LowFile-scopeScala Plug & play

Pin FIPS-grade crypto deps and produce SBOM

Pin cryptography libraries to vetted versions (e.g., BouncyCastle FIPS) and generate a CycloneDX SBOM as part of the build. Reject PRs introducing floating or insecure versions. (PCI DSS 4.0 Req. 6 & supply chain)

Add to Mesrai Open workspace

Why this matters

Pinned, auditable dependencies reduce the chance of weak crypto or supply chain attacks.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

// build.sbt — ❌ floating/insecure
libraryDependencies += "org.bouncycastle" % "bcpkix-jdk15on" % "+"

Prefer

// build.sbt — ✅ pinned and FIPS-capable
libraryDependencies ++= Seq(
 "org.bouncycastle" % "bc-fips" % "1.0.2.4",
 "org.cyclonedx" %% "cyclonedx-core-java" % "9.0.4"
)
ThisBuild / versionScheme := Some("strict")

More snippets

Bad

%% "bcpkix-jdk15on" % "latest.integration"

Good

% "bc-fips" % "1.0.2.4"

Related rules

From the same buckets as this rule.

Critical
Disallow CVV/CVC persistence anywhere
Never store CVV/CVC or other SAD after authorization in databases, caches, files, or telemetry. Schema/models must not define fields for CVV/CVC; reject writes containing cvv/cvc keys. (PCI DSS 4.0 Req. 3.2.1)
compliance-pci-dsssecurity-hardening+1
Critical
Mask PAN and exclude SAD from logs
Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 and fully redact SAD before logging.
compliance-pci-dssobservability-logging+1
High
Block real PAN/SAD in fixtures and test data
Reject PRs adding real PAN/CVV in fixtures, seeds, or mocks. Only use Luhn-valid test PANs from the gateway or opaque tokens (e.g., tok_) and never include CVV. Add a check to fail if a PAN regex is matched. (PCI DSS data minimization)
compliance-pci-dsstesting-quality+1

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

// build.sbt — ❌ floating/insecure
libraryDependencies += "org.bouncycastle" % "bcpkix-jdk15on" % "+"

Prefer

// build.sbt — ✅ pinned and FIPS-capable
libraryDependencies ++= Seq(
 "org.bouncycastle" % "bc-fips" % "1.0.2.4",
 "org.cyclonedx" %% "cyclonedx-core-java" % "9.0.4"
)
ThisBuild / versionScheme := Some("strict")

More snippets

Bad

%% "bcpkix-jdk15on" % "latest.integration"

Good

% "bc-fips" % "1.0.2.4"

Related rules

From the same buckets as this rule.

Critical

Disallow CVV/CVC persistence anywhere

Never store CVV/CVC or other SAD after authorization in databases, caches, files, or telemetry. Schema/models must not define fields for CVV/CVC; reject writes containing cvv/cvc keys. (PCI DSS 4.0 Req. 3.2.1)

compliance-pci-dsssecurity-hardening+1

Critical

Mask PAN and exclude SAD from logs

Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 and fully redact SAD before logging.

compliance-pci-dssobservability-logging+1

High

Block real PAN/SAD in fixtures and test data

Reject PRs adding real PAN/CVV in fixtures, seeds, or mocks. Only use Luhn-valid test PANs from the gateway or opaque tokens (e.g., tok_) and never include CVV. Add a check to fail if a PAN regex is matched. (PCI DSS data minimization)

compliance-pci-dsstesting-quality+1