From 05fc612be644b5f484ecc1c50df12616c7e3a958 Mon Sep 17 00:00:00 2001
From: uday Korlimarla <222185270+udayk-port@users.noreply.github.com>
Date: Fri, 5 Sep 2025 16:28:10 +1000
Subject: [PATCH 1/4] guides/PCI-DSS-Scorecard-Template
---
.../all/setup-pci-dss-code-compliance.md | 695 ++++++++++++++++++
1 file changed, 695 insertions(+)
create mode 100644 docs/guides/all/setup-pci-dss-code-compliance.md
diff --git a/docs/guides/all/setup-pci-dss-code-compliance.md b/docs/guides/all/setup-pci-dss-code-compliance.md
new file mode 100644
index 0000000000..e5a4912ebd
--- /dev/null
+++ b/docs/guides/all/setup-pci-dss-code-compliance.md
@@ -0,0 +1,695 @@
+---
+displayed_sidebar: null
+description: PCI DSS Code security scorecard
+---
+
+# PCI DSS Code Security Scorecard
+
+The **PCI DSS Code Security Scorecard** is designed to continuously track compliance with PCI DSS requirements by leveraging code scans and vulnerability data.
+It helps teams enforce secure coding practices, identify weaknesses early, and measure progress towards PCI compliance maturity.
+
+This scorecard evaluates repositories and services based on:
+- Scan recency
+- Severity of open vulnerabilities
+- Cryptographic hygiene
+- Exposure of public-facing assets
+- Secure dependency management
+
+# Dependencies
+- Depends on [OWASP Top 10 Scorecard](/guides/all/owasp-top-10-scorecard) to make use of some of the aggregation properties generated previously
+
+By organizing into levels, all teams can progressively improve security posture and demonstrate compliance readiness.
+
+---
+
+## Scorecard
+
+- Scorecard requires making use of new properties on Snyk Target that are described in the next section "New Properties".
+- Scorecard was created on Repository Blueprint with all the mirrored properties from Snyk Target.
+
+
+PCI DSS Scorecard (Click to expand)
+
+```json showLineNumbers
+{
+ "identifier": "pci_dss_code_security",
+ "title": "PCI DSS Code Security",
+ "rules": [
+ {
+ "identifier": "sast_recent",
+ "level": "Bronze",
+ "query": {
+ "combinator": "and",
+ "conditions": [
+ {
+ "operator": "<=",
+ "property": "sast_last_scan_days",
+ "value": 30
+ }
+ ]
+ },
+ "description": "PCI 6.3.1—continuous vulnerability identification",
+ "title": "Detected ≤ 30 days ago"
+ },
+ {
+ "identifier": "open_critical_thresh",
+ "level": "Bronze",
+ "query": {
+ "combinator": "and",
+ "conditions": [
+ {
+ "operator": "=",
+ "property": "open_critical",
+ "value": 0
+ }
+ ]
+ },
+ "description": "No Critical SAST findings",
+ "title": "Open Critical Threshold"
+ },
+ {
+ "identifier": "class_no_inj_auth",
+ "level": "Silver",
+ "query": {
+ "combinator": "and",
+ "conditions": [
+ {
+ "operator": "=",
+ "property": "a3_injection",
+ "value": 0
+ },
+ {
+ "operator": "=",
+ "property": "a1_access_control_flaws",
+ "value": 0
+ }
+ ]
+ },
+ "description": "Injection, AuthN AuthZ, Hardcoded secrets",
+ "title": "Class Absence - Injection, Auth"
+ },
+ {
+ "identifier": "hardcoded_secrets",
+ "level": "Silver",
+ "query": {
+ "combinator": "and",
+ "conditions": [
+ {
+ "operator": "=",
+ "property": "hardcoded_secrets",
+ "value": 0
+ }
+ ]
+ },
+ "description": "No leaked/open secrets",
+ "title": "Hardcoded Secrets"
+ },
+ {
+ "identifier": "insecure_crypto",
+ "level": "Gold",
+ "query": {
+ "combinator": "and",
+ "conditions": [
+ {
+ "operator": "=",
+ "property": "a2_cryptographic_failures",
+ "value": 0
+ }
+ ]
+ },
+ "description": "No insecure crypto",
+ "title": "Insecure Crypto"
+ },
+ {
+ "identifier": "asv_pass_parity",
+ "level": "Gold",
+ "query": {
+ "combinator": "and",
+ "conditions": [
+ {
+ "operator": "=",
+ "property": "max_risk_score_replacing_asv",
+ "value": 400
+ }
+ ]
+ },
+ "description": "ASV pass/fail parity for public-facing assets.",
+ "title": "ASV Pass Parity"
+ },
+ {
+ "identifier": "max_risk_score",
+ "level": "Platinum",
+ "query": {
+ "combinator": "and",
+ "conditions": [
+ {
+ "operator": "containsAny",
+ "property": "$team",
+ "value": [
+ "example_team"
+ ]
+ }
+ ]
+ },
+ "description": "Max Risk Score (Alternate to CVSS Scoring)",
+ "title": "Max Risk Score"
+ },
+ {
+ "identifier": "no_high_open_source",
+ "level": "Platinum",
+ "query": {
+ "combinator": "and",
+ "conditions": [
+ {
+ "operator": "=",
+ "property": "open_sca_high",
+ "value": 0
+ }
+ ]
+ },
+ "description": "No High ",
+ "title": "No High Open Source"
+ },
+ {
+ "identifier": "no_high_code_issues",
+ "level": "Platinum",
+ "query": {
+ "combinator": "and",
+ "conditions": [
+ {
+ "operator": "=",
+ "property": "open_sast_high",
+ "value": 0
+ }
+ ]
+ },
+ "description": "No High Open Source",
+ "title": "No High Code Issues"
+ }
+ ],
+ "levels": [
+ {
+ "color": "paleBlue",
+ "title": "Basic"
+ },
+ {
+ "color": "bronze",
+ "title": "Bronze"
+ },
+ {
+ "color": "silver",
+ "title": "Silver"
+ },
+ {
+ "color": "gold",
+ "title": "Gold"
+ },
+ {
+ "color": "lime",
+ "title": "Platinum"
+ }
+ ]
+}
+```
+
+
+
+## New Properties
+
+New properties have been created on Snyk Target Blueprint and then shown as mirrored properties on Repository blueprint. This can be attached to a service blueprint as well or as deemed appropriate to where the
+
+
+PCI DSS Scorecard (Click to expand)
+
+```json showLineNumbers
+ "hardcoded_secrets": {
+ "title": "hardcoded_secrets",
+ "icon": "Bug",
+ "type": "number",
+ "target": "snykVulnerability",
+ "query": {
+ "combinator": "and",
+ "rules": [
+ {
+ "property": "category",
+ "operator": "in",
+ "value": [
+ "CWE-798",
+ "CWE-259",
+ "CWE-321",
+ "CWE-547",
+ "CWE-260"
+ ]
+ }
+ ]
+ },
+ "calculationSpec": {
+ "func": "count",
+ "calculationBy": "entities"
+ }
+ },
+```
+
+
+
+ASV Pass parity (Click to expand)
+```json showLineNumbers
+ "asv_pass_parity": {
+ "title": "ASV Pass Parity",
+ "icon": "Bug",
+ "type": "number",
+ "description": "Risk Scoring",
+ "target": "snykVulnerability",
+ "query": {
+ "combinator": "and",
+ "rules": [
+ {
+ "property": "type",
+ "operator": "=",
+ "value": "package_vulnerability"
+ },
+ {
+ "property": "status",
+ "operator": "=",
+ "value": "open"
+ },
+ {
+ "property": "score",
+ "operator": ">=",
+ "value": 500
+ }
+ ]
+ },
+ "calculationSpec": {
+ "func": "count",
+ "calculationBy": "entities"
+ },
+ "pathFilter": [
+ {
+ "fromBlueprint": "snykVulnerability",
+ "path": [
+ "project",
+ "snyk_target"
+ ]
+ }
+ ]
+ },
+```
+
+
+
+Maximum Risk Score aggregation(Click to expand)
+```json showLineNumbers
+ "max_risk_score": {
+ "title": "Max risk score",
+ "icon": "Bug",
+ "type": "number",
+ "description": "Alternate to ASV Pass Parity CVSS > 4",
+ "target": "snykVulnerability",
+ "query": {
+ "combinator": "and",
+ "rules": [
+ {
+ "property": "type",
+ "operator": "=",
+ "value": "package_vulnerability"
+ },
+ {
+ "property": "status",
+ "operator": "=",
+ "value": "open"
+ }
+ ]
+ },
+ "calculationSpec": {
+ "func": "max",
+ "property": "score",
+ "calculationBy": "property"
+ },
+ "pathFilter": [
+ {
+ "fromBlueprint": "snykVulnerability",
+ "path": [
+ "project",
+ "snyk_target"
+ ]
+ }
+ ]
+ },
+```
+
+
+
+
+Critical severity package vulnerabilities(Click to expand)
+```json showLineNumbers
+ "open_sca_critical": {
+ "title": "Open SCA Critical",
+ "icon": "Bug",
+ "type": "number",
+ "target": "snykVulnerability",
+ "query": {
+ "combinator": "and",
+ "rules": [
+ {
+ "property": "type",
+ "operator": "=",
+ "value": "package_vulnerability"
+ },
+ {
+ "property": "status",
+ "operator": "=",
+ "value": "open"
+ },
+ {
+ "property": "severity",
+ "operator": "=",
+ "value": "critical"
+ }
+ ]
+ },
+ "calculationSpec": {
+ "func": "count",
+ "calculationBy": "entities"
+ },
+ "pathFilter": [
+ {
+ "fromBlueprint": "snykVulnerability",
+ "path": [
+ "project",
+ "snyk_target"
+ ]
+ }
+ ]
+ },
+```
+
+
+
+High severity package vulnerabilities(Click to expand)
+ "open_sca_high": {
+ "title": "Open SCA High",
+ "icon": "Bug",
+ "type": "number",
+ "target": "snykVulnerability",
+ "query": {
+ "combinator": "and",
+ "rules": [
+ {
+ "property": "severity",
+ "operator": "=",
+ "value": "high"
+ },
+ {
+ "property": "status",
+ "operator": "=",
+ "value": "open"
+ },
+ {
+ "property": "type",
+ "operator": "=",
+ "value": "package_vulnerability"
+ }
+ ]
+ },
+ "calculationSpec": {
+ "func": "count",
+ "calculationBy": "entities"
+ },
+ "pathFilter": [
+ {
+ "fromBlueprint": "snykVulnerability",
+ "path": [
+ "project",
+ "snyk_target"
+ ]
+ }
+ ]
+ },
+```
+
+
+
+High severity code vulnerabilities(Click to expand)
+ "open_sast_high": {
+ "title": "Open SAST High",
+ "icon": "Bug",
+ "type": "number",
+ "target": "snykVulnerability",
+ "query": {
+ "combinator": "and",
+ "rules": [
+ {
+ "property": "status",
+ "operator": "=",
+ "value": "open"
+ },
+ {
+ "property": "type",
+ "operator": "=",
+ "value": "code"
+ },
+ {
+ "property": "severity",
+ "operator": "=",
+ "value": "high"
+ }
+ ]
+ },
+ "calculationSpec": {
+ "func": "count",
+ "calculationBy": "entities"
+ },
+ "pathFilter": [
+ {
+ "fromBlueprint": "snykVulnerability",
+ "path": [
+ "project",
+ "snyk_target"
+ ]
+ }
+ ]
+ }
+```
+
+
+## Scorecard Levels
+
+The scorecard uses **five maturity levels**, with each level building on the rules from the previous one.
+
+| Level | Description |
+|------------|---------------------------------------------------------------------------------------------|
+| **Basic** | Default level. Indicates that the entity is in PCI scope but has not yet met Bronze criteria. |
+| **Bronze** | Ensures regular scanning and that no critical vulnerabilities remain open. |
+| **Silver** | Enforces strong secure coding practices, eliminating injection flaws, access control issues, and secrets exposure. |
+| **Gold** | Focuses on cryptographic security and external vulnerability exposure management. |
+| **Platinum** | Represents the highest standard, requiring zero high-risk issues and strict dependency security. |
+
+> **How levels work:**
+> - To reach a higher level, **all rules in that level and all lower levels must pass**.
+> - This creates a clear maturity path from basic hygiene to advanced compliance.
+
+---
+
+## Rules by Level
+
+Below are all rules organized by the level at which they apply.
+
+---
+
+### Bronze Level
+
+#### 1. SAST Scan Recency
+- **Identifier:** `sast_recent`
+- **Goal:** Ensure regular static application security testing (SAST).
+- **Rule:** `sast_last_scan_days <= 30`
+- **Description:**
+ PCI DSS 6.3.1 requires continuous vulnerability identification.
+ This rule ensures a SAST scan has been run within the last 30 days.
+
+---
+
+#### 2. No Open Critical Issues
+- **Identifier:** `open_critical_thresh`
+- **Goal:** Prevent critical vulnerabilities from remaining unresolved.
+- **Rule:** `open_critical = 0`
+- **Description:**
+ There must be **zero open critical vulnerabilities** in the codebase.
+
+---
+
+### Silver Level
+
+#### 3. No Injection or Access Control Issues
+- **Identifier:** `class_no_inj_auth`
+- **Goal:** Eliminate high-severity vulnerabilities in input validation and access control.
+- **Rule:**
+ ```text
+ a3_injection = 0
+ a1_access_control_flaws = 0
+ ```
+
+- **Description:**
+ Addresses critical categories such as:
+
+ - Injection flaws (e.g., SQL injection, XSS)
+ - Broken authentication and authorization logic
+
+---
+
+#### 4. No Hardcoded Secrets
+
+- **Identifier:** `hardcoded_secrets`
+- **Goal:** Prevent sensitive credentials from being exposed in code.
+- **Rule:** `hardcoded_secrets = 0`
+- **Description:**
+ Detects and blocks hardcoded passwords, API keys, and other secrets.
+
+---
+
+### Gold Level
+
+#### 5. Secure Cryptography
+
+* **Identifier:** `insecure_crypto`
+* **Goal:** Ensure proper use of secure algorithms and key management practices.
+* **Rule:** `a2_cryptographic_failures = 0`
+* **Description:**
+ Detects use of weak cryptographic algorithms or incorrect implementation of crypto operations.
+
+---
+
+#### 6. ASV Parity for Public-Facing Assets
+
+* **Identifier:** `asv_pass_parity`
+* **Goal:** Align with PCI DSS **Approved Scanning Vendor (ASV)** pass/fail standards.
+* **Rule:** `max_risk_score_replacing_asv = 400`
+* **Description:**
+ Ensures public-facing services do not have vulnerabilities equivalent to CVSS ≥ 4.0.
+
+> **Key Note:**
+> CVSS data is not directly available in this system.
+> Instead, we use **Snyk Risk Score** as a proxy, with a threshold of **400** chosen to approximate the CVSS 4.0 boundary required by PCI DSS for external scans.
+
+---
+
+### Platinum Level
+
+#### 7. Max Risk Score Validation
+
+- **Identifier:** `max_risk_score`
+- **Goal:** Apply alternate or stricter risk scoring models for specific teams or services.
+- **Rule:**
+
+ ```text
+ $team containsAny ["example_team"]
+ ```
+- **Description:**
+ Allows team-specific compliance requirements to be enforced at the highest level.
+
+---
+
+#### 8. No High-Risk Open Source Vulnerabilities
+
+- **Identifier:** `no_high_open_source`
+- **Goal:** Maintain a secure open-source dependency posture.
+- **Rule:** `open_sca_high = 0`
+- **Description:**
+ Requires **zero high-severity vulnerabilities** in all open-source components.
+
+---
+
+#### 9. No High-Risk Code Issues
+
+- **Identifier:** `no_high_code_issues`
+- **Goal:** Ensure all high-risk static analysis findings are remediated.
+* **Rule:** `open_sast_high = 0`
+* **Description:**
+ There must be **no high-severity SAST issues** remaining unresolved.
+
+---
+
+## Summary of Rule Coverage
+
+| Level | PCI Focus Area | Key Rules |
+| ------------ | -------------------------------- | ------------------------------------------- |
+| **Bronze** | Scan frequency & critical issues | SAST recency, No open critical issues |
+| **Silver** | Secure coding & secrets hygiene | Injection/Auth flaws, No hardcoded secrets |
+| **Gold** | Cryptography & external exposure | Secure crypto, ASV parity |
+| **Platinum** | Zero-tolerance for high risks | No high SAST, No high SCA, Max risk scoring |
+
+---
+
+## Implementation Steps
+
+### 1. Ingest Scan Data
+
+Ensure outputs from scanning tools are mapped to Port properties:
+
+* `sast_last_scan_days`
+* `open_critical`
+* `a3_injection`
+* `a1_access_control_flaws`
+* `hardcoded_secrets`
+* `open_sca_high`
+* `open_sast_high`
+* `max_risk_score_replacing_asv`
+
+---
+
+### 2. Deploy via Port or Pulumi
+
+* **Direct JSON upload:**
+ Use the JSON configuration directly in the Port UI.
+
+* **Infrastructure-as-code approach:**
+ Convert the JSON to TypeScript and deploy using the [Port Pulumi provider](https://docs.port.io/).
+
+---
+
+### 3. Monitor Compliance Progress
+
+* View real-time compliance status directly within Port.
+* Use levels as **milestones** to measure progression toward PCI DSS compliance.
+* Generate reports for PCI DSS audits using scorecard data as automated evidence.
+
+---
+
+## Benefits of This Scorecard
+
+* **Automated Compliance Tracking**
+ Continuously validates PCI DSS compliance without manual intervention.
+
+* **Actionable Insights**
+ Highlights specific areas needing remediation at both code and dependency levels.
+
+* **Maturity Measurement**
+ Provides a clear path for teams to progress from basic hygiene to advanced compliance.
+
+* **Audit Readiness**
+ Simplifies PCI audits by providing up-to-date evidence of secure development practices.
+
+---
+
+## Compliance Flow
+
+```mermaid
+flowchart TD
+ A[Code Scan Run] --> B[Findings Ingested to Port]
+ B --> C[Scorecard Evaluation]
+ C -->|Pass| D[Advance Level: Bronze → Silver → Gold → Platinum]
+ C -->|Fail| E[Remediation Required]
+ E --> A
+```
+
+This visual shows how code scan results flow through the system, get evaluated, and determine compliance level progression.
+
+---
+
+## Key Takeaways
+
+* **Bronze → Platinum** represents progressive enforcement of PCI DSS secure coding requirements.
+* Using **Snyk Risk Score** as a proxy ensures external exposure checks align with ASV expectations even without direct CVSS data. In the future iterations, the intent will be to ingest CVSS Score detail for all `package vulnerabilities`.
+* This scorecard provides a practical, automated way to track and improve compliance continuously.
+* This scorecard can serve as a starting point.
+
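Review bot: The `asv_pass_parity` scorecard rule compares a property named `max_risk_score_replacing_asv`, but the New Properties section never defines an aggregation of that name — it defines `max_risk_score` (max of `score` over open package vulnerabilities) and `asv_pass_parity` (a count of open package vulnerabilities with `score >= 500`), so as written the rule evaluates a property the reader never creates; the later hunk in this series that changes the operator to `<` keeps the same name and inherits the problem. The `asv_pass_parity` aggregation's `>= 500` threshold also disagrees with the `400` boundary the Key Note says approximates CVSS 4.0, so one of the two numbers should change. Separately, the `hardcoded_secrets` aggregation filters only on `category`: unlike every other aggregation in this file it has no `status = open` rule and no `pathFilter`, so it presumably counts resolved or ignored findings and is not scoped through `project → snyk_target`; add `{"property": "status", "operator": "=", "value": "open"}` to its `rules` and the same `pathFilter` block that `asv_pass_parity` carries.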
From abb1ef58caf38e908b83d28c0b53f2bef18c922b Mon Sep 17 00:00:00 2001
From: uday Korlimarla <222185270+udayk-port@users.noreply.github.com>
Date: Fri, 5 Sep 2025 16:46:48 +1000
Subject: [PATCH 2/4] fix formatting issues
---
.../all/setup-pci-dss-code-compliance.md | 54 +++++++++++--------
1 file changed, 31 insertions(+), 23 deletions(-)
diff --git a/docs/guides/all/setup-pci-dss-code-compliance.md b/docs/guides/all/setup-pci-dss-code-compliance.md
index e5a4912ebd..7e4b220bbb 100644
--- a/docs/guides/all/setup-pci-dss-code-compliance.md
+++ b/docs/guides/all/setup-pci-dss-code-compliance.md
@@ -167,7 +167,7 @@ By organizing into levels, all teams can progressively improve security posture
}
]
},
- "description": "No High ",
+ "description": "No High severity open source vulnerabilities",
"title": "No High Open Source"
},
{
@@ -183,7 +183,7 @@ By organizing into levels, all teams can progressively improve security posture
}
]
},
- "description": "No High Open Source",
+ "description": "No High severity code issues",
"title": "No High Code Issues"
}
],
@@ -216,12 +216,13 @@ By organizing into levels, all teams can progressively improve security posture
## New Properties
-New properties have been created on Snyk Target Blueprint and then shown as mirrored properties on Repository blueprint. This can be attached to a service blueprint as well or as deemed appropriate to where the
+New properties have been created on Snyk Target Blueprint and then shown as mirrored properties on Repository blueprint. This can be attached to a service blueprint as well or as deemed appropriate to where the data is most relevant.
PCI DSS Scorecard (Click to expand)
```json showLineNumbers
+{
"hardcoded_secrets": {
"title": "hardcoded_secrets",
"icon": "Bug",
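Review bot: The added `{` opens an object that nothing visible closes — the `hardcoded_secrets` snippet ended with `},` in the previous patch and this hunk shows no matching `}` being appended, so the block is still not valid JSON for a reader who pastes it into Port; the `{` added for `asv_pass_parity`, `max_risk_score`, `open_sca_critical`, `open_sca_high` and `open_sast_high` in the following hunks has the same gap. If the closing brace is added outside the visible context this can be ignored; otherwise each snippet should end with a closing `}` for the property followed by `}` for the wrapper, as the `sast_last_scan_days` and `open_critical` snippets added in the next patch do. The enclosing snippet ends outside this hunk.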
@@ -254,6 +255,7 @@ New properties have been created on Snyk Target Blueprint and then shown as mirr
ASV Pass parity (Click to expand)
```json showLineNumbers
+{
"asv_pass_parity": {
"title": "ASV Pass Parity",
"icon": "Bug",
@@ -300,6 +302,7 @@ New properties have been created on Snyk Target Blueprint and then shown as mirr
Maximum Risk Score aggregation(Click to expand)
```json showLineNumbers
+{
"max_risk_score": {
"title": "Max risk score",
"icon": "Bug",
@@ -343,6 +346,7 @@ New properties have been created on Snyk Target Blueprint and then shown as mirr
Critical severity package vulnerabilities(Click to expand)
```json showLineNumbers
+{
"open_sca_critical": {
"title": "Open SCA Critical",
"icon": "Bug",
@@ -387,6 +391,8 @@ New properties have been created on Snyk Target Blueprint and then shown as mirr
High severity package vulnerabilities(Click to expand)
+```json showLineNumbers
+{
"open_sca_high": {
"title": "Open SCA High",
"icon": "Bug",
@@ -431,6 +437,8 @@ New properties have been created on Snyk Target Blueprint and then shown as mirr
High severity code vulnerabilities(Click to expand)
+```json showLineNumbers
+{
"open_sast_high": {
"title": "Open SAST High",
"icon": "Bug",
@@ -551,20 +559,20 @@ Below are all rules organized by the level at which they apply.
#### 5. Secure Cryptography
-* **Identifier:** `insecure_crypto`
-* **Goal:** Ensure proper use of secure algorithms and key management practices.
-* **Rule:** `a2_cryptographic_failures = 0`
-* **Description:**
+- **Identifier:** `insecure_crypto`
+- **Goal:** Ensure proper use of secure algorithms and key management practices.
+- **Rule:** `a2_cryptographic_failures = 0`
+- **Description:**
Detects use of weak cryptographic algorithms or incorrect implementation of crypto operations.
---
#### 6. ASV Parity for Public-Facing Assets
-* **Identifier:** `asv_pass_parity`
-* **Goal:** Align with PCI DSS **Approved Scanning Vendor (ASV)** pass/fail standards.
-* **Rule:** `max_risk_score_replacing_asv = 400`
-* **Description:**
+- **Identifier:** `asv_pass_parity`
+- **Goal:** Align with PCI DSS **Approved Scanning Vendor (ASV)** pass/fail standards.
+- **Rule:** `max_risk_score_replacing_asv = 400`
+- **Description:**
Ensures public-facing services do not have vulnerabilities equivalent to CVSS ≥ 4.0.
> **Key Note:**
@@ -603,8 +611,8 @@ Below are all rules organized by the level at which they apply.
- **Identifier:** `no_high_code_issues`
- **Goal:** Ensure all high-risk static analysis findings are remediated.
-* **Rule:** `open_sast_high = 0`
-* **Description:**
+- **Rule:** `open_sast_high = 0`
+- **Description:**
There must be **no high-severity SAST issues** remaining unresolved.
---
@@ -639,10 +647,10 @@ Ensure outputs from scanning tools are mapped to Port properties:
### 2. Deploy via Port or Pulumi
-* **Direct JSON upload:**
+- **Direct JSON upload:**
Use the JSON configuration directly in the Port UI.
-* **Infrastructure-as-code approach:**
+- **Infrastructure-as-code approach:**
Convert the JSON to TypeScript and deploy using the [Port Pulumi provider](https://docs.port.io/).
---
@@ -657,16 +665,16 @@ Ensure outputs from scanning tools are mapped to Port properties:
## Benefits of This Scorecard
-* **Automated Compliance Tracking**
+- **Automated Compliance Tracking**
Continuously validates PCI DSS compliance without manual intervention.
-* **Actionable Insights**
+- **Actionable Insights**
Highlights specific areas needing remediation at both code and dependency levels.
-* **Maturity Measurement**
+- **Maturity Measurement**
Provides a clear path for teams to progress from basic hygiene to advanced compliance.
-* **Audit Readiness**
+- **Audit Readiness**
Simplifies PCI audits by providing up-to-date evidence of secure development practices.
---
@@ -688,8 +696,8 @@ This visual shows how code scan results flow through the system, get evaluated,
## Key Takeaways
-* **Bronze → Platinum** represents progressive enforcement of PCI DSS secure coding requirements.
-* Using **Snyk Risk Score** as a proxy ensures external exposure checks align with ASV expectations even without direct CVSS data. In the future iterations, the intent will be to ingest CVSS Score detail for all `package vulnerabilities`.
-* This scorecard provides a practical, automated way to track and improve compliance continuously.
-* This scorecard can serve as a starting point.
+- **Bronze → Platinum** represents progressive enforcement of PCI DSS secure coding requirements.
+- Using **Snyk Risk Score** as a proxy ensures external exposure checks align with ASV expectations even without direct CVSS data. In the future iterations, the intent will be to ingest CVSS Score detail for all `package vulnerabilities`.
+- This scorecard provides a practical, automated way to track and improve compliance continuously.
+- This scorecard can serve as a starting point.
From ad78bf3711893ceb4856e1cc1ac2c22830d8ce88 Mon Sep 17 00:00:00 2001
From: uday Korlimarla <222185270+udayk-port@users.noreply.github.com>
Date: Fri, 12 Sep 2025 19:20:42 +1000
Subject: [PATCH 3/4] formatting fix
---
.../all/setup-pci-dss-code-compliance.md | 72 +++++++++++++++++++
src/components/guides-section/consts.js | 7 ++
2 files changed, 79 insertions(+)
diff --git a/docs/guides/all/setup-pci-dss-code-compliance.md b/docs/guides/all/setup-pci-dss-code-compliance.md
index 7e4b220bbb..4580c0de8e 100644
--- a/docs/guides/all/setup-pci-dss-code-compliance.md
+++ b/docs/guides/all/setup-pci-dss-code-compliance.md
@@ -481,6 +481,78 @@ New properties have been created on Snyk Target Blueprint and then shown as mirr
```
+
+SAST Last Scan Days (Click to expand)
+```json showLineNumbers
+{
+ "sast_last_scan_days": {
+ "title": "SAST Last Scan Days",
+ "icon": "Calendar",
+ "type": "number",
+ "description": "Number of days since the last SAST scan",
+ "target": "snykTarget",
+ "query": {
+ "combinator": "and",
+ "rules": [
+ {
+ "property": "lastScanDate",
+ "operator": "exists"
+ }
+ ]
+ },
+ "calculationSpec": {
+ "func": "daysSince",
+ "property": "lastScanDate",
+ "calculationBy": "property"
+ }
+ }
+}
+```
+
+
+
+Open Critical Vulnerabilities (Click to expand)
+```json showLineNumbers
+{
+ "open_critical": {
+ "title": "Open Critical",
+ "icon": "Bug",
+ "type": "number",
+ "description": "Number of open critical severity vulnerabilities",
+ "target": "snykVulnerability",
+ "query": {
+ "combinator": "and",
+ "rules": [
+ {
+ "property": "status",
+ "operator": "=",
+ "value": "open"
+ },
+ {
+ "property": "severity",
+ "operator": "=",
+ "value": "critical"
+ }
+ ]
+ },
+ "calculationSpec": {
+ "func": "count",
+ "calculationBy": "entities"
+ },
+ "pathFilter": [
+ {
+ "fromBlueprint": "snykVulnerability",
+ "path": [
+ "project",
+ "snyk_target"
+ ]
+ }
+ ]
+ }
+}
+```
+
+
## Scorecard Levels
The scorecard uses **five maturity levels**, with each level building on the rules from the previous one.
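Review bot: The new `open_critical` aggregation counts every open vulnerability with `severity = critical` and has no `type` rule, while the scorecard rule that consumes it (`open_critical_thresh`) is described as "No Critical SAST findings"; either add `{"property": "type", "operator": "=", "value": "code"}` to match the description, or reword the rule description to "No open critical SAST or SCA findings" so the evidence an auditor sees matches the metric. Similarly, `sast_last_scan_days` is computed from `lastScanDate exists` on `snykTarget` with nothing restricting it to SAST scans, so the value is presumably days since any scan on the target — worth a sentence saying so, or a scan-type filter if the target exposes one. I could not confirm from the page that `daysSince` is a supported `calculationSpec.func`; since the Bronze `sast_recent` rule depends on it, a note on where that function is documented would help the reader.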
diff --git a/src/components/guides-section/consts.js b/src/components/guides-section/consts.js
index 1b02e961e1..b4de6c6b4c 100644
--- a/src/components/guides-section/consts.js
+++ b/src/components/guides-section/consts.js
@@ -1448,6 +1448,13 @@ export const availableGuides = [
logos: ["Snyk"],
link: "/guides/all/owasp-top-10-scorecard",
},
+ {
+ title: "PCI DSS code security scorecard",
+ description: "Continuously track compliance with PCI DSS requirements using code scans and vulnerability data",
+ tags: ["Security", "Scorecards", "Snyk", "PCI DSS"],
+ logos: ["Snyk"],
+ link: "/guides/all/setup-pci-dss-code-compliance",
+ },
{
title: "Enforce AI coding security standards",
description: "Learn how to enforce AI coding security standards in your organization",
From ba8cc3b027a07ef3735e374074bb86fc5c50e96c Mon Sep 17 00:00:00 2001
From: uday Korlimarla <222185270+udayk-port@users.noreply.github.com>
Date: Fri, 12 Sep 2025 19:29:24 +1000
Subject: [PATCH 4/4] more formatting and better organised information
---
.../all/setup-pci-dss-code-compliance.md | 98 ++++++++++---------
1 file changed, 53 insertions(+), 45 deletions(-)
diff --git a/docs/guides/all/setup-pci-dss-code-compliance.md b/docs/guides/all/setup-pci-dss-code-compliance.md
index 4580c0de8e..15edf3ac90 100644
--- a/docs/guides/all/setup-pci-dss-code-compliance.md
+++ b/docs/guides/all/setup-pci-dss-code-compliance.md
@@ -1,26 +1,26 @@
---
displayed_sidebar: null
-description: PCI DSS Code security scorecard
+description: Build a comprehensive PCI DSS Code Security Scorecard in Port to continuously track compliance with PCI DSS requirements using vulnerability data from Snyk. This scorecard includes 5-level maturity model from Basic to Platinum.
---
# PCI DSS Code Security Scorecard
-The **PCI DSS Code Security Scorecard** is designed to continuously track compliance with PCI DSS requirements by leveraging code scans and vulnerability data.
-It helps teams enforce secure coding practices, identify weaknesses early, and measure progress towards PCI compliance maturity.
+The **PCI DSS Code Security Scorecard** is designed to continuously track compliance with PCI DSS requirements by leveraging static application security testing (SAST) and software composition analysis (SCA) data from Snyk.
+It helps development teams enforce secure coding practices, identify security weaknesses early in the development lifecycle, and measure progress towards PCI DSS compliance maturity.
-This scorecard evaluates repositories and services based on:
-- Scan recency
-- Severity of open vulnerabilities
-- Cryptographic hygiene
-- Exposure of public-facing assets
-- Secure dependency management
+This comprehensive security scorecard evaluates repositories and services based on:
+- **Scan recency** - Ensures regular vulnerability scanning (PCI DSS 6.3.1)
+- **Severity of open vulnerabilities** - Tracks critical and high-severity issues
+- **Cryptographic hygiene** - Validates secure crypto implementation (PCI DSS 6.5.3)
+- **Exposure of public-facing assets** - ASV compliance for external scans (PCI DSS 11.2.2)
+- **Secure dependency management** - Monitors open-source component security
# Dependencies
- Depends on [OWASP Top 10 Scorecard](/guides/all/owasp-top-10-scorecard) to make use of some of the aggregation properties generated previously
By organizing into levels, all teams can progressively improve security posture and demonstrate compliance readiness.
----
+
## Scorecard
@@ -127,7 +127,7 @@ By organizing into levels, all teams can progressively improve security posture
"combinator": "and",
"conditions": [
{
- "operator": "=",
+ "operator": "<",
"property": "max_risk_score_replacing_asv",
"value": 400
}
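Review bot: `func: max` over zero open package vulnerabilities presumably yields no value rather than `0`, in which case `< 400` may not evaluate as a pass for exactly the repositories that are cleanest; the guide should say how the scorecard treats an unset property here, and if it fails closed, the rule needs an additional condition accepting the empty case. The `<` also makes the boundary consistent with the Key Note (a score of 400 now fails, matching "CVSS ≥ 4.0"), which is worth stating next to the threshold. The enclosing rule object starts and ends outside this hunk.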
@@ -565,17 +565,17 @@ The scorecard uses **five maturity levels**, with each level building on the rul
| **Gold** | Focuses on cryptographic security and external vulnerability exposure management. |
| **Platinum** | Represents the highest standard, requiring zero high-risk issues and strict dependency security. |
-> **How levels work:**
-> - To reach a higher level, **all rules in that level and all lower levels must pass**.
-> - This creates a clear maturity path from basic hygiene to advanced compliance.
+#### **How levels work:**
+ - To reach a higher level, **all rules in that level and all lower levels must pass**.
+ - This creates a clear maturity path from basic hygiene to advanced compliance.
+
----
## Rules by Level
Below are all rules organized by the level at which they apply.
----
+
### Bronze Level
@@ -587,7 +587,7 @@ Below are all rules organized by the level at which they apply.
PCI DSS 6.3.1 requires continuous vulnerability identification.
This rule ensures a SAST scan has been run within the last 30 days.
----
+
#### 2. No Open Critical Issues
- **Identifier:** `open_critical_thresh`
@@ -596,7 +596,7 @@ Below are all rules organized by the level at which they apply.
- **Description:**
There must be **zero open critical vulnerabilities** in the codebase.
----
+
### Silver Level
@@ -615,7 +615,7 @@ Below are all rules organized by the level at which they apply.
- Injection flaws (e.g., SQL injection, XSS)
- Broken authentication and authorization logic
----
+
#### 4. No Hardcoded Secrets
@@ -625,7 +625,7 @@ Below are all rules organized by the level at which they apply.
- **Description:**
Detects and blocks hardcoded passwords, API keys, and other secrets.
----
+
### Gold Level
@@ -637,21 +637,21 @@ Below are all rules organized by the level at which they apply.
- **Description:**
Detects use of weak cryptographic algorithms or incorrect implementation of crypto operations.
----
+
#### 6. ASV Parity for Public-Facing Assets
- **Identifier:** `asv_pass_parity`
- **Goal:** Align with PCI DSS **Approved Scanning Vendor (ASV)** pass/fail standards.
-- **Rule:** `max_risk_score_replacing_asv = 400`
+- **Rule:** `max_risk_score_replacing_asv < 400`
- **Description:**
Ensures public-facing services do not have vulnerabilities equivalent to CVSS ≥ 4.0.
-> **Key Note:**
-> CVSS data is not directly available in this system.
-> Instead, we use **Snyk Risk Score** as a proxy, with a threshold of **400** chosen to approximate the CVSS 4.0 boundary required by PCI DSS for external scans.
+#### **Key Note:**
+- CVSS data is not directly available in this system.
+- Instead, we use **Snyk Risk Score** as a proxy, with a threshold of **400** chosen to approximate the CVSS 4.0 boundary required by PCI DSS for external scans.
+
----
### Platinum Level
@@ -666,8 +666,11 @@ Below are all rules organized by the level at which they apply.
```
- **Description:**
Allows team-specific compliance requirements to be enforced at the highest level.
+
+:::tip **Note:** Replace `"example_team"` with your actual team name or remove this rule if not needed.
+:::
+
----
#### 8. No High-Risk Open Source Vulnerabilities
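Review bot: The tip acknowledges the `"example_team"` placeholder, but the rule it refers to is still a `$team containsAny` membership check carried under the identifier `max_risk_score` and the title "Max Risk Score"; it never reads the `max_risk_score` aggregation defined in New Properties, so a team listed there reaches Platinum regardless of its actual risk score, and a team not listed can never reach it. Either point the rule at the aggregation, e.g. `"property": "max_risk_score", "operator": "<", "value": 400`, or rename the rule to describe the team gate and say in the tip that it is a scoping filter rather than a risk check. The rule definition itself is outside this hunk.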
@@ -677,7 +680,7 @@ Below are all rules organized by the level at which they apply.
- **Description:**
Requires **zero high-severity vulnerabilities** in all open-source components.
----
+
#### 9. No High-Risk Code Issues
@@ -687,7 +690,23 @@ Below are all rules organized by the level at which they apply.
- **Description:**
There must be **no high-severity SAST issues** remaining unresolved.
----
+
+
+## PCI DSS Requirements Alignment
+
+This scorecard addresses key PCI DSS requirements for secure development:
+
+| PCI DSS Requirement | Scorecard Rule | Level | Description |
+|-------------------|----------------|-------|-------------|
+| **6.3.1** - Continuous vulnerability identification | `sast_recent` | Bronze | Ensures SAST scans run within 30 days |
+| **6.5.1** - Injection flaws | `a3_injection = 0` | Silver | Prevents SQL injection, XSS, etc. |
+| **6.5.2** - Broken authentication | `a1_access_control_flaws = 0` | Silver | Addresses authentication/authorization issues |
+| **6.5.3** - Cryptographic failures | `a2_cryptographic_failures = 0` | Gold | Ensures secure crypto implementation |
+| **6.5.4** - Insecure communications | `hardcoded_secrets = 0` | Silver | Prevents credential exposure |
+| **11.2.2** - External vulnerability scans | `asv_pass_parity` | Gold | ASV compliance for public-facing assets |
+| **6.2** - Secure development practices | All levels | Bronze+ | Comprehensive secure coding standards |
+
+**Note:** This scorecard focuses on **code security** aspects of PCI DSS. Additional requirements for network security, access controls, and data protection should be implemented separately.
## Summary of Rule Coverage
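Review bot: In the new alignment table the row `6.5.4 - Insecure communications` is mapped to `hardcoded_secrets = 0`, but hardcoded credentials are not an insecure-communications control, so an assessor reading the row will find the evidence does not support the requirement cited; the row should name the requirement the secrets rule actually supports or be dropped. The table also mixes numbering schemes: `6.5.1`–`6.5.4` and `11.2.2` are PCI DSS v3.2.1 identifiers (where `6.5.2` is buffer overflows, not broken authentication), whereas `6.3.1` as continuous vulnerability identification follows the v4.0 numbering, under which the secure-coding items sit in 6.2.4 and ASV scans in 11.3.2. State which PCI DSS version the guide targets and use one scheme throughout; the bullets added in the first hunk of this patch (`6.5.3`, `11.2.2`) have the same issue.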
@@ -698,7 +717,7 @@ Below are all rules organized by the level at which they apply.
| **Gold** | Cryptography & external exposure | Secure crypto, ASV parity |
| **Platinum** | Zero-tolerance for high risks | No high SAST, No high SCA, Max risk scoring |
----
+
## Implementation Steps
@@ -715,7 +734,7 @@ Ensure outputs from scanning tools are mapped to Port properties:
* `open_sast_high`
* `max_risk_score_replacing_asv`
----
+
### 2. Deploy via Port or Pulumi
@@ -725,7 +744,7 @@ Ensure outputs from scanning tools are mapped to Port properties:
- **Infrastructure-as-code approach:**
Convert the JSON to TypeScript and deploy using the [Port Pulumi provider](https://docs.port.io/).
----
+
### 3. Monitor Compliance Progress
@@ -733,7 +752,7 @@ Ensure outputs from scanning tools are mapped to Port properties:
* Use levels as **milestones** to measure progression toward PCI DSS compliance.
* Generate reports for PCI DSS audits using scorecard data as automated evidence.
----
+
## Benefits of This Scorecard
@@ -749,22 +768,11 @@ Ensure outputs from scanning tools are mapped to Port properties:
- **Audit Readiness**
Simplifies PCI audits by providing up-to-date evidence of secure development practices.
----
-
-## Compliance Flow
-```mermaid
-flowchart TD
- A[Code Scan Run] --> B[Findings Ingested to Port]
- B --> C[Scorecard Evaluation]
- C -->|Pass| D[Advance Level: Bronze → Silver → Gold → Platinum]
- C -->|Fail| E[Remediation Required]
- E --> A
-```
This visual shows how code scan results flow through the system, get evaluated, and determine compliance level progression.
----
+
## Key Takeaways
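Review bot: The hunk deletes the `## Compliance Flow` heading and the mermaid flowchart but keeps the sentence `This visual shows how code scan results flow through the system, get evaluated, and determine compliance level progression.`, which now refers to a diagram that no longer exists. Either remove that sentence as well or keep the flowchart under its heading; given the commit subject promises formatting and organisation, the diagram deletion looks accidental. The hunk's trailing context ends just after this line.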