@bernierllc/validators-compliance

v1.2.0

Compliance validation - security validation (secrets, headers, crypto) for regulated industries

Downloads

99

Readme

@bernierllc/validators-compliance

Security compliance validation for regulated industries - composite validator combining secret detection, header policies, and cryptographic parameter validation.

Installation

npm install @bernierllc/validators-compliance

Overview

A composite domain validator that orchestrates multiple primitive validators to provide comprehensive security compliance validation:

  • Secret Pattern Detection - Detects hardcoded secrets, API keys, passwords, and sensitive data
  • HTTP Header Policy - Validates security headers (CSP, HSTS, X-Frame-Options, etc.)
  • Cryptographic Parameters - Validates encryption algorithms, key sizes, and crypto configurations

Designed for regulated industries requiring GDPR, HIPAA, SOX, and other compliance standards.

Usage

Basic Validation

import { validateCompliance } from '@bernierllc/validators-compliance';
import { createSharedUtils } from '@bernierllc/validators-utils';

const utils = createSharedUtils();

const content = {
  files: [
    {
      path: 'src/config.ts',
      content: `
        const apiKey = "sk-1234567890abcdef";
        const password = "admin123";
      `,
      language: 'typescript'
    }
  ],
  headers: {
    'content-security-policy': "default-src 'self'",
    'x-frame-options': 'DENY',
  },
  config: {
    encryption: {
      algorithm: 'aes-256-gcm',
      keySize: 256,
    },
  },
};

const result = await validateCompliance(content, {}, utils);

if (result.problems.length === 0) {
  console.log('Content is compliant!');
} else {
  console.log('Compliance issues found:');
  result.problems.forEach(problem => {
    console.log(`  - ${problem.message} [${problem.severity}]`);
  });
}

Configured Validator

import { createComplianceValidator } from '@bernierllc/validators-compliance';
import { createSharedUtils } from '@bernierllc/validators-utils';

const utils = createSharedUtils();

// Create validator with specific configuration
const validator = createComplianceValidator({
  security: {
    detectSecrets: true,      // Enable secret detection
    validateHeaders: true,     // Enable header validation
    validateCrypto: true,      // Enable crypto validation
  },
});

// Get validator metadata
const meta = validator.getMeta();
console.log(`Validator: ${meta.name}`);
console.log(`Enabled rules: ${meta.enabledRules.join(', ')}`);

// Validate content
const content = {
  files: [
    { path: 'src/app.ts', content: 'const x = 1;' }
  ],
};

const result = await validator.validate(content, utils);

Selective Validation

// Reuses `content` and `utils` from the Basic Validation example above.
// Only validate secrets and headers, skip crypto
const result = await validateCompliance(content, {
  security: {
    detectSecrets: true,
    validateHeaders: true,
    validateCrypto: false,    // Disabled
  },
}, utils);

API

validateCompliance(content, options?, utils?)

Validates compliance content against configured rules.

Parameters:

  • content: ComplianceContent - Content to validate
    • files?: Array<{ path: string; content: string; language?: string }> - Source files to validate
    • headers?: Record<string, string> - HTTP headers to validate
    • config?: Record<string, unknown> - Configuration object to validate
    • urls?: string[] - URLs to validate (future use)
    • html?: string - HTML content to validate (future use)
  • options?: ComplianceValidationOptions - Validation options
    • severity?: 'error' | 'warn' | 'info' - Severity level for issues
    • security? - Security validation options
      • detectSecrets?: boolean - Enable secret detection (default: true)
      • validateHeaders?: boolean - Enable header validation (default: true)
      • validateCrypto?: boolean - Enable crypto validation (default: true)
    • privacy? - Privacy validation options (planned)
    • accessibility? - Accessibility validation options (planned)
    • license? - License validation options (planned)
  • utils?: SharedUtils - Shared validation utilities

Returns: Promise<ValidationResult>

  • problems: Problem[] - Array of validation issues found
  • stats - Validation statistics
    • targets: number - Number of targets validated
    • durationMs: number - Validation duration in milliseconds
    • rulesApplied: string[] - Rules that were applied
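
A result with no problems says nothing about rules that were switched off or input that was never supplied, so a CI gate should read stats as well as problems. The sketch below is an added example, not code from the package: evaluateGate is a hypothetical helper, the sample results are constructed, and it assumes stats.rulesApplied carries the rule IDs listed under Compliance Rules.

```javascript
// Added example. Assumption: stats.rulesApplied holds the rule IDs listed
// under "Compliance Rules"; evaluateGate is a hypothetical helper.
const REQUIRED_RULES = [
  'compliance/security/secret-patterns',
  'compliance/security/header-policy',
  'compliance/security/crypto-parameters',
];
const SEVERITY_RANK = { info: 0, warn: 1, error: 2 };

function evaluateGate(result, { failOn = 'error', requiredRules = REQUIRED_RULES } = {}) {
  if (!Object.hasOwn(SEVERITY_RANK, failOn)) throw new Error(`unknown severity: ${failOn}`);
  const problems = Array.isArray(result?.problems) ? result.problems : [];
  const stats = result?.stats ?? {};
  const applied = new Set(stats.rulesApplied ?? []);
  const reasons = [];

  // An empty problems array proves nothing if a rule was switched off.
  const missingRules = requiredRules.filter((id) => !applied.has(id));
  if (missingRules.length > 0) reasons.push(`rules not applied: ${missingRules.join(', ')}`);
  // Zero targets means no input was inspected at all.
  if (!(stats.targets > 0)) reasons.push('no targets were validated');

  const counts = { error: 0, warn: 0, info: 0 };
  let blocking = 0;
  for (const p of problems) {
    // Unknown severities count as errors so a malformed finding cannot slip through.
    const sev = Object.hasOwn(SEVERITY_RANK, p?.severity) ? p.severity : 'error';
    counts[sev] += 1;
    if (SEVERITY_RANK[sev] >= SEVERITY_RANK[failOn]) blocking += 1;
  }
  if (blocking > 0) reasons.push(`${blocking} problem(s) at or above '${failOn}'`);
  return { pass: reasons.length === 0, counts, missingRules, reasons };
}

// Constructed sample results shaped like the documented ValidationResult.
const cryptoDisabled = {
  problems: [],
  stats: { targets: 1, durationMs: 2, rulesApplied: REQUIRED_RULES.slice(0, 2) },
};
const warnOnly = {
  problems: [{ message: 'constructed sample finding', severity: 'warn' }],
  stats: { targets: 2, durationMs: 4, rulesApplied: [...REQUIRED_RULES] },
};
console.log(evaluateGate(cryptoDisabled).reasons, evaluateGate(warnOnly, { failOn: 'warn' }).reasons);
```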

createComplianceValidator(options?)

Creates a configured compliance validator instance.

Parameters:

  • options?: ComplianceValidationOptions - Validator configuration

Returns: Validator instance with:

  • validate(content, utils?) - Validate method
  • getMeta() - Get validator metadata

Compliance Rules

Security Rules

compliance/security/secret-patterns

Detects hardcoded secrets and sensitive data:

  • API keys (OpenAI, AWS, Stripe, etc.)
  • Private keys (RSA, SSH, TLS)
  • Passwords and credentials
  • JWT tokens
  • Database connection strings
  • High entropy strings

compliance/security/header-policy

Validates HTTP security headers:

  • Content-Security-Policy
  • Strict-Transport-Security
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy
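
To show what a policy over these six headers has to decide (presence, case-insensitive names, and weak values), here is an added illustration that is not the implementation of @bernierllc/validators-header-policy. The checkHeaders function, the one-year HSTS threshold and the problem messages are assumptions, and the second sample is constructed.

```javascript
// Added illustration; the threshold and messages are assumptions, not the
// behaviour of @bernierllc/validators-header-policy.
const MIN_HSTS_MAX_AGE = 31536000; // one year in seconds (assumed policy)

// Per-header value checks: return a problem string, or null when acceptable.
const HEADER_CHECKS = {
  'content-security-policy': (v) =>
    (/'unsafe-(inline|eval)'/i.test(v) ? "allows 'unsafe-inline' or 'unsafe-eval'" : null),
  'strict-transport-security': (v) => {
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)/i.exec(v);
    if (!m) return 'max-age directive missing';
    return Number(m[1]) < MIN_HSTS_MAX_AGE ? `max-age ${m[1]} is below ${MIN_HSTS_MAX_AGE}` : null;
  },
  'x-frame-options': (v) => (/^(deny|sameorigin)$/i.test(v) ? null : 'expected DENY or SAMEORIGIN'),
  'x-content-type-options': (v) => (v.toLowerCase() === 'nosniff' ? null : 'expected nosniff'),
  'referrer-policy': (v) => (/\bunsafe-url\b/i.test(v) ? 'unsafe-url sends full URLs cross-origin' : null),
  'permissions-policy': () => null, // presence only in this sketch
};

function checkHeaders(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const seen = new Map(Object.entries(headers ?? {}).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const findings = [];
  for (const [name, check] of Object.entries(HEADER_CHECKS)) {
    const problem = seen.has(name) ? check(seen.get(name)) : 'missing';
    if (problem) findings.push({ header: name, problem });
  }
  return findings;
}

// The headers from the Basic Validation snippet: four of the six are absent.
const basicExample = { 'content-security-policy': "default-src 'self'", 'x-frame-options': 'DENY' };
// Constructed sample: all six present, two with weak values.
const weakValues = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'sameorigin',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'no-referrer',
  'Permissions-Policy': 'geolocation=()',
};
console.log(checkHeaders(basicExample), checkHeaders(weakValues));
```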

compliance/security/crypto-parameters

Validates cryptographic configurations:

  • Encryption algorithms (AES-256, RSA-2048+)
  • Key sizes and strength
  • Hashing algorithms (SHA-256+)
  • TLS/SSL configurations

Configuration

Default Options

const DEFAULT_OPTIONS = {
  severity: 'error',
  security: {
    detectSecrets: true,
    validateHeaders: true,
    validateCrypto: true,
  },
  privacy: {
    validateTracking: true,  // Planned
  },
  accessibility: {           // Planned
    validateNameRole: true,
    validateContrast: true,
    validateFocusOrder: true,
  },
  license: {                 // Planned
    validateHeaders: true,
  },
};

Composed Validators

This package composes the following primitive validators:

  • @bernierllc/validators-secret-patterns - Secret detection
  • @bernierllc/validators-header-policy - HTTP header validation
  • @bernierllc/validators-crypto-parameters - Cryptographic validation

Future Enhancements

Planned additions:

  • Privacy validation (tracking parameters, PII detection)
  • Accessibility validation (WCAG compliance)
  • License validation (header presence, SPDX identifiers)

Integration Status

  • Logger integration: not-applicable - Pure validation package with no runtime logging needs. Validators return structured Problem objects for consumers to log.
  • Docs-Suite: ready - Complete markdown documentation with API reference and examples
  • NeverHub integration: not-applicable - Stateless validator with no service discovery or event bus requirements. Validators are pure functions called synchronously.

License

Copyright (c) 2025 Bernier LLC. All rights reserved.
