HighPR-scope

Validate new/updated dependencies for CVEs and supply-chain risk

When a PR changes dependency manifests (e.g., package.json, yarn.lock, requirements.txt, composer.json), check for known vulnerabilities and risky packages. - If an OSV/SCA MCP is available: query it for the new package versions and flag recent CVEs. - Otherwise: require evidence (audit output, advisory links) in the PR description. Also flag suspicious packages (typosquats, low-maintenance critical libs, unexpected transitive jumps) and require lockfile updates.

Add to Mesrai Open workspace

Why this matters

Prevents supply-chain attacks and avoids introducing known-vulnerable versions.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

Adds new package with no vetting; lockfile not updated.

Prefer

Adds package X pinned; OSV check clean; lockfile updated; rationale included.

More snippets

Bad

package.json changed, no audit/SCA evidence

Good

OSV/SCA result + pinned versions + updated lockfile

Related rules

From the same buckets as this rule.

Critical
Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys
Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.
compliance-hipaasecurity-hardening+2
High
De-identify analytics and block PHI egress to third parties
Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.
compliance-hipaaprivacy-pii+2
High
Disallow per-package registries and proxies
Registry configuration (e.g., .npmrc, .yarnrc.yml) must live at the monorepo root. Forbid .npmrc files inside workspace packages overriding registry auth or URL.
monorepo-hygienedependency-supply-chain+1

Validate new/updated dependencies for CVEs and supply-chain risk

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

Adds new package with no vetting; lockfile not updated.

Prefer

Adds package X pinned; OSV check clean; lockfile updated; rationale included.

More snippets

Bad

package.json changed, no audit/SCA evidence

Good

OSV/SCA result + pinned versions + updated lockfile

Related rules

From the same buckets as this rule.

Critical

Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys

Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.

compliance-hipaasecurity-hardening+2

High

De-identify analytics and block PHI egress to third parties

Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.

compliance-hipaaprivacy-pii+2

High

Disallow per-package registries and proxies

Registry configuration (e.g., .npmrc, .yarnrc.yml) must live at the monorepo root. Forbid .npmrc files inside workspace packages overriding registry auth or URL.

monorepo-hygienedependency-supply-chain+1