NIS2 & SecNumCloud Compliance¶
Document type: Compliance evidence
Applicable regulations: NIS2 Directive (EU) 2022/2555 · ANSSI SecNumCloud
Repod version: 1.x
Date: 2026-05-12
NIS2 Overview¶
The NIS2 Directive (EU) 2022/2555 (Network and Information Security, version 2) entered into force on 16 January 2023; member states had to transpose it into national law by 17 October 2024, and its obligations apply from 18 October 2024. Article 21 requires "essential" and "important" entities to implement technical, operational and organisational measures proportionate to the risk. Article 21(2) lists, at minimum:
- Risk analysis and information system security policies
- Incident handling
- Business continuity (backup management, disaster recovery, crisis management)
- Supply chain security (directly addressed by Repod)
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- Policies and procedures on the use of cryptography and, where appropriate, encryption
- Access control policies and asset management
- Multi-factor or continuous authentication and secured communications
Repod addresses the supply chain security and vulnerability management requirements that apply to organisations distributing or consuming Debian packages internally. The remaining Article 21 measures (incident handling, business continuity, training) must be covered by the operating organisation and are outside the scope of this document.
Article 21 Compliance Matrix¶
Supply chain security¶
| Requirement | Status | How Repod addresses it |
|---|---|---|
| Verify integrity of software before deployment | Yes | SHA-256 provenance check against the upstream Packages.gz index on every upload |
| Scan for known vulnerabilities before deployment | Yes | Grype CVE scan (NVD, GitHub Advisory, CISA KEV databases) on every upload |
| Block or review packages with critical vulnerabilities | Yes | Configurable policy per severity: block (quarantine) or review (CISO queue) |
| Maintain a software inventory | Yes | SBOM in CycloneDX 1.5 and SPDX 2.3, per package and per repository |
| Trace who introduced which software component | Yes | Immutable audit trail: every upload logged with user, role, timestamp and source IP |
| GPG signing of distributed packages | Yes | Integrated GPG signing; clients verify signatures via apt |
| Antivirus scanning of software artifacts | Yes | ClamAV scan on every upload, with daily signature updates |
Access control¶
| Requirement | Status | How Repod addresses it |
|---|---|---|
| Role-based access control | Yes | 5 roles: reader, uploader, maintainer, auditor, admin |
| Least privilege principle | Yes | CI/CD systems get uploader only; the CISO gets auditor; no over-provisioning |
| Separation of duties (CVE approval) | Yes | Only admin can approve CVE-flagged packages; uploader cannot |
| Multi-factor authentication | No | MFA not implemented in v1; mitigate by authenticating through LDAP and enforcing MFA at your IdP. Article 21(2)(j) names MFA explicitly, so evidence the IdP-level control in the dossier |
| Enterprise directory integration | Yes | LDAP / Active Directory with group-to-role mapping |
| API token management | Yes | Short-lived tokens with role scoping; revocable immediately |
| Account disabling | Yes | is_active flag checked on every request; disabling an account blocks its existing sessions |
Logging and monitoring¶
| Requirement | Status | How Repod addresses it |
|---|---|---|
| Log all privileged actions | Yes | 18 event types, including all user management, configuration changes and CVE decisions |
| Log authentication events (success + failure) | Yes | LOGIN_SUCCESS and LOGIN_FAILURE with source IP |
| Tamper-evident logs | Yes | Append-only JSONL files; no API to modify or delete log entries (protect the files themselves with filesystem permissions and off-host shipping) |
| Configurable retention | Yes | retention_days setting; default 90 days |
| SIEM-compatible export | Yes | JSONL format; GET /artifacts/audit/logs API endpoint |
Cryptography¶
| Requirement | Status | How Repod addresses it |
|---|---|---|
| Credentials protected at rest | Yes | Passwords hashed with bcrypt (via passlib), never stored in plaintext or reversibly encrypted |
| Tokens protected at rest | Yes | Reset tokens and API tokens stored only as SHA-256 hashes, so a database read does not yield usable tokens |
| Signed repository | Yes | GPG-signed Release files; clients verify with apt |
| Encrypted communications | Delegated | TLS terminated at the reverse proxy (see Reverse Proxy guide) |
Vulnerability management¶
| Requirement | Status | How Repod addresses it |
|---|---|---|
| Identify vulnerabilities in deployed software | Yes | Grype scans every incoming package; results stored per package |
| Prioritise remediation | Yes | EPSS probability score and CISA KEV flag per CVE for risk-based prioritisation |
| SLA for vulnerability decisions | Yes | Configurable SLA per severity (default: Critical = 0 days, High = 30 days, Medium = 90 days) |
| Document vulnerability decisions | Yes | Mandatory justification text on approve/reject; permanently logged |
ANSSI SecNumCloud Mapping¶
| SecNumCloud requirement | Status | Evidence |
|---|---|---|
| Software inventory (SBOM) | Yes | CycloneDX 1.5 · SPDX 2.3 per package; export API available |
| Audit trail | Yes | Append-only JSONL; 18 event types; configurable retention |
| Access control | Yes | RBAC with 5 roles; LDAP integration; API tokens |
| Environment separation | Yes | Docker containers with isolated networks; no Docker socket in production |
| Encryption in transit | Delegated | Reverse proxy (Nginx / Traefik / Caddy) handles TLS |
| Encryption at rest | No | Volume /repos not encrypted by default; implement at OS/infrastructure level (LUKS/dm-crypt, encrypted EBS) |
| Key management | Partial | GPG integrated; JWT secret validated at startup; HSM not supported |
| Vulnerability management | Yes | Grype + CISO review queue + EPSS + CISA KEV |
Evidence Package for Auditors¶
The following artefacts can be collected and attached to an audit dossier. When the collecting host is not the Repod host, run these against the HTTPS reverse-proxy URL rather than port 8000 directly, so the bearer token is not sent in cleartext.
1. Software Bill of Materials¶
# Full repository SBOM (CycloneDX)
curl -s -H "Authorization: Bearer $TOKEN" \
"http://REPO_HOST:8000/sbom/export?format=cyclonedx&distribution=jammy" \
-o sbom-jammy-$(date +%Y%m%d).cdx.json
# Full repository SBOM (SPDX)
curl -s -H "Authorization: Bearer $TOKEN" \
"http://REPO_HOST:8000/sbom/export?format=spdx&distribution=jammy" \
-o sbom-jammy-$(date +%Y%m%d).spdx.json
2. Audit log export¶
# Export the audit log (append-only JSONL); filter by date locally if only a range is needed
curl -s -H "Authorization: Bearer $TOKEN" \
"http://REPO_HOST:8000/artifacts/audit/logs" \
-o audit-$(date +%Y%m%d).jsonl
3. Vulnerability posture report¶
# All CVEs across all packages
curl -s -H "Authorization: Bearer $TOKEN" \
"http://REPO_HOST:8000/security/vulnerabilities" \
-o cve-posture-$(date +%Y%m%d).json
# Packages awaiting CISO review
curl -s -H "Authorization: Bearer $TOKEN" \
"http://REPO_HOST:8000/security/review-queue" \
-o pending-review-$(date +%Y%m%d).json
4. Configuration snapshot¶
# Settings (secrets masked automatically)
curl -s -H "Authorization: Bearer $TOKEN" \
"http://REPO_HOST:8000/settings/" \
-o settings-$(date +%Y%m%d).json
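The exports above are raw data; an auditor usually wants the findings derived from them. The following script is an added example and not part of Repod: it reads an audit-log export (step 2) and a review-queue export (step 3) and reports credential-guessing sources, CVE decisions that lack a justification or were made outside the admin role, and packages pending past the default decision SLA. The audit field names (event, ts, user, role, source_ip, package, justification), the event names CVE_APPROVED / CVE_REJECTED and the queue field names (package, severity, uploaded_at) are assumptions, since this page does not document the export schema; the sample records are constructed.

```python
"""
Added example, not Repod's own code: derive auditor-facing findings from the
audit-log export (JSONL) and the review-queue export (JSON).

Assumed field and event names (not documented on this page): audit events carry
event, ts, user, role, source_ip, package, justification; decisions are logged
as CVE_APPROVED / CVE_REJECTED; queue entries carry package, severity,
uploaded_at. Map these to the real export before use.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Default decision SLAs in days, as stated in the vulnerability-management matrix.
SLA_DAYS = {"Critical": 0, "High": 30, "Medium": 90}

# Constructed sample audit export: one JSON event per line.
SAMPLE_AUDIT_JSONL = "\n".join([
    '{"event":"LOGIN_FAILURE","ts":"2026-05-10T08:00:01Z","user":"ci-bot","source_ip":"10.0.0.7"}',
    '{"event":"LOGIN_FAILURE","ts":"2026-05-10T08:00:02Z","user":"ci-bot","source_ip":"10.0.0.7"}',
    '{"event":"LOGIN_FAILURE","ts":"2026-05-10T08:00:03Z","user":"admin","source_ip":"10.0.0.7"}',
    '{"event":"LOGIN_SUCCESS","ts":"2026-05-10T08:01:00Z","user":"alice","role":"admin","source_ip":"10.0.0.5"}',
    '{"event":"CVE_APPROVED","ts":"2026-05-10T08:02:00Z","user":"alice","role":"admin","source_ip":"10.0.0.5",'
    '"package":"example-app_1.2.3_amd64.deb","justification":"Vulnerable code path not built into this package"}',
    '{"event":"CVE_REJECTED","ts":"2026-05-10T08:03:00Z","user":"bob","role":"uploader","source_ip":"10.0.0.9",'
    '"package":"example-lib_0.9-1_amd64.deb","justification":""}',
])

# Constructed sample review queue, evaluated as of NOW.
SAMPLE_QUEUE = [
    {"package": "example-lib_0.9-1_amd64.deb", "severity": "Critical", "uploaded_at": "2026-05-11T09:00:00Z"},
    {"package": "example-tool_2.4-3_amd64.deb", "severity": "High", "uploaded_at": "2026-03-01T09:00:00Z"},
    {"package": "example-cli_1.0-1_amd64.deb", "severity": "Medium", "uploaded_at": "2026-04-01T09:00:00Z"},
]
NOW = datetime(2026, 5, 12, 12, 0, tzinfo=timezone.utc)


def parse_jsonl(text):
    """One JSON object per non-empty line, in file order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_iso(ts):
    """Parse the export's ISO-8601 UTC timestamps ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def failed_logins_by_ip(events, threshold=3):
    """Source IPs with at least `threshold` LOGIN_FAILURE events: a credential-guessing indicator."""
    counts = Counter(e["source_ip"] for e in events if e.get("event") == "LOGIN_FAILURE")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def cve_decision_findings(events):
    """CVE decisions without a justification, or recorded under a role other than admin.
    A non-admin decision should be impossible under the RBAC rules; if one appears
    in the log it points at a bug or misconfiguration and must be investigated."""
    findings = []
    for e in events:
        if e.get("event") not in ("CVE_APPROVED", "CVE_REJECTED"):
            continue
        if not e.get("justification", "").strip():
            findings.append(("missing_justification", e["package"], e["user"]))
        if e.get("role") != "admin":
            findings.append(("non_admin_decision", e["package"], e["user"]))
    return findings


def overdue_reviews(queue, now=NOW, sla_days=SLA_DAYS):
    """Queue entries pending longer than the SLA for their severity.
    Critical = 0 days means a same-day decision: anything still pending is overdue.
    Returns (package, severity, whole days past the SLA)."""
    overdue = []
    for item in queue:
        pending = now - parse_iso(item["uploaded_at"])
        limit = timedelta(days=sla_days[item["severity"]])
        if pending > limit:
            overdue.append((item["package"], item["severity"], (pending - limit).days))
    return overdue


def report(audit_jsonl=SAMPLE_AUDIT_JSONL, queue=SAMPLE_QUEUE, now=NOW):
    """Bundle the three findings into one JSON-serialisable structure for the dossier."""
    events = parse_jsonl(audit_jsonl)
    return {
        "failed_logins_by_ip": failed_logins_by_ip(events),
        "cve_decision_findings": cve_decision_findings(events),
        "overdue_reviews": overdue_reviews(queue, now),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

To use it on real exports, replace the two constructed samples with the contents of audit-YYYYMMDD.jsonl and pending-review-YYYYMMDD.json and set NOW to the collection time; the SLA table should be overridden with the values configured in the settings snapshot (step 4) if they differ from the defaults.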
Limitations and Residual Risks¶
The following limitations are known and should be documented in your risk treatment plan:
| Limitation | Residual risk | Recommended mitigation |
|---|---|---|
| No MFA in Repod v1 | Medium: credential theft could lead to unauthorised uploads | Enforce MFA at the IdP (LDAP-backed accounts with Entra ID (Azure AD) / Okta MFA) and record that control in the dossier, since Article 21(2)(j) names MFA explicitly |
| JWT not revocable before expiry (60 min TTL) | Low: short window, and the is_active flag is checked on every request, so disabling the account blocks the token | Monitor for anomalous activity during the 60-minute window |
| Volume /repos not encrypted by default | Medium (if physical access to storage is a threat) | Use LUKS, dm-crypt, or encrypted cloud volumes |
| TLS terminated at reverse proxy | Low: traffic between the proxy and Repod stays on the same host/network | Use mutual TLS for internal services if the threat model requires it |
| Single-node deployment | Medium for availability | External backups plus a documented and tested recovery procedure |
| unsafe-inline in CSP | Low: internal UI, no user-generated content in scripts | Planned remediation in v3 with nonce-based CSP |
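The last row only names the planned fix. As an added example that is not Repod's code and does not describe its UI stack, the following Python shows the weak policy next to the nonce-based form, with a check an auditor can run against a captured response to confirm that no inline script runs without a per-response nonce the header allows. The page template and the nonce length are assumptions.

```python
"""
Added example, not Repod's code: the 'unsafe-inline' CSP listed as a residual
risk next to the nonce-based policy the page says v3 will adopt, plus a checker
for (header, HTML) pairs captured from a real response.
"""
import re
import secrets

# Weak form: any inline <script> executes, so one HTML-injection bug becomes XSS.
CSP_WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'"


def new_nonce():
    """128 bits from the OS CSPRNG; generate a fresh one per response, never reuse."""
    return secrets.token_urlsafe(16)


def csp_nonce_header(nonce):
    """Hardened form: only inline scripts carrying this response's nonce may run."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"


def render_page(nonce):
    """Hypothetical template: the same nonce is stamped on every inline script tag."""
    return f'<html><body><script nonce="{nonce}">initDashboard();</script></body></html>'


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')


def inline_scripts_allowed(csp, html):
    """True only if script-src has no 'unsafe-inline' and every inline <script>
    carries a nonce listed in script-src. External scripts (with src=) are
    governed by host sources such as 'self' and are skipped here."""
    directives = {}
    for raw in csp.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0]] = parts[1:]
    script_src = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        return False
    allowed = {s[len("'nonce-"):-1] for s in script_src if s.startswith("'nonce-")}
    for attrs in _SCRIPT_TAG.findall(html):
        if re.search(r"\bsrc=", attrs):
            continue
        m = _NONCE_ATTR.search(attrs)
        if not m or m.group(1) not in allowed:
            return False
    return True


if __name__ == "__main__":
    n = new_nonce()
    print("weak policy passes:", inline_scripts_allowed(CSP_WEAK, render_page(n)))
    print("nonce policy passes:", inline_scripts_allowed(csp_nonce_header(n), render_page(n)))
```

The check fails closed: a script tag with no nonce, a stale nonce from another response, or a header that still lists 'unsafe-inline' all return False, which is the condition to look for when verifying the v3 remediation.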
Responsible Disclosure¶
To report a security vulnerability in Repod:
- Email: security@[your-organisation]
- PGP: [your PGP key fingerprint]
- Response SLA: acknowledgement within 72 hours, fix within 30 days for Critical/High
Do not report vulnerabilities through public issue trackers.
Generated for Repod v1.x, 2026-05-12
For the full security dossier including RBAC matrix and infrastructure hardening details, see Security dossier (CISO).