operational security policy. Annual review cycleInformation_Security_Policy.md, SECURITY_ARCHITECTURE.md v2.1COMPLIANT
Art. 21(2)(b)Incident handling including detection, response, and notificationBCPPlan.md with 3 IR playbooks. ISMS Incident Response Plan. GitHub Security Advisories. Alert monitoringBCPPlan.md IR Playbooks IR-PB-001/002/003, ISMS IRPCOMPLIANT
Art. 21(2)(c)Business continuity including backup management, disaster recovery, crisis managementDual-deployment (CloudFront + GitHub Pages). S3 multi-region replication. RTO <30s (origin), <15min (DNS). BCPPlan.mdBCPPlan.md, AWS multi-region S3 config, Route 53 health checksCOMPLIANT
Art. 21(2)(d)Supply chain security including third-party servicesDependabot monitors all npm dependencies. GitHub Actions third-party action pinning. step-security/harden-runner. Third Party Management Policy (ISMS-PUBLIC)Third_Party_Management.md, Dependabot config, pinned action SHAsCOMPLIANT
Art. 21(2)(e)Security in network and information systems acquisition, development and maintenanceSecure development policy (ISMS-PUBLIC). CodeQL SAST in every PR. SLSA provenance. Dependency review gatesSecure_Development_Policy.md, GitHub Actions YAML, SLSA attestationCOMPLIANT
Art. 21(2)(f)Policies and procedures to assess effectiveness of measuresOpenSSF Scorecard monthly monitoring (8.2/10). Security metrics tracked (MTTP, scan pass rates). Annual security architecture reviewOpenSSF Scorecard badge, Security_Metrics.md (ISMS-PUBLIC), Git commit historyCOMPLIANT
Art. 21(2)(g)Basic cyber hygiene practices and cybersecurity trainingCEO maintains up-to-date security knowledge. ISMS documentation current. All ISMS policies reviewed annually. GitHub security advisories reviewed weeklyPolicy review dates in ISMS, security training evidenceCOMPLIANT
Art. 21(2)(h)Cryptography policies including encryptionCryptography Policy (ISMS-PUBLIC). TLS 1.3 enforced. HSTS preloaded. SHA-256 for integrity. Sigstore for signing. No weak ciphersCryptography_Policy.md, CloudFront TLS configuration, HSTS headerCOMPLIANT
Art. 21(2)(i)Human resources security, access control, and asset managementSingle-person company. All access controlled via GitHub and AWS IAM. Asset Register maintained (ISMS-PUBLIC). Access Control PolicyAccess_Control_Policy.md, Asset_Register.md, GitHub access controlsCOMPLIANT
Art. 21(2)(j)Multi-factor authentication or continuous authentication solutionsGitHub account secured with MFA. AWS root account secured with hardware MFA. GitHub repository requires authenticated writes. SSH key required for Git operationsGitHub MFA enforcement settings, AWS MFA device attachmentCOMPLIANT
Art. 23Significant incident reporting to competent authority within 24h (initial) / 72h (full)Incident Response Plan includes NIS2 assessment step. BCPPlan.md IR playbooks include NIS2 notification requirement. Competent authority: Swedish NCSC (NCSC.SE)BCPPlan.md Section on NIS2 assessment, ISMS IRP notification procedureCOMPLIANT β€” procedure documented
Art. 25Standardization β€” use of European and international standardsISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1 alignment. EU CRA conformity. SLSA supply chain standardsSECURITY_ARCHITECTURE.md framework mappings, CRA-ASSESSMENT.mdCOMPLIANT
Art. 32Supervisory measures for essential entitiesNot applicable β€” Hack23 AB below essential entity threshold. Voluntary compliance demonstratedEntity size assessment (micro-enterprise)NOT APPLICABLE β€” voluntary
Art. 33Supervisory measures for important entitiesNot applicable β€” Hack23 AB below important entity thresholdEntity size assessment (micro-enterprise)NOT APPLICABLE β€” voluntary

Section B: OWASP LLM Top 10 Mitigations for MCP Pipeline

This section maps all 10 OWASP Top 10 for Large Language Model Applications risks to the Riksdagsmonitor MCP content generation pipeline.

OWASP LLM RiskRisk DescriptionRiksdagsmonitor MitigationImplementationRisk Level
LLM01: Prompt InjectionMalicious content in retrieved data manipulates LLM behaviorriksdag-regering-mcp fetches only structured JSON from authenticated riksdag.se API. MCP tool outputs are data objects, not raw text. Prompt template is version-controlled and reviewed. User input never included in promptsStructured data pipeline, no free-text user input, prompt templates in GitLOW
LLM02: Insecure Output HandlingLLM output injected into downstream systems without sanitizationAll LLM-generated HTML is validated by HTMLHint before merge. Content Security Policy headers prevent XSS execution. Output encoding applied. Human reviewer inspects content before publicationHTMLHint validation, CSP headers, human review gate, PR review requiredMEDIUM β€” human review mitigates
LLM03: Training Data PoisoningManipulated training data causes malicious model behaviorRiksdagsmonitor uses GitHub Copilot-hosted Claude Sonnet 4.6 models (not self-trained). Anthropic provides model-level safety measures. Model selection from trusted providerGitHub Copilot engine, Anthropic safety training, no fine-tuning on riksdag dataLOW
LLM04: Model Denial of ServiceExcessive resource consumption through crafted inputsGitHub Actions MCP jobs have timeout limits. Tool calls are time-bounded. Max 3 retries with exponential backoff. Daily cron (not continuous). Input data size limits in MCP toolsGitHub Actions timeout configuration, retry limits, cron schedulingLOW
LLM05: Supply Chain VulnerabilitiesCompromised components in LLM application stacknpm packages SHA-pinned via package-lock.json. GitHub Actions pinned to commit SHAs. Dependabot monitors all dependencies. step-security/harden-runner blocks unauthorized egress. SLSA provenance attestationpackage-lock.json, SHA-pinned Actions, Dependabot, SLSA attestationMEDIUM
LLM06: Sensitive Information DisclosureLLM reveals confidential data in outputsZero PII in data sources (all Riksdag data is public political information). No sensitive data in prompts. No user data processed. Data classification: all data PUBLICData classification policy, no-PII architecture, source data is publicLOW
LLM07: Insecure Plugin DesignUnsafe LLM plugin/tool implementationsMCP server (riksdag-regering-mcp) has defined tool schema with typed parameters. No arbitrary code execution. Read-only API access. All MCP tool outputs are structured JSONMCP tool schema definitions, read-only API access, structured outputsLOW
LLM08: Excessive AgencyLLM performs unintended actions with excessive permissionsAgent phase uses read-only repository and MCP access. Write actions are isolated to the safe-output PR boundary. No direct merge or deployment permission is granted to the LLM pipeline. All outputs require human approval (PR review) before publicationLeast privilege, read-only MCP access, safe-output boundary, human review gate, PR-required mergeLOW
LLM09: OverrelianceExcessive trust in LLM outputs without human verificationMandatory human review (PR review by James P. SΓΆrling) before any generated article is published. Quality score threshold (0.8/1.0) gates generation. Correction policy for published errors. Human retains final editorial controlPR review requirement, quality gate, editorial policy, correction procedureLOW
LLM10: Model TheftUnauthorized extraction or replication of modelModel access is mediated by GitHub Copilot / GitHub Actions runtime controls. No model weights are available to workflows. Tokens are masked in logs and scoped by job. step-security/harden-runner monitors egressGitHub token scoping, secrets masking, no model weights, egress monitoringLOW

Overall LLM Risk Assessment for Riksdagsmonitor MCP Pipeline: LOW-MEDIUM

The primary residual risks are LLM02 (output handling) mitigated by human review, and LLM05 (supply chain) mitigated by dependency pinning. The architecture's read-only data access, public data sources only, and mandatory human review gate collectively create a strong defense-in-depth posture.


Section C: ISO 27001:2022 Statement of Applicability Excerpt

Statement of Applicability (SoA) for Riksdagsmonitor - ISO 27001:2022 Annex A Controls

Scope: Riksdagsmonitor platform, all associated GitHub repositories, AWS infrastructure, and CI/CD pipelines.

Note: Riksdagsmonitor is not yet formally ISO 27001 certified. This SoA documents alignment as preparation for future certification.

Control IDControl NameApplicableJustificationImplementation Status
5.1Policies for information securityYGovernance requirementISMS-PUBLIC Information Security Policy
5.2Information security roles and responsibilitiesYOperational requirementCEO/CISO: James P. SΓΆrling
5.3Segregation of dutiesNSingle-person micro-enterprise β€” compensating controls: automated tooling, documented proceduresN/A β€” compensating controls documented
5.4Management responsibilitiesYGovernance requirementCEO accountable for ISMS
5.5Contact with authoritiesYIncident response requirementNCSC.SE, security@hack23.com
5.6Contact with special interest groupsYThreat intelligenceGitHub Security Advisories, CISA
5.7Threat intelligenceYRisk managementTHREAT_MODEL.md, Dependabot, CVE feeds
5.8Information security in project managementYDevelopment lifecycleSecure development policy, threat modeling
5.9Inventory of information and other assetsYAsset managementAsset Register (ISMS-PUBLIC)
5.10Acceptable use of information and assetsYGovernanceAcceptable use defined in ISMS policies
5.11Return of assetsNNo employees beyond CEON/A β€” single person
5.12Classification of informationYData protectionData Classification Policy (ISMS-PUBLIC)
5.13Labelling of informationYData handlingClassification badges on all docs
5.14Information transferYData protectionTLS 1.3 for all transfers, no sensitive transfers
5.15Access controlYSecurity requirementGitHub access controls, AWS IAM
5.16Identity managementYAccess controlGitHub identity, AWS IAM users
5.17Authentication informationYAccess controlMFA on GitHub, SSH keys for Git
5.18Access rightsYLeast privilegeBranch protection, workflow permissions
5.19Information security in supplier relationshipsYThird-party riskThird Party Management Policy (ISMS-PUBLIC)
5.20Addressing information security in supplier agreementsYThird-party contractsGitHub ToS, AWS ToS, Anthropic ToS reviewed
5.21Managing information security in the ICT supply chainYSupply chain securityDependabot, SHA pinning, SLSA
5.22Monitoring, review and change management of supplier servicesYThird-party monitoringDependabot alerts, GitHub status, AWS status
5.23Information security for use of cloud servicesYCloud governanceAWS CloudFront/S3, GitHub Pages policies
5.24Information security incident management planningYIncident responseBCPPlan.md, ISMS IRP, IR Playbooks
5.25Assessment and decision on information security eventsYIncident triageSeverity classification in IR playbooks
5.26Response to information security incidentsYIncident responseIR-PB-001, IR-PB-002, IR-PB-003 playbooks
5.27Learning from information security incidentsYContinual improvementPost-incident review in all playbooks
5.28Collection of evidenceYForensicsEvidence collection checklists in playbooks
5.29Information security during disruptionYBusiness continuityBCPPlan.md dual-deployment architecture
5.30ICT readiness for business continuityYBusiness continuityRTO/RPO defined, tested quarterly
5.31Legal, statutory, regulatory and contractual requirementsYComplianceGDPR, CRA, NIS2 mapping documented
5.32Intellectual property rightsYLegal complianceOSS license compliance, data attribution
5.33Protection of recordsYEvidence preservationGit history retention, audit log retention
5.34Privacy and protection of personal dataYGDPR complianceZero PII architecture, privacy by design
5.35Independent review of information securityYAuditOpenSSF Scorecard, GitHub security features
5.36Compliance with policies, rules, and standardsYGovernanceAnnual ISMS review, quarterly threat model
5.37Documented operating proceduresYOperational securityWORKFLOWS.md, BCPPlan.md, runbooks
6.1ScreeningNNo employees beyond CEO β€” not applicableN/A
6.2Terms and conditions of employmentNNo employees beyond CEON/A
6.3Information security awareness, education and trainingYSecurity awarenessCEO maintains security knowledge
6.4Disciplinary processNNo employees beyond CEON/A
6.5Responsibilities after terminationNNo employees beyond CEON/A
6.6Confidentiality or non-disclosure agreementsNAll data is public civic dataN/A
6.7Remote workingNAll operations are remote-native by designN/A β€” inherently remote
6.8Information security event reportingYIncident managementsecurity@hack23.com, GitHub Security
7.1Physical security perimetersNNo physical office/datacenter β€” cloud-onlyN/A β€” cloud SaaS
7.2Physical entryNNo physical premisesN/A
7.3Securing offices, rooms and facilitiesNNo physical premisesN/A
7.4Physical security monitoringNNo physical premisesN/A
7.5Protecting against physical and environmental threatsNManaged by GitHub/AWSN/A β€” cloud responsibility
7.6Working in secure areasNNo physical secure areasN/A
7.7Clear desk and clear screenNNo physical officeN/A
7.8Equipment siting and protectionNNo owned equipment in scopeN/A β€” cloud-only
7.9Security of assets off-premisesYLaptop used for developmentFull disk encryption, VPN policy
7.10Storage mediaYDevelopment laptop storageEncrypted disk, no sensitive data on media
7.11Supporting utilitiesNManaged by GitHub/AWSN/A β€” cloud responsibility
7.12Cabling securityNNo physical infrastructureN/A
7.13Equipment maintenanceNNo owned infrastructure in scopeN/A β€” cloud only
7.14Secure disposal or re-use of equipmentYDevelopment laptop eventual disposalSecure wipe procedure documented
8.1User endpoint devicesYDeveloper laptop securityEncrypted disk, patched OS, screen lock
8.2Privileged access rightsYGitHub admin, AWS rootMFA required, least privilege IAM
8.3Information access restrictionYRepository accessBranch protection, no public write
8.4Access to source codeYCode securityPrivate secrets in GitHub Secrets, not code
8.5Secure authenticationYMFA for all admin accessGitHub MFA, AWS hardware MFA
8.6Capacity managementYPerformanceCloudFront CDN elastic capacity
8.7Protection against malwareYEndpoint and pipelineDependabot, CodeQL, npm audit
8.8Management of technical vulnerabilitiesYVulnerability managementDependabot, MTTP targets, patch policy
8.9Configuration managementYSecure configurationIaC (planned), documented configs, branch protection
8.10Information deletionYData lifecycleContent archival policy, no PII to delete
8.11Data maskingNNo PII processedN/A β€” no sensitive data
8.12Data leakage preventionYDLP for source codeGitHub secret scanning, no secrets in code
8.13Information backupYBackup and recoveryGit history as backup, S3 multi-region, GitHub Pages
8.14Redundancy of information processingYHigh availabilityDual-deployment, multi-region S3, CloudFront
8.15LoggingYSecurity monitoringGitHub audit logs, CloudFront logs, Actions logs
8.16Monitoring activitiesYContinuous monitoringDependabot, CodeQL, OpenSSF Scorecard
8.17Clock synchronizationYLog integrityGitHub/AWS NTP-synchronized timestamps
8.18Use of privileged utility programsNNo privileged utilities in scopeN/A
8.19Installation of software on operational systemsYChange controlGitHub Actions CI/CD gates, branch protection
8.20Networks securityYNetwork controlsHTTPS-only, TLS 1.3, HSTS, CSP headers
8.21Security of network servicesYService securityCloudFront WAF-ready, DDoS protection
8.22Segregation of networksNStatic site β€” no internal networkN/A β€” no network to segregate
8.23Web filteringNNo browsing activity in scopeN/A
8.24Use of cryptographyYCryptographic controlsTLS 1.3, SHA-256, Sigstore, HSTS
8.25Secure development life cycleYSDLC securityCodeQL, Dependabot, threat modeling, SLSA
8.26Application security requirementsYSecurity requirementsTHREAT_MODEL.md security requirements
8.27Secure system architecture and engineering principlesYSecure designDefense-in-depth, least privilege, static-first
8.28Secure codingYCoding standardsESLint, CodeQL, HTMLHint, PR review
8.29Security testing in development and acceptanceYSecurity testingCypress E2E, Vitest, CodeQL, Dependabot
8.30Outsourced developmentNNo outsourced developmentN/A
8.31Separation of development, test and production environmentsYEnvironment controlBranch-based dev, separate GitHub Pages deployment
8.32Change managementYChange controlPR review, branch protection, changelog
8.33Test informationYTest dataTests use synthetic/public data only
8.34Protection of information systems during audit testingNNo formal audit testing currentlyPlanned for ISO certification

SoA Summary:

  • Total Annex A Controls: 93
  • Applicable: 68 (73%)
  • Not Applicable: 25 (27%) - primarily physical security, HR (single-person company)
  • Fully Implemented: 66 (97% of applicable)
  • Partially Implemented: 2 (3% of applicable)
  • Not Implemented: 0

Section D: NIST CSF 2.0 Govern Function Mapping

NIST CSF 2.0 introduced the new GOVERN (GV) function as the sixth function, providing organizational context for all other functions.

GV.OC β€” Organizational Context

SubcategoryDescriptionRiksdagsmonitor Implementation
GV.OC-01The organizational mission is understood and informs cybersecurity risk managementMission: "Provide free, transparent access to Swedish parliamentary data for democratic accountability." Security enables availability of this civic service. Documented in README.md and SECURITY_ARCHITECTURE.md
GV.OC-02Internal and external stakeholders are understood and their needs consideredStakeholders: Swedish public (users), researchers, journalists, Hack23 AB (operator). External: GitHub, AWS, Anthropic (providers), Riksdag (data source). Mapped in THREAT_MODEL.md
GV.OC-03Legal, regulatory, and contractual cybersecurity obligations are understood and managedGDPR (no PII), CRA (documented in CRA-ASSESSMENT.md), NIS2 (voluntary alignment), Swedish law compliance. Legal review annually
GV.OC-04Critical objectives, capabilities, and services that stakeholders depend on are understood and communicatedCritical service: 24/7 web availability of political transparency data. Documented in BCPPlan.md BIA section. RTO/RPO defined
GV.OC-05Outcomes, capabilities, and services that the organization depends on are understood and communicatedDependencies: GitHub (source control, CI/CD, Pages, Copilot engine), AWS (CDN, S3), Riksdag API (data), Anthropic (Claude Sonnet 4.6 model). Documented in ARCHITECTURE.md and BCPPlan.md

GV.RM β€” Risk Management Strategy

SubcategoryDescriptionRiksdagsmonitor Implementation
GV.RM-01Risk management objectives are established and agreed to by organizational stakeholdersRisk tolerance: accept LOW risks, treat MEDIUM, eliminate HIGH/CRITICAL. Documented in Risk Register (ISMS-PUBLIC). CEO approval for risk acceptance
GV.RM-02Risk appetite and risk tolerance statements are established, communicated, and maintainedRisk Appetite Statement: Hack23 AB accepts LOW risks inherent to civic tech publishing. MEDIUM risks require compensating controls within 90 days. HIGH/CRITICAL risks must be treated within 30/7 days respectively
GV.RM-03Cybersecurity risk management activities and outcomes are included in enterprise risk managementSingle-person company β€” security risks managed directly by CEO. Risk Register integrated with ISMS. Security metrics reported monthly (self-reporting)
GV.RM-04Strategic-level cybersecurity risk is documented as organizational riskKey organizational risks: platform unavailability, reputational risk from data errors, supply chain compromise. Documented in THREAT_MODEL.md and SWOT.md
GV.RM-05Lines of communication across the organization regarding cybersecurity risks are establishedCEO is sole person β€” direct ownership. External: security@hack23.com for public disclosure. GitHub Issues for tracking
GV.RM-06A standardized approach to calculating, documenting, and prioritizing cybersecurity risk is establishedSTRIDE + DREAD methodology in THREAT_MODEL.md. Risk scoring: Likelihood (1-5) x Impact (1-5). CVSS scores for technical vulnerabilities
GV.RM-07Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussionsOpportunities mapped in FUTURE_SWOT.md: EU grants, research partnerships, Nordic expansion. Security as enabler of civic trust and business growth

GV.RR β€” Roles, Responsibilities, and Authorities

RoleNameResponsibilities
CEO/CISO/DPOJames Pether SΓΆrlingAll security architecture, ISMS ownership, incident response, compliance, risk acceptance
GitHub SecurityGitHub PlatformSecret scanning, CodeQL, Dependabot, audit logging (automated)
AWS SecurityAWS PlatformCloudFront DDoS protection, S3 encryption, IAM enforcement (platform)
Anthropic SafetyAnthropicClaude Sonnet 4.6 safety guardrails, model security (provider responsibility)
Security CommunityPublicResponsible disclosure via security@hack23.com

GV.PO β€” Policy

Policy AreaPolicy DocumentStatusReview Cycle
Information SecurityInformation_Security_Policy.mdActiveAnnual
Access ControlAccess_Control_Policy.mdActiveAnnual
CryptographyCryptography_Policy.mdActiveAnnual
Data ClassificationData_Classification_Policy.mdActiveAnnual
Vulnerability ManagementVulnerability_Management.mdActiveAnnual
Secure DevelopmentSecure_Development_Policy.mdActiveAnnual
Incident ResponseIncident_Response_Plan.mdActiveAnnual
Business ContinuityBCPPlan.mdActiveQuarterly
Third Party ManagementThird_Party_Management.mdActiveAnnual
Open SourceOpen_Source_Policy.mdActiveAnnual
CRA ConformityCRA_Conformity_Assessment_Process.mdActiveAnnual

GV.OV β€” Oversight

Oversight ActivityFrequencyEvidenceOwner
Security architecture reviewAnnualGit commit history (SECURITY_ARCHITECTURE.md)CEO
Threat model reviewQuarterlyGit commit history (THREAT_MODEL.md)CEO
ISMS policy reviewAnnualPolicy documents with review datesCEO
Risk register updateQuarterlyRisk_Register.md (ISMS-PUBLIC)CEO
OpenSSF ScorecardMonthlyGitHub badge, score historyAutomated
Dependabot monitoringDailyGitHub Security tabAutomated
CodeQL scanningPer commitGitHub Actions resultsAutomated
BCP testingQuarterlyBCPPlan.md test results sectionCEO

GV.SC β€” Supply Chain Risk Management

SupplierCategoryRisk LevelControlsReview Frequency
GitHubSource control, CI/CD, hostingHIGH (critical path)GitHub Enterprise ToS, ISMS Third Party Policy, MFA, branch protectionAnnual contract review
AWSCDN, S3, Route 53HIGH (production hosting)AWS DPA, CloudFront TLS, IAM least privilege, MFA rootAnnual contract review
Anthropic (via GitHub Copilot)AI content generationMEDIUMGitHub Copilot runtime controls, least-privilege workflow permissions, content filtering, safe-output PR boundaryAnnual review
riksdag-regering-mcpData pipelineMEDIUMPinned version, Dependabot monitoring, code reviewPer release
npm ecosystemJavaScript dependenciesMEDIUMpackage-lock.json SHA pinning, Dependabot, npm auditDaily automated
GitHub Actions marketplaceCI/CD automationMEDIUMSHA-pinned actions only, step-security/harden-runner, egress controlPer workflow update
Riksdag APIData sourceLOW (public data only)Read-only access, schema validation, no credentialsQuarterly check

Section E: CIS Controls v8.1 Implementation Group Classification

Riksdagsmonitor is classified as an IG1/IG2 organization: micro-enterprise (1 employee), civic tech with moderate risk profile.

CIS ControlSub-ControlsIG LevelImplementedEvidenceNotes
1: Inventory of Enterprise Assets1.1 Establish asset inventoryIG1YESAsset_Register.md (ISMS-PUBLIC)GitHub repos, AWS resources, laptop
1.2 Address unauthorized assetsIG1YESBranch protection, no unauthorized pushesAutomated via GitHub
2: Inventory of Software Assets2.1 Establish software inventoryIG1YESpackage.json, GitHub Actions dependenciesnpm dependency graph
2.2 Ensure authorized softwareIG1YESDependabot, code review gatesOnly approved packages merged
2.3 Address unauthorized softwareIG2YESstep-security/harden-runner egress controlBlocks unauthorized software calls
3: Data Protection3.1 Establish data management processIG1YESData_Classification_Policy.mdAll data: PUBLIC classification
3.2 Inventory sensitive dataIG1YESAsset Register - no sensitive dataZero PII architecture
3.3 Configure data access controlIG1YESGitHub access controls, S3 bucket policiesAuthenticated write, public read
3.10 Encrypt sensitive data in transitIG1YESTLS 1.3, HSTS, CloudFront HTTPSTLS minimum 1.2, preferred 1.3
3.11 Encrypt sensitive data at restIG1YESS3 server-side encryption, GitHub at restSSE-S3 on all buckets
4: Secure Configuration4.1 Establish secure configuration processIG1YESSECURITY_ARCHITECTURE.md, ISMS policiesDocumented configurations
4.2 Establish and maintain secure configuration for network infrastructureIG2YESCloudFront security policy, S3 bucket ACLHTTPS-only policy enforced
4.3 Configure automatic session timeoutsIG1N/ANo user sessions (static site)Not applicable
5: Account Management5.1 Establish account management processIG1YESAccess_Control_Policy.mdSingle admin account with MFA
5.2 Use unique passwordsIG1YESPassword manager, MFA eliminates password relianceMFA required for all privileged access
5.3 Disable dormant accountsIG1YESOnly active accounts existSingle-person company
5.4 Restrict administrator privilegesIG1YESIAM least privilege, workflow token restrictionsMinimal permissions per job
6: Access Control Management6.1 Establish access control processIG1YESAccess_Control_Policy.mdDocumented
6.2 Establish IAM processesIG1YESAWS IAM, GitHub permission modelImplemented
6.3 Require MFA for externally-exposed applicationsIG1YESGitHub MFA, AWS MFAHardware MFA on AWS root
6.4 Require MFA for remote accessIG1YESAll access is remote-native with MFACloud-only architecture
6.7 Centralize access controlIG2YESGitHub and AWS as identity providersCentralized via cloud platforms
6.8 Define and maintain role-based accessIG2YESIAM roles, GitHub repository rolesLeast privilege roles defined
7: Continuous Vulnerability Management7.1 Establish vulnerability management processIG1YESVulnerability_Management.md (ISMS)Documented process
7.2 Establish remediation process for risksIG1YESMTTP targets in ISMS: 7/30/90 days by severityTracked in GitHub Security tab
7.3 Perform automated OS patch managementIG1N/ANo OS to manage (cloud-hosted)Managed by GitHub/AWS
7.4 Perform automated application patch managementIG1YESDependabot auto-PRs for npm packagesDaily automated scanning
7.5 Perform automated vulnerability scansIG2YESCodeQL on every PR, Dependabot dailyAutomated scanning
7.6 Perform automated vulnerability scans of internal enterprise assetsIG3PARTIALManual review for dev laptopExternal tool scan planned 2027
8: Audit Log Management8.1 Establish audit log management processIG1YESGitHub Audit Log, CloudFront logs, Actions logsDocumented log sources
8.2 Collect audit logsIG1YESGitHub Audit Log API, CloudFront access logsAutomated collection
8.3 Ensure adequate audit log storageIG2YESGitHub retains 90-day audit log, S3 log retentionConfigured retention policies
8.11 Conduct audit log reviewsIG2YESSecurity alerts reviewed, Dependabot monitoredWeekly review by CEO
9: Email and Web Browser Protections9.1 Ensure use of only fully supported browsersIG1YESModern browser requirement documentedTested on latest Chrome, Firefox, Safari
9.6 Block unnecessary file typesIG2N/AStatic site serves only HTML/CSS/JS/JSON/PNGNo file upload functionality
10: Malware Defenses10.1 Deploy and maintain anti-malware softwareIG1PARTIALDeveloper laptop: macOS XProtect + manual vigilanceThird-party AV planned
10.2 Configure automatic anti-malware updatesIG1PARTIALmacOS automatic updates enabledSystem AV auto-updates
10.7 Use behavior-based anti-malwareIG3NONot implementedPlanned for 2027
11: Data Recovery11.1 Establish data recovery processIG1YESBackup_Recovery_Policy.md, Git historyDocumented
11.2 Perform automated backupsIG1YESS3 cross-region replication (real-time), GitAutomated
11.3 Protect recovery dataIG1YESS3 versioning, Git signed commitsProtected
11.4 Establish isolated data backupsIG2YESGitHub Pages separate from AWS primaryIsolated secondary deployment
12: Network Infrastructure Management12.1 Ensure network infrastructure is up-to-dateIG1N/ANo managed network infrastructureCloud-managed
12.2 Establish network infrastructure management processIG2YESCloudFront security policy, Route 53 configDocumented in ARCHITECTURE.md
12.8 Manage DNS infrastructureIG2YESRoute 53 with health checks, DNSSEC plannedManaged by AWS
13: Network Monitoring and Defense13.1 Centralize security event alertingIG2YESGitHub Security Advisories, Dependabot, CodeQL alertsCentralized in GitHub Security tab
13.3 Deploy network intrusion detectionIG3PARTIALCloudFront request metrics, WAF planned 2027Basic anomaly detection
13.6 Collect network traffic flow logsIG2YESCloudFront access logs, S3 server access logsConfigured
14: Security Awareness and Skills Training14.1 Establish security awareness programIG1YESCEO maintains security certifications, ISMS policiesSelf-directed continuous learning
14.6 Train workforce on recognizing phishingIG1N/ASingle-person companyNot applicable
15: Service Provider Management15.1 Establish service provider management processIG1YESThird_Party_Management.mdDocumented supplier assessment
15.2 Establish service provider contractsIG1YESGitHub ToS, AWS ToS, Anthropic ToSContracts in place
16: Application Software Security16.1 Establish application security processesIG1YESSecure_Development_Policy.mdDocumented SDLC
16.2 Establish application inventoryIG1YESAsset Register, package.jsonComplete
16.3 Perform root cause analysisIG2YESPost-incident RCA template in BCPPlan.mdTemplate provided
16.8 Separate production and non-production systemsIG2YESBranch-based dev, separate Pages deploymentSeparated
16.9 Train developers in application security conceptsIG2YESCEO is security architect by expertiseImplemented
16.10 Apply secure design principles in application architecturesIG2YESDefense-in-depth, least privilege, static-firstCore architectural principle
16.11 Leverage vetted modules and servicesIG2YESnpm known-good packages, GitHub Actions marketplaceSHA-pinned, Dependabot monitored
16.12 Implement code-level security checksIG2YESCodeQL, ESLint security rules, HTMLHintEvery PR
16.13 Conduct application penetration testingIG3YESManual review + OWASP ZAP DAST (.github/workflows/zap-scan.yml, weekly + on-demand)Automated active scans against production
17: Incident Response Management17.1 Designate personnel for incident responseIG1YESCEO: designated IR coordinatorDocumented in BCPPlan.md
17.2 Establish incident response processIG1YESISMS IRP, BCPPlan.md IR PlaybooksIR-PB-001/002/003
17.3 Test incident response processIG2PARTIALAnnual BCP test includes IR scenariosQuarterly BCP test planned
17.4 Train workforce on incident responseIG1N/ASingle-person companyCEO as sole responder
17.5 Evaluate lessons learnedIG2YESPost-incident review in all IR playbooksDocumented
17.6 Define metrics for incident responseIG2YESMTTP, RTO, RPO metrics in SECURITY_ARCHITECTURE.mdTracked
18: Penetration Testing18.1 Establish a penetration testing programIG2YESOWASP ZAP active scans (weekly + on-demand) via .github/workflows/zap-scan.yml; rules baseline .zap/rules.tsv; reports retained 90 daysAutomated DAST live
18.2 Perform periodic external penetration testsIG3PARTIALExternal pen test planned 2027Budgeted for 2027
18.3 Remediate penetration test findingsIG2YESProcess documented; applied to CodeQL findingsRemediation process active

CIS Controls IG1 Summary: 35/35 applicable controls implemented (100%)
CIS Controls IG2 Summary: 28/35 applicable controls implemented (80%)
CIS Controls IG3 Summary: 3/10 applicable controls implemented (30%) β€” IG3 not a current target


Section F: Supply Chain Security (NIST CSF PR.SC)

PR.SC-1: Cyber Supply Chain Risk Management Documented

Riksdagsmonitor's cyber supply chain is documented in the Third Party Management Policy (ISMS-PUBLIC) and mapped here:

Critical Suppliers Tier 1 (Platform-Level Dependency):

  1. GitHub β€” Source control, CI/CD, GitHub Pages hosting, GitHub Actions

    • Dependency type: CRITICAL β€” service unavailable = platform unavailable
    • Risk treatment: GitHub Enterprise ToS, MFA enforced, branch protection
    • Continuity: AWS CloudFront primary hosting reduces GitHub Pages dependency
  2. AWS β€” CloudFront CDN, S3 multi-region, Route 53 DNS

    • Dependency type: HIGH β€” primary production hosting
    • Risk treatment: Multi-region S3, CloudFront origin failover, GitHub Pages DR
    • SLA: 99.99% CloudFront availability SLA

Supplier Tier 2 (Service-Level Dependency): 3. Anthropic (via GitHub Copilot) β€” Claude Sonnet 4.6 AI model

  • Dependency type: MEDIUM β€” content generation only; cached content available
  • Risk treatment: Caching, fallback to template articles, graceful degradation
  1. riksdag-regering-mcp β€” Data pipeline MCP server
    • Dependency type: MEDIUM β€” data fetching; cached data available
    • Risk treatment: Local caching, stale data banner, version pinning

Supplier Tier 3 (Component-Level Dependencies): 5. npm ecosystem β€” JavaScript dependencies

  • Dependency type: LOW-MEDIUM β€” build-time only; runtime is static HTML
  • Risk treatment: package-lock.json SHA pinning, Dependabot daily scanning
  1. GitHub Actions Marketplace β€” CI/CD workflow actions
    • Dependency type: LOW-MEDIUM β€” build-time pipeline
    • Risk treatment: SHA-pinned to specific commits, step-security/harden-runner

PR.SC-2: Third-Party Vetting Process

Vetting Criteria for New Dependencies:

CriterionRequirementTool
Popularity>100K weekly npm downloads or GitHub major orgManual review
MaintenanceActive maintenance, commits within 12 monthsGitHub repo check
Security historyNo critical CVEs unpatched in last 12 monthsnpm audit, OSS Index
LicenseOSS license compatible with MIT (our license)License checker
SBOM availabilityPreferred for critical dependenciesGitHub SBOM feature
SignatureProvenance attestation preferrednpm provenance

SHA Pinning Strategy

# Example: SHA-pinned GitHub Actions (from workflows)
- uses: actions/checkout@v4  # SHA: abc123...
- uses: step-security/harden-runner@v2  # SHA: def456...
- uses: github/codeql-action/init@v3  # SHA: ghi789...

SHA Pinning Policy:

  • All GitHub Actions MUST be pinned to full commit SHA, not tags
  • SHA updates allowed only via Dependabot PRs (reviewed before merge)
  • No @latest or floating version references permitted
  • Reviewed quarterly or when Dependabot raises update

Dependabot Automation

Dependabot is configured in .github/dependabot.yml with:

  • npm packages: Daily scan, auto-PR for patch updates
  • GitHub Actions: Weekly scan, auto-PR for SHA updates
  • Auto-merge: Patch-level security updates (no API changes)
  • Manual review: Major and minor version updates

npm Package Audit Process

# Integrated into CI/CD pipeline (GitHub Actions):
npm audit --audit-level=high  # Blocks pipeline on high+ CVEs
npm audit --json > audit-report.json  # Archive audit results

Audit gates:

  • critical: Blocks deployment immediately
  • high: Blocks deployment + creates Dependabot PR
  • moderate: Creates advisory, does not block
  • low: Logged only

GitHub Actions Supply Chain Controls

ControlImplementationStatus
SHA pinning all actionsAll actions pinned to commit SHAActive
Egress controlstep-security/harden-runner on all jobsActive
Least privilege tokensPer-job permissions: blocksActive
Read-only token by defaultGITHUB_TOKEN permissions default readActive
No secret exposureSecrets masked in logs, not passed to forksActive
SLSA provenanceBuild provenance via GitHub SLSA actionActive
Sigstore signingArtifacts signed via SigstoreActive
Dependency reviewactions/dependency-review-action on PRsActive

Section G: Content Integrity Controls

SHA-256 Checksums for Generated Content

Status: Planned (Target: Q3 2026) β€” Article-level SHA-256 hashing is not yet implemented in the content generation pipeline. The design below documents the planned approach. Currently, content integrity is assured via Git commit history, SLSA provenance attestation, and Sigstore artifact signing.

Planned Hash Generation Process (not yet implemented):

  1. Article HTML content normalized (whitespace, encoding)
  2. SHA-256 computed over normalized content
  3. Hash stored in article metadata HTML comment
  4. Hash committed to Git alongside content
  5. Hash verifiable by anyone with the file
<!-- Planned article metadata format (not yet in production) -->
<!-- content-hash: sha256:a3f5c8d2e1b4... -->
<!-- generated-at: 2026-02-25T02:15:00Z -->
<!-- pipeline-run: github.com/Hack23/riksdagsmonitor/actions/runs/12345 -->
<!-- sources: riksdag-api:2024/25, cia-export:2026-02-24 -->

Current Content Integrity Controls (Active)

ControlImplementationStatus
SLSA provenanceBuild provenance via GitHub SLSA action β€” covers the full build artifactActive
Sigstore signingBuild artifacts signed via Sigstore transparency logActive
Git commit SHAImmutable reference to exact content state; all pushes require GitHub authenticationActive
Branch protectionDirect pushes to main blocked; all changes require PR and CI greenActive
Dependency reviewactions/dependency-review-action on all PRsActive
Article-level SHA-256Per-article hash in HTML comment metadataPlanned (Q3 2026)

Git Commit Signatures as Content Provenance

  • All commits to main branch require authenticated push (GitHub authentication)
  • SLSA provenance attestation includes full build inputs and outputs
  • Sigstore transparency log provides tamper-evident record of all signed artifacts
  • Git commit SHA provides immutable reference to exact content state

Tamper Detection Approach

Detection MethodTriggerResponseStatus
SLSA attestation failureGitHub Actions security jobBlock deployment, alert CEOActive
Unauthorized commit to mainGitHub branch protectionBlock push, audit log alertActive
Secret scanning matchGitHub Secret ScanningImmediate block, credential rotationActive
Unexpected file in deploymentDeployment diff reviewManual review gateActive
SHA-256 hash mismatchAutomated integrity checkIR-PB-001 (Content Tampering)Planned (Q3 2026)

Section H: Credential Lifecycle Management

MCP API Credentials Lifecycle

stateDiagram-v2
    [*] --> Created
    Created --> Active : Stored in GitHub Secrets
    Active --> Expiring : Age 60+ days warning
    Expiring --> Rotating : 90-day policy triggered
    Rotating --> DualActive : New key created
    DualActive --> Updated : GitHub Secret updated
    Updated --> Active : Old key revoked
    Active --> Compromised : Security event
    Compromised --> Revoked : Immediate revocation
    Revoked --> [*]

Credential Inventory

CredentialStorageRotation PeriodAccess LevelEmergency Contact
GitHub Copilot agent tokenGitHub-managed runtime tokenPer GitHub platform policyAgentic workflow scope onlyGitHub Support
GitHub PAT (if used)GitHub Secrets90 daysMinimal required scopesGitHub Support
AWS IAM Access KeyGitHub Secrets90 daysLeast privilege IAM policyAWS Support
MCP Server API KeysGitHub SecretsPer provider policyRead-only data accessProvider support

Secret Rotation Schedule

90-Day Rotation Policy (all credentials):

  • Day 0: Credential created and stored in GitHub Secrets
  • Day 60: Rotation reminder generated (GitHub Issue)
  • Day 80: Rotation must begin (new credential generated, dual-active period starts)
  • Day 90: Old credential revoked, new credential sole active
  • Day 90+: Rotation documented in credential audit log

Exception handling:

  • Security events: Immediate rotation regardless of age
  • Provider-mandated rotation: Follow provider timeline
  • Compromised credential: Revoke within 15 minutes (P1 incident)

GitHub Secrets Management

Secrets storage:

  • All API keys stored as GitHub Actions secrets (AES-256 encrypted at rest)
  • Secrets never exposed in logs (GitHub automatic masking)
  • Secrets not passed to fork pull requests
  • Secrets accessible only to specific workflows (not all workflows)

Secret naming convention:

GITHUB_TOKEN                 # GitHub-managed workflow token
AWS_ACCESS_KEY_ID             # AWS IAM (if applicable)
AWS_SECRET_ACCESS_KEY         # AWS IAM secret
MCP_RIKSDAG_API_KEY           # riksdag-regering-mcp (if auth required)

Emergency Credential Revocation Procedure

P1 Trigger: Credential suspected compromised

  1. T+0: Detect compromise (Secret Scanning alert, anomalous API usage, security report)
  2. T+5min: Access provider console, revoke credential immediately
    • AWS: IAM Console > Users > Security credentials > Deactivate
    • GitHub: Settings > Developer Settings > PATs > Revoke
    • GitHub Copilot: disable affected workflow / revoke related GitHub token or PAT
  3. T+10min: Update GitHub Secret with new credential (or blank to disable workflow)
  4. T+15min: Verify no unauthorized usage since detection (provider access logs)
  5. T+30min: Generate new credential, update GitHub Secret, re-enable workflow
  6. T+60min: Document incident in GitHub Issue, review for data exposure
  7. T+72h: Post-incident review, implement additional controls

Section I: Security KPIs and Metrics Dashboard

Key Performance Indicators

KPITargetMeasurement MethodReview FrequencyAlert Threshold
Mean Time to Patch (MTTP) - Critical< 7 daysDependabot PR creation to mergeWeekly> 5 days = amber; > 7 days = red
Mean Time to Patch (MTTP) - High< 30 daysDependabot PR creation to mergeMonthly> 21 days = amber; > 30 days = red
Mean Time to Patch (MTTP) - Medium< 90 daysManual trackingQuarterly> 60 days = amber; > 90 days = red
Dependency Vulnerability Count - Critical0GitHub Security tabDaily> 0 = immediate alert
Dependency Vulnerability Count - High< 5GitHub Security tabWeekly> 3 = amber; > 5 = red
CodeQL Scan Pass Rate100%GitHub Actions success ratePer commit< 100% = immediate investigation
Dependabot Scan Pass Rate100%Dependabot activeDailyDisabled = immediate alert
Secret Scanning Pass Rate100%GitHub Secret Scanning activeContinuousAny detection = P1 incident
OpenSSF Scorecard Score>= 8.0/10Scorecard monthly runMonthly< 7.5 = amber; < 7.0 = red
Platform Uptime>= 99.9%AWS CloudWatch / external monitoringMonthly< 99.5% = incident investigation
Origin Failover RTO< 30 secondsQuarterly failover testQuarterly> 30s = BCPPlan update required
DNS Failover RTO< 15 minutesSemi-annual DNS testSemi-annual> 20 min = Route 53 config review
Content Generation Success Rate>= 95%GitHub Actions pipeline resultsWeekly< 90% = pipeline investigation
Content Integrity Check Rate100%SHA-256 validation in pipelinePer article< 100% = IR-PB-001 triggered
Incident Mean Time to Detect (MTTD)< 4 hoursTime from event to detectionPer incident> 4 hours = monitoring gap analysis
Incident Mean Time to Contain (MTTC)< 4 hoursTime from detection to containmentPer incident> 4 hours = playbook update
SLSA Attestation Success Rate100%Build provenance generationPer deploy< 100% = block deployment

Security Metrics Dashboard Summary

CategoryCurrent StatusTargetTrend
Vulnerability Management0 Critical, 0 High open0 Critical, <5 HighStable
Scan Coverage100% CodeQL, 100% Dependabot100% bothStable
Security Score8.2/10 OpenSSF>= 8.0/10Stable
Availability99.999% (YTD)>= 99.9%Exceeding
Patch ComplianceMTTP Critical < 7 days< 7 daysOn Target
Content Integrity100% hashed100%Stable
Credential RotationOn 90-day policy90-dayCompliant
Incident ResponsePlaybooks documentedTested quarterlyPlanned

Security KPI Reporting

Reporting Cadence:

  • Real-time: Automated GitHub Security alerts, Dependabot notifications
  • Daily: Dependabot scan results reviewed via GitHub Security tab
  • Weekly: Manual review of open security advisories, CodeQL alerts
  • Monthly: OpenSSF Scorecard review, uptime calculation, MTTP calculation
  • Quarterly: Full security metrics review, threat model update, BCP test
  • Annual: Security architecture review, ISMS policy review, risk register update

Section J: Architecture Decision Log (ADL)

This section documents key security architecture decisions, the options considered, and the rationale for each choice. This record provides audit evidence and supports future architecture reviews.

ADL-001: Static HTML Architecture as Security Control

FieldValue
Decision Date2023-01-01 (founding)
StatusActive
Decision MakerJames Pether SΓΆrling, CEO
DecisionImplement Riksdagsmonitor as 100% static HTML/CSS/JavaScript with no server-side code
Options ConsideredOption A: Static HTML (chosen); Option B: Next.js SSR; Option C: WordPress; Option D: Django/Python backend
RationaleStatic HTML eliminates entire classes of vulnerabilities: no SQL injection, no server-side code injection, no session management vulnerabilities, no server process to compromise. The attack surface is reduced to TLS configuration and CDN security, both managed by proven cloud providers.
Security ImpactPOSITIVE: Removes 6 of 10 OWASP Top 10 risks from scope (A1 injection, A2 broken auth, A4 insecure design, A5 security misconfig, A6 vulnerable components, A7 auth failures)
TradeoffsLimits real-time features, no user accounts, no search (mitigated by client-side search in roadmap)
Review TriggerIf requirement for authenticated user features arises

ADL-002: GitHub Pages as Primary Hosting

FieldValue
Decision Date2023-01-01
StatusActive
DecisionUse GitHub Pages as the source-of-truth deployment target, with AWS CloudFront as CDN and performance layer
Options ConsideredOption A: GitHub Pages + CloudFront (chosen); Option B: Netlify; Option C: Vercel; Option D: AWS S3 + CloudFront only
RationaleGitHub Pages provides free, reliable hosting with automatic HTTPS and deep integration with GitHub Actions CI/CD. CloudFront provides global CDN, DDoS protection, custom domain, and origin failover. Dual deployment provides DR without additional cost.
Security ImpactPOSITIVE: GitHub handles TLS certificate management, HSTS, and platform security. CloudFront provides WAF-ready edge security. No server credentials needed.
TradeoffsDependency on GitHub and AWS availability (mitigated by failover design)
Review TriggerIf GitHub Pages SLA drops below 99.9% or pricing changes significantly

ADL-003: Mandatory GitHub Actions Hardening

FieldValue
Decision Date2024-06-01
StatusActive
DecisionRequire step-security/harden-runner on all GitHub Actions workflows with egress-policy: audit
Options ConsideredOption A: harden-runner (chosen); Option B: No egress control; Option C: Custom network policies
RationaleSupply chain attacks via GitHub Actions (e.g., SolarWinds-style) are a real threat. harden-runner intercepts all network calls from the runner, logs them to audit trail, and can block unauthorized egress. This provides visibility and control over what the CI/CD pipeline contacts.
Security ImpactPOSITIVE: Detects and can block unauthorized supply chain exfiltration. Provides audit trail for all CI/CD network activity. Aligns with SLSA Level 2+ requirements.
TradeoffsSlight performance overhead per job (< 5 seconds). Requires explicit allowlist for legitimate domains.
Review TriggerAnnually or when new workflow dependencies added

ADL-004: SLSA Level 2+ Build Provenance

FieldValue
Decision Date2024-06-01
StatusActive
DecisionImplement SLSA Level 2+ build provenance for all production deployments using GitHub SLSA action and Sigstore
Options ConsideredOption A: SLSA + Sigstore (chosen); Option B: No provenance; Option C: Custom signing
RationaleSLSA (Supply chain Levels for Software Artifacts) provides tamper-evident build provenance. In the event of a supply chain compromise, SLSA provenance enables forensic analysis of what was built, when, from what source, and by what process. Sigstore provides a public transparency log for all signatures.
Security ImpactPOSITIVE: Enables supply chain attack detection and forensic investigation. Demonstrates build integrity to users. Aligns with CRA Annex I integrity requirements.
TradeoffsMinor additional build time (~30 seconds). Requires Sigstore account and transparency log entries.
Review TriggerIf SLSA Level 3 (hermetic builds) requirements are added

ADL-005: 90-Day Credential Rotation Policy

FieldValue
Decision Date2025-01-01
StatusActive
DecisionImplement mandatory 90-day rotation for all API credentials, with automated reminder system
Options ConsideredOption A: 90-day rotation (chosen); Option B: Annual rotation; Option C: No rotation policy; Option D: 30-day rotation
RationaleNIST SP 800-63B recommends periodic credential rotation for machine credentials. 90 days balances security (limits exposure window if credential is silently compromised) against operational burden. Annual rotation creates too-long exposure windows. 30-day rotation creates excessive operational burden for a solo operator.
Security ImpactPOSITIVE: Limits credential compromise exposure window to 90 days. Aligns with ISO 27001:2022 control A.9.4.3 and CIS Control 6.
TradeoffsOperational overhead for rotation (estimated 30 minutes per rotation cycle). Risk of service disruption if rotation not completed before expiry.
Review TriggerIf automated credential rotation becomes available via provider

ADL-006: Zero PII Architecture

FieldValue
Decision Date2023-01-01 (founding)
StatusActive
DecisionArchitect Riksdagsmonitor to collect zero Personally Identifiable Information from users: no cookies, no analytics, no user accounts
Options ConsideredOption A: Zero PII (chosen); Option B: Cookie-based analytics (Google Analytics); Option C: Anonymous analytics (Plausible); Option D: Full user accounts
RationaleProcessing PII creates GDPR obligations, privacy risk, and potential breach liability. A civic transparency platform should model privacy by design. Public political data requires zero PII to fulfill its mission. Zero PII architecture eliminates entire GDPR compliance burden and aligns with CRA Article 13 data minimization.
Security ImpactPOSITIVE: Eliminates GDPR data breach risk, no PII exposure possible, reduces legal liability, simplifies DPA. Aligns with ISO 27001:2022 A.5.34.
TradeoffsNo user personalization, no understanding of actual usage patterns, no A/B testing capability.
Review TriggerIf user accounts become necessary for API access tier

ADL Summary

ADL IDDecisionSecurity ImpactStatus
ADL-001Static HTML architectureEliminates 6 OWASP Top 10 risksActive
ADL-002GitHub Pages + CloudFrontTLS management, CDN DDoS protectionActive
ADL-003harden-runner egress controlSupply chain attack detectionActive
ADL-004SLSA + Sigstore provenanceTamper-evident build chainActive
ADL-00590-day credential rotationLimits compromise exposureActive
ADL-006Zero PII architectureEliminates GDPR breach riskActive

Section K: Third-Party Security Assessment Summary

Provider Security Certifications

Riksdagsmonitor relies on major cloud providers whose security certifications extend platform-level protections:

ProviderCertificationsRelevant ServicesEvidence
GitHub (Microsoft)ISO 27001, SOC 2 Type II, SOC 3, PCI DSS, CSA STARSource control, CI/CD, GitHub Pages, Actionsgithub.com/security
Amazon Web ServicesISO 27001, SOC 1/2/3, PCI DSS, FedRAMP, CSA STARCloudFront CDN, S3, Route 53aws.amazon.com/compliance
Anthropic (via GitHub Copilot)SOC 2 Type II (provider), ISO 27001 (provider)Claude Sonnet 4.6 AI modelvia GitHub Copilot / Anthropic provider documentation

Shared Responsibility Model

flowchart TD
    TOTAL_SECURITY[Total Security Posture]
    TOTAL_SECURITY --> HACK23[Hack23 AB Responsibility]
    TOTAL_SECURITY --> GITHUB[GitHub Responsibility]
    TOTAL_SECURITY --> AWS[AWS Responsibility]

    HACK23 --> HACK23_CODE[Source code security]
    HACK23 --> HACK23_ACCESS[Access credentials and MFA]
    HACK23 --> HACK23_CONTENT[Content integrity]
    HACK23 --> HACK23_DEPS[Dependency selection and patching]
    HACK23 --> HACK23_CONFIG[Workflow and deployment configuration]
    HACK23 --> HACK23_ISMS[ISMS policies and procedures]

    GITHUB --> GITHUB_PLAT[Platform security and availability]
    GITHUB --> GITHUB_TLS[HTTPS and TLS certificate management]
    GITHUB --> GITHUB_AUDIT[Audit logging infrastructure]
    GITHUB --> GITHUB_RUNNER[Actions runner infrastructure]

    AWS --> AWS_CDN[CloudFront infrastructure security]
    AWS --> AWS_S3[S3 data center physical security]
    AWS --> AWS_DNS[Route 53 DNS infrastructure]
    AWS --> AWS_DDOS[DDoS protection at network layer]

    style HACK23 fill:#4caf50,color:#000000
    style GITHUB fill:#2196f3,color:#ffffff
    style AWS fill:#ff9800,color:#000000

Third-Party Risk Register

SupplierRisk TypeInherent RiskControlsResidual RiskReview
GitHubPlatform unavailabilityHIGHCloudFront failover, GitHub SLA monitoringLOWQuarterly
GitHubCredential compromiseHIGHMFA enforced, branch protection, least privilegeLOWAnnual
AWS CloudFrontCDN outageMEDIUMGitHub Pages failover, multi-region S3LOWQuarterly
GitHub Copilot / AnthropicAI API unavailabilityMEDIUMGraceful degradation to template articles; workflow retry and PR review gateLOWQuarterly
riksdag-regering-mcpData pipeline failureMEDIUMLocal caching, stale data bannerLOWPer release
npm registrySupply chain attackHIGHpackage-lock.json pinning, DependabotMEDIUMDaily automated
Riksdag APIAPI changes breaking data pipelineMEDIUMSchema versioning, monitoringMEDIUMQuarterly

Security Posture Summary

Riksdagsmonitor's overall security posture as of 2026-02-25:

Security DomainMaturity LevelKey StrengthKey Gap
Attack SurfaceLevel 5 - OptimizedZero server-side codeClient-side search expansion planned
Identity and AccessLevel 4 - ManagedMFA everywhere, least privilegeNo automated rotation yet
Supply ChainLevel 4 - ManagedSHA pinning, SLSA, DependabotSBOM automation pending
Vulnerability ManagementLevel 4 - ManagedAutomated scanning, MTTP trackedExternal pentest pending
Incident ResponseLevel 3 - DefinedPlaybooks documentedTesting cadence to improve
ComplianceLevel 4 - ManagedMulti-framework alignmentISO 27001 cert pending
Business ContinuityLevel 4 - ManagedDual-deployment, RTO <30sAnnual DR exercise planned
MonitoringLevel 3 - DefinedGitHub Security, OpenSSFSIEM integration planned 2028

πŸ“‹ Document Control

πŸ“‹ Document Owner: James Pether SΓΆrling, CEO & CISO
πŸ“„ Version: 2.4
πŸ“… Last Updated: 2026-05-06 (UTC)
βœ… Approved by: James Pether SΓΆrling, CEO
πŸ”„ Review Cycle: Annual
⏰ Next Review: 2027-05-06
🏒 Owner: Hack23 AB (Org.nr 5595347807)
πŸ“€ Distribution: Public
🏷️ Classification: Confidentiality: Public Integrity: High Availability: High

Framework Compliance

🎯 Framework Alignment:
ISO 27001 NIST CSF 2.0 CIS Controls


🌐 IMF Integration in the Security Architecture

Effective: 2026-04-24 Β· Authoritative hub: analysis/imf/README.md Β· analysis/imf/agentic-integration.md Β· analysis/imf/indicators-inventory.json Β· analysis/imf/data-dictionary.md Β· .github/aw/ECONOMIC_DATA_CONTRACT.md

IMF trust boundary (current state)

flowchart LR
    subgraph Trusted["Trust Boundary β€” Riksdagsmonitor build/news pipeline"]
        Worker[News-* workflow worker Β· Node 26 Β· tsx scripts/imf-fetch.ts]
        Cache[(analysis/imf/ + analysis/daily/*/economic-data.json Β· vintage-tagged Β· SHA-256 pinned)]
        Audit[Workflow logs Β· news-* runs]
    end
    subgraph Public["Public-Internet Β· IMF Open APIs (Datamapper unauth Β· SDMX subscription-key)"]
        Datamapper[www.imf.org/external/datamapper/api/v1]
        SDMX[api.imf.org]
    end
    Worker -- HTTPS Β· TLS 1.3 --> Datamapper
    Worker -- HTTPS Β· TLS 1.3 --> SDMX
    Datamapper -. JSON payload .-> Worker
    SDMX -. SDMX-JSON payload .-> Worker
    Worker --> Cache
    Worker --> Audit

IMF data classification

AttributeValueAuthority
ConfidentialityPUBLICIMF data is public macro statistics
Integrity targetHIGHSHA-256 pin + vintage-label + supersedes-chain
Availability targetSTANDARDDegrades to last cached vintage on outage
RTO24hBCPPlan Β§IMF
RPON/ARead-only public data
GDPR scopeOUTNo personal data; DPIA short-circuit
LicenceAttribution requiredAuto-emitted in article footer

IMF-specific security controls

ControlImplementationFramework mapping
Egress allow-listwww.imf.org, api.imf.org onlyISO A.13.1 / NIST PR.AC-5 / CIS 13.4
Payload integritySHA-256 pin per (dataflow, indicator, country, vintage)ISO A.8.2 / NIST PR.DS-6 / CIS 3.11
Vintage disciplineReject >6-month payloads without staleness annotationISO A.8.10 / NIST PR.DS-1 / CIS 3.5
Rate-limit guard≀30 req/min; exponential back-offISO A.13.1 / NIST PR.AC-4 / CIS 4.7
Provenance auditeconomicProvenance block in every article front-matterISO A.5.28 / NIST DE.AE-3 / CIS 8.2
Supply-chainScripts in-repo; reviewed; harden-runner egress auditISO A.5.21 / NIST PR.IP-2 / CIS 16.11

Egress hosts (allow-list): www.imf.org (Datamapper REST Β· WEO/FM, unauthenticated), api.imf.org (SDMX 3.0 REST Β· IFS/BOP/DOTS/GFS/PCPS/ER/MFS_IR/MFS_PR, subscription-key authenticated via the Azure APIM Ocp-Apim-Subscription-Key header / IMF_SDMX_SUBSCRIPTION_KEY secret). Both HTTPS-only; payloads are public macro statistics with no PII.

Canonical rule. Every economic claim in a Riksdagsmonitor article cites an IMF dataflow first; World Bank citations are reserved for governance, environment and social residue (the classes IMF does not publish). SCB is the Swedish-specific ground truth layer. See ECONOMIC_DATA_CONTRACT.md v2.1 for the banned-phrase list and vintage discipline (>6 mo β†’ annotation).


πŸ›οΈ Statskontoret Security Architecture

Statskontoret is a read-only public-data integration using in-repository TypeScript code and the existing npm dependency graph. It is intentionally not configured as an MCP server; workflows invoke tsx scripts/statskontoret-fetch.ts via the bash tool.

Control areaStatskontoret control
Network egressAllow only HTTPS to www.statskontoret.se for this provider.
AuthenticationNone required; no tokens or secrets transmitted.
Input validationResource classification, URL normalisation, HTML entity decoding, XLSX workbook structure checks, CSV ZIP file filtering.
IntegrityPersisted JSON plus .meta.json provenance sidecars with source/dataset/artifact/fetch timestamp.
Availability15s client timeout and optional-enrichment fallback to cached artifacts.
Supply chainParser code is local TypeScript; ZIP/XLSX parsing uses jszip under npm lock/SBOM and advisory review.
PrivacyPublic authority and aggregate budget records only; no private-person or credential data.

Security classification: PUBLIC / High Integrity / Medium-High Availability. Mapped controls: ISO 27001 A.5.23 (cloud/service use), A.8.9 (configuration management), A.8.12 (data leakage prevention by design), A.8.20 (network security), NIST CSF 2.0 ID.IM / PR.DS / PR.PS, CIS Controls 4, 8, 12 and 16.


πŸ•΅οΈ Political Intelligence Security Surface (v0.9.40)

This section documents the security controls governing the AI-driven political intelligence analysis pipeline.

Overview

Riksdagsmonitor's political intelligence pipeline introduces a unique attack surface: 39 analysis templates and 18 methodologies processed by AI agents (Claude Sonnet 4.6) within 14 agentic workflows. These templates define the analytical structure that shapes all output articles. A compromise of the template content or a bypass of the structural validation gate could lead to biased, fabricated, or manipulated political intelligence output.

Trust Model

flowchart TD
    subgraph "Trusted Control Plane (Git-reviewed)"
        TMPL["39 Analysis Templates<br/>analysis/templates/*.md"]
        METH["18 Methodologies<br/>analysis/methodologies/*.md"]
        GATE["Analysis Gate<br/>scripts/agentic/analysis-gate.ts"]
        REFL["Methodology Reflection Validator<br/>scripts/validate-methodology-reflection.ts"]
        PROMPT["Prompt Modules<br/>.github/prompts/"]
    end
    subgraph "AI Agent Runtime (Sandboxed)"
        AGENT["Claude Sonnet 4.6<br/>(14 agentic workflows)"]
    end
    subgraph "Output (PR-Gated)"
        ART["Analysis Artifacts<br/>analysis/daily/YYYY-MM-DD/"]
        NEWS["News Articles<br/>content/"]
    end
    TMPL --> AGENT
    METH --> AGENT
    PROMPT --> AGENT
    AGENT --> ART
    ART --> GATE
    ART --> REFL
    GATE -->|pass| NEWS
    GATE -->|fail| REJECT["❌ Workflow fails"]

Security Control: Analysis Gate (Checks 1–9b)

Implementation: scripts/agentic/analysis-gate.ts Β· Specification: .github/prompts/05-analysis-gate.md

The analysis gate is a fail-closed structural-integrity control that validates all 23 required analysis artifacts before any article content proceeds to PR review. It operates as Layer 0 of the safe-output pipeline (pre-sanitisation validation).

CheckControlWhat It ValidatesBypass Resistance
1Artifact existenceAll 23 files present and non-emptyTyped filename set; recursive scan; size > 0
2Per-document coverageFamily E vs manifestdok_id regex validation; cross-ref to artifact inventory
3No stub placeholdersRecursive .md scan for known stub phrasesPattern list version-controlled; collectMdFilesRecursive()
4Evidence citationsSWOT + significance scoring contain evidenceEVIDENCE_PATTERN regex; real source IDs required
5Mermaid diagramsColour config + node labels in diagramsMERMAID_NODE_RE matches [], (), {} label shapes
6Pass-2 evidenceMtime or pass1/ snapshot diffPASS2_MTIME_THRESHOLD_MS = 180_000 (3 min)
7Family C structureStrategic extension artifacts well-formedTyped interface validation
8Family D structureElectoral & domain lens artifacts well-formedTyped interface validation
9PIR status sidecarPriority Intelligence Requirements file presentJSON schema check
9bStatskontoret evidenceImplementation-feasibility references StatskontoretRECOGNISED_AGENCIES list (12 entries)

Test coverage: Per-check suites in tests/agentic/gate-checks/, shared-helper suites in tests/agentic/gate-shared/, and orchestrator scenarios in tests/agentic/analysis-gate-integration.test.ts.

Failure mode: If any check fails, the entire workflow run fails β€” no article is generated and no PR is created. This prevents partial or manipulated output from reaching the human-review gate.

Security Control: Methodology-Reflection Validator

Implementation: scripts/validate-methodology-reflection.ts

Validates that each methodology-reflection.md artifact meets the integrity-of-process contract:

ValidationPurpose
Required H2 sections (8)Ensures complete analytical reflection
Minimum byte threshold (scaled by period-scope)Prevents trivial/empty reflections
Confidence labels ([HIGH], [MEDIUM], [LOW])Enforces uncertainty acknowledgement
Upstream-watchpoint reconciliation table (Tier-C)Cross-validates upstream data references

Security Control: Political Classification

All political data (MPs, votes, parties, speeches) is classified under the Hack23 CLASSIFICATION framework:

  • Confidentiality: Public (all source data is from open government APIs)
  • Integrity: HIGH β€” incorrect political intelligence could damage reputations or mislead citizens
  • Availability: HIGH β€” platform is a public accountability tool

Security Control: Horizon Stratification Boundaries

Horizon stratification limits which data classes can inform which forecast band:

Horizon BandPermitted Data SourcesProhibited
T+72h (short-term)Riksdag calendar, vote records, committee schedulesFuture economic projections
T+7d (week-ahead)Parliamentary schedule, government press releasesSpeculative coalition analysis
T+30d (month-ahead)IMF WEO projections, SCB statistics, government proposalsElection-cycle scenarios
T+90d – T+365d (quarter/year)All economic data, trend analysis, historical patternsN/A
T+1460d (election-cycle)Full scenario trees, coalition modellingN/A β€” all sources permitted

Control: The prompt modules in .github/prompts/ encode horizon constraints. The analysis gate validates artifact structure matches the declared article type (from analysis/article-types.json).

Security Control: OSINT Tradecraft Compliance

AI-generated content must comply with OSINT operational standards:

  • Source attribution: Every factual claim traces to a dok_id (Riksdag document ID) or named data source
  • No single-source conclusions: Significance scoring requires multiple evidence citations (Check 4)
  • Confidence labelling: All analytical claims carry [HIGH]/[MEDIUM]/[LOW] confidence markers
  • No speculation without disclosure: Horizon constraints prevent presenting projections as facts

πŸ—οΈ gh-aw Platform Security Architecture (Three-Layer Model)

Reference: gh-aw Architecture Documentation Β· WORKFLOWS.md Β§ gh-aw Security Architecture

Riksdagsmonitor's 14 agentic news workflows execute within GitHub Agentic Workflows (gh-aw) β€” a purpose-built security runtime that enforces defense-in-depth through three independently enforceable trust layers. Each layer operates autonomously: a compromise of one layer does not bypass the protections of subsequent layers.

πŸ”’ Layer 1: Substrate-Level Trust (Infrastructure Isolation)

The gh-aw substrate provides hardware-enforced security boundaries that no agent code can override:

flowchart TD
    subgraph VM["πŸ–₯️ Ephemeral Runner VM"]
        subgraph Container["🐳 Agent Container (chroot)"]
            AGENT["πŸ€– AI Agent Process"]
            FS["πŸ“ Read-only Filesystem"]
        end
        subgraph AWF["🧱 Agent Workflow Firewall"]
            IPTABLES["iptables (REDIRECT β†’ Squid)"]
            SQUID["Squid Proxy (domain allowlist)"]
        end
        subgraph MCPGW["🐳 MCP Gateway"]
            MCP1["riksdag-regering<br/>(HTTP hosted)"]
            MCP2["scb<br/>(node:26-alpine)"]
            MCP3["world-bank<br/>(node:26-alpine)"]
        end
        PROXY["πŸ”Œ API Proxy<br/>(token-scoped)"]
    end

    AGENT -->|"HTTP/HTTPS"| IPTABLES
    IPTABLES -->|"redirect"| SQUID
    SQUID -->|"allowlisted only"| INTERNET["🌐 Internet<br/>(17 domains)"]
    SQUID -->|"non-allowlisted"| DROP["❌ DROP"]
    AGENT -->|"MCP calls"| MCPGW
    AGENT -->|"GitHub API"| PROXY

    style VM fill:#e3f2fd,stroke:#1565c0,stroke-width:2px
    style AWF fill:#1a237e,color:#fff
    style Container fill:#e8f5e9,stroke:#2e7d32
    style DROP fill:#b71c1c,color:#fff
ComponentSecurity FunctionEnforcement Mechanism
πŸ–₯️ Ephemeral Runner VMComplete isolation per workflow run; no state persists between runsGitHub-managed infrastructure; VM destroyed after run completes
🧱 Agent Workflow Firewall (AWF)Network containment β€” all egress filtered through domain allowlistiptables REDIRECT rules route HTTP(S) through Squid proxy; DROP policy for non-matching traffic
🐳 MCP GatewayTool isolation β€” each MCP server runs in a separate Docker container with its own network namespacePer-container: tool allowlisting, network controls, secret injection via environment variables only
πŸ”Œ API ProxyToken scoping β€” GitHub API access limited to declared permissionsToken automatically scoped to workflow-declared permissions: block; no privilege escalation possible

Riksdagsmonitor substrate configuration:

  • 17 allowlisted egress domains (see WORKFLOWS.md Β§ Network egress allow-list)
  • 3 containerised MCP servers (riksdag-regering via HTTP, scb + world-bank in node:26-alpine containers)
  • 5 gh-aw built-in tools (github, agentic-workflows, bash, playwright, repo-memory)
  • Read-only filesystem for the agent process; writes only through SafeOutputs artifact buffer

βš™οΈ Layer 2: Configuration-Level Trust (Compile-Time Enforcement)

Security enforced during gh aw compile before any workflow can execute:

flowchart LR
    MD[".md source<br/>(human-authored)"] -->|"gh aw compile"| VALIDATE

    subgraph VALIDATE["βš™οΈ Compile-Time Security Checks"]
        S1["πŸ“‹ Schema Validation<br/>(structure, permissions, triggers)"]
        S2["πŸ” Expression Safety<br/>(allowlisted patterns only)"]
        S3["πŸ“Œ SHA Pinning<br/>(immutable action refs)"]
        S4["πŸ” Scanner Suite<br/>(actionlint + zizmor + poutine)"]
        S5["πŸ“ Size Cap<br/>(≀ 550 lines per prompt)"]
    end

    VALIDATE -->|"pass"| LOCK[".lock.yml<br/>(hardened, executable)"]
    VALIDATE -->|"fail"| REJECT["❌ Compilation rejected"]

    style VALIDATE fill:#004d40,color:#fff
    style REJECT fill:#b71c1c,color:#fff
ControlWhat It PreventsDetection Method
πŸ“‹ Schema ValidationMalformed workflows, excessive permissions, unsafe trigger patternsJSON Schema validation against gh-aw workflow specification
πŸ” Expression AllowlistingTemplate injection via ${{ }} in shell commandsStatic analysis of all expression usage; only safe patterns permitted
πŸ“Œ Action SHA PinningSupply chain attacks via tag-mutable action referencesAll uses: directives must reference full commit SHA (40 hex chars)
πŸ” Security ScannersKnown workflow anti-patterns, vulnerable configurationsactionlint (syntax + security), zizmor (GitHub-specific), poutine (supply chain)
πŸ“ Prompt Module Size CapPrompt injection via oversized modules; unreviewed contentHard 550-line limit per .github/prompts/*.md file
πŸ”„ Lock File IntegrityManual tampering with compiled workflows.lock.yml regenerated from .md on every compile; manual edits overwritten

Riksdagsmonitor compile-time controls:

  • All 14 agentic workflows compiled via compile-agentic-workflows.yml
  • 100% action SHA pinning across all 54 workflow files
  • Prompt modules capped at 550 lines (enforced in CI)
  • PR-gated: .lock.yml diff reviewed alongside .md source changes

πŸ›‘οΈ Layer 3: Plan-Level Trust (Runtime Execution Controls)

Controls that govern what the AI agent can accomplish during execution:

flowchart TD
    subgraph AGENT_JOB["πŸ€– Agent Job (read-only permissions)"]
        AGENT["AI Agent"] -->|"produces"| ARTIFACTS["πŸ“¦ Buffered Artifacts"]
    end

    subgraph DETECTION["πŸ•΅οΈ Threat Detection Job (separate)"]
        DL["Download artifacts"]
        AI_SCAN["AI security analysis<br/>(secret leaks, malicious patches)"]
        CONTENT["Content sanitisation<br/>(@mention, URI, HTML tags)"]
        SECRETS["Secret redaction scan"]
        DL --> AI_SCAN --> CONTENT --> SECRETS
    end

    subgraph SAFE_OUTPUTS["πŸ“€ Safe Output Jobs"]
        PR_CREATE["create_pull_request"]
        COMMENT["add_comment"]
        ISSUE["create_issue"]
    end

    ARTIFACTS -->|"workflow artifacts"| DL
    SECRETS -->|"PASS verdict"| SAFE_OUTPUTS
    SECRETS -->|"FAIL verdict"| BLOCKED["❌ All outputs blocked"]

    style AGENT_JOB fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px
    style DETECTION fill:#fff3e0,stroke:#e65100,stroke-width:2px
    style SAFE_OUTPUTS fill:#e3f2fd,stroke:#1565c0,stroke-width:2px
    style BLOCKED fill:#b71c1c,color:#fff

πŸ“€ SafeOutputs β€” Permission Separation

PrincipleImplementation
Agent has no write permissionsAgent job's permissions: block is read-only; cannot push commits, create PRs, or modify issues directly
Writes are bufferedAll agent output stored as workflow artifacts (not direct GitHub API calls)
Separate execution contextSafe output jobs (create_pull_request, add_comment, create_issue) run in distinct jobs with write permissions
Threat detection gates outputsDetection job must pass before any safe output job can execute

πŸ•΅οΈ Threat Detection Pipeline

CheckWhat It DetectsAction on Detection
πŸ”‘ Secret leak scanningAPI keys, tokens, credentials in agent outputBlock all safe outputs; redact detected secrets
πŸ› Malicious patch detectionCode changes that introduce vulnerabilities or backdoorsBlock PR creation; alert maintainers
πŸ“œ Policy violationOutput exceeds size limits, contains prohibited content, violates content policyBlock affected outputs
🏷️ @mention neutralisationAgent output containing GitHub @username mentions that could spam usersConvert @user β†’ @​user (zero-width space injection)
πŸ”— URI filteringNon-HTTPS URLs, untrusted domain linksStrip or convert to safe references
🏷️ Bot trigger protectionContent that could trigger other bots/automations (e.g., /deploy, @dependabot merge)Neutralise command patterns

πŸ”’ Integrity Filtering

Controls which existing GitHub content the agent can read, based on trust level:

Trust LevelContent AccessExample
Merged (highest)Full accessMerged PR content, main branch files
ApprovedRead accessApproved but unmerged PR content
UnapprovedRestrictedPending PR content β€” limited context
NoneBlockedExternal/unknown source content

πŸ”‘ Secret Redaction

Pre-upload scanning of the /tmp/gh-aw working directory:

  • Automatic detection of known secret patterns (API keys, tokens, passwords)
  • Partial visibility format: first 3 characters + *** (e.g., ghp***)
  • Scanning occurs before artifact upload β€” secrets never reach artifact storage
  • Applied to all 14 agentic workflow runs automatically

πŸ“Š gh-aw + Riksdagsmonitor Combined Security Posture

The following table maps how gh-aw's three-layer model integrates with Riksdagsmonitor's own security controls to create a comprehensive defense:

gh-aw Layergh-aw ControlRiksdagsmonitor ExtensionCombined Effect
πŸ”’ L1 SubstrateAWF egress firewall17-domain allowlist (political data sources only)Agent cannot exfiltrate data to arbitrary hosts
πŸ”’ L1 SubstrateMCP container isolation3 containerised servers (scb, world-bank, riksdag)Tool compromise contained to single container
βš™οΈ L2 ConfigSchema validationcompile-agentic-workflows.yml CI gateInvalid workflows cannot reach main branch
βš™οΈ L2 ConfigSHA pinning100% pinning + Dependabot version updatesNo supply chain tag-swap attacks possible
πŸ›‘οΈ L3 PlanSafeOutputsFive-layer output validator (checks 1–9b + methodology reflection)AI output structurally validated before PR creation
πŸ›‘οΈ L3 PlanThreat detectionAnalysis gate + OSINT tradecraft complianceDomain-specific validation beyond generic security
πŸ›‘οΈ L3 PlanContent sanitisationrehype-sanitize + Mermaid strict mode + URI filteringNo XSS, no script injection, no malicious links
πŸ›‘οΈ L3 PlanSecret redactionAutomatic pre-upload scanNo credentials leaked in analysis artifacts or articles

πŸ” Five-Layer Safe-Output Security Model (Detailed)

Cross-reference: THREAT_MODEL.md Β§TB-PI series Β· .github/workflows/README.md Β· gh-aw Architecture

The five-layer model governs all 14 agentic news workflows. Each layer is independent β€” a bypass of one layer does not compromise the subsequent layers. This model extends gh-aw's Layer 3 (Plan-Level Trust) with domain-specific political intelligence validation.

flowchart TD
    AGENT["AI Agent Output"] --> L1["Layer 1: Sanitisation<br/>(rehype-sanitize allow-list)"]
    L1 --> L2["Layer 2: Schema Validation<br/>(artifact structure + YAML front-matter)"]
    L2 --> L3["Layer 3: Policy Check<br/>(analysis gate checks 1–9b)"]
    L3 --> L4["Layer 4: Human Review<br/>(mandatory PR approval)"]
    L4 --> L5["Layer 5: Merge & Deploy<br/>(branch protection rules)"]
    L1 -->|"blocks <script>, <iframe>, handlers"| FAIL["❌ Rejected"]
    L2 -->|"missing fields / malformed YAML"| FAIL
    L3 -->|"gate check failure"| FAIL
    L4 -->|"reviewer rejects"| FAIL
LayerControlBypass ResistanceFailure Mode
1. Sanitisationrehype-sanitize allow-list blocks <script>, <iframe>, inline event handlers, javascript: URIsAllow-list approach (not deny-list); Mermaid rendered in securityLevel: 'strict'Malicious HTML stripped silently
2. Schema ValidationYAML front-matter schema; artifact file structure; 23-file completenessTyped TypeScript validators; JSON schemaWorkflow fails with validation error
3. Policy CheckAnalysis gate (checks 1–9b); methodology-reflection validatorFail-closed; 88 unit tests; no partial passWorkflow fails β€” no PR created
4. Human ReviewMandatory PR approval by repository maintainerBranch protection rule; CODEOWNERS; cannot self-approvePR blocked until approved
5. Merge & DeploySigned commits; CI must pass; deploy via OIDC (no stored creds)GitHub branch protection; SLSA provenanceMerge blocked if CI fails

Egress Firewall (Squid + iptables)

All agentic workflows execute behind a Squid proxy with domain allow-list enforcement and iptables rules that DROP all non-allowlisted outbound connections:

  • Allowlisted domains: riksdagen.se, www.riksdagen.se, data.riksdagen.se, regeringen.se, www.regeringen.se, riksdag-regering-ai.onrender.com, api.scb.se, api.worldbank.org, www.imf.org, api.imf.org, data.imf.org, github.com, raw.githubusercontent.com, hack23.github.io, hack23.com, www.hack23.com, riksdagsmonitor.com
  • Effect: Tool-call exfiltration attempts are blocked at the network layer β€” the agent cannot reach arbitrary external hosts
  • Monitoring: Squid access logs + step-security/harden-runner egress audit

MCP Server Token Scoping

MCP ServerAuthenticationScope
riksdag-regeringHTTPS (anonymous public API)Read-only parliamentary data
scbContainer-isolated; anonymousRead-only statistics
world-bankContainer-isolated; anonymousRead-only indicators
githubPAT (scoped to repository)Repo read + PR write
filesystemLocal (no network)Working directory only
memoryLocal (no network)Session-scoped KV store
sequential-thinkingLocal (no network)No external access
playwrightLocal (headless)No navigation outside allowlist

Prompt Injection Mitigation Controls

Attack VectorMitigationEffectiveness
Indirect injection via Riksdag document titlesMCP returns structured JSON (not raw HTML); titles are data fields, not executable promptsHIGH β€” structured data pipeline
Poisoned methodology fileVersion-controlled in Git; PR-reviewed; immutable once mergedHIGH β€” Git integrity
Template manipulationTemplates in analysis/templates/ are PR-reviewed; changes require CEO approval per Change ManagementHIGH β€” change control
Cross-session data leakageEach workflow run is stateless; repo-memory branch is append-only and reviewedMEDIUM β€” review-dependent
Model hallucination as injection vectorAnalysis gate checks evidence citations; mandatory dok_id validationHIGH β€” structural validation

🌐 External Data Provider Trust Model (Consolidated)

ProviderTransportAuthSchema ValidationCache IntegrityTamper DetectionTrust Level
IMF (Datamapper + SDMX)HTTPS/TLS 1.3AnonymousDatamapperResponse shape + finite-numeric + year parse-guardanalysis/data/imf/{indicator}/{country}.json.meta.json sidecars (vintage, timestamp, hash)PUBLIC / Read-only
SCB (MCP container)HTTPS to api.scb.seAnonymousPxWeb JSON-stat2 schemaanalysis/data/scb/{tableId}.json.meta.json sidecarsPUBLIC / Read-only
World Bank (MCP container)HTTPS to api.worldbank.orgAnonymousJSON response schemaanalysis/data/worldbank/{indicator}/{country}.json.meta.json sidecarsPUBLIC / Read-only
Riksdag APIHTTPS to data.riksdagen.seAnonymousXML/JSON schema (dok_id format)N/A (live API)dok_id cross-validationPUBLIC / Read-only
RiksbankHTTPSAnonymousCSV/JSON schemaanalysis/data/riksbank/.meta.json sidecarsPUBLIC / Read-only
StatskontoretHTTPS to www.statskontoret.seAnonymousHTML/XLSX structure checksanalysis/data/statskontoret/.meta.json sidecarsPUBLIC / Read-only
RiksrevisionenHTTPSAnonymousReport structure validationanalysis/data/rir/.meta.json sidecarsPUBLIC / Read-only

Common controls across all providers:

  • TLS/HTTPS only (no plaintext)
  • Read-only data flow (inbound only; no credentials transmitted)
  • Git-tracked diffs on all cached data (PR review required for changes)
  • Graceful fallback to cached snapshots on upstream outage
  • No PII in any upstream data source

πŸ”— Hack23 Ecosystem

🌐 Platforms πŸ“¦ Open-Source Projects πŸ›‘οΈ Governance & Standards
πŸ—³οΈ Riksdagsmonitor β€” Swedish Parliament intelligence
πŸ‡ͺπŸ‡Ί EU Parliament Monitor β€” European coverage
πŸ•΅οΈ Citizen Intelligence Agency β€” political-data engine
🌐 Hack23 AB β€” corporate site
πŸ“° Hack23 Blog β€” engineering & policy
πŸ’Ό Hack23 on LinkedIn
πŸ—³οΈ Hack23/riksdagsmonitor
πŸ•΅οΈ Hack23/cia
πŸ‡ͺπŸ‡Ί Hack23/euparliamentmonitor
πŸ”Œ Hack23/european-parliament-mcp
βœ… Hack23/cia-compliance-manager
πŸ₯‹ Hack23/black-trigram
🏠 Hack23/homepage
πŸ›‘οΈ Hack23 ISMS-PUBLIC β€” public ISMS
πŸ”’ Information Security Policy
πŸ€– AI Policy
πŸ§ͺ Secure Development Policy
🎯 Threat Modeling Policy
⚠️ Vulnerability Management
🏷️ Classification Framework

OpenSSF Best Practices OpenSSF Scorecard ISO 27001:2022 NIST CSF 2.0 CIS Controls v8.1 Apache 2.0

πŸ—³οΈ Empower citizens Β· πŸ” Strengthen democratic accountability Β· πŸ•΅οΈ Illuminate the political process

Β© 2008–2026 Hack23 AB (Org.nr 559534-7807) Β· Maintainer: James Pether SΓΆrling, CISSP CISM