← Dashboard

Security Posture — GRC Executive Summary

Project: openclaw | May 29, 2026 | Engine: AEGIS v3.5.3 | 4180K lines of code across 16991 files

1. Security Posture At-a-Glance

0
Critical
0
High
41
Medium
9
Low
50
Total Findings

2. Compliance Framework Readiness

Readiness is evaluated using policy-driven heuristics based on each framework's risk tolerance. Thresholds reflect common audit expectations for critical and high-severity findings (including hardcoded secrets), not framework-mandated limits. Infrastructure compensating controls are factored into severity.

FedRAMP High
FAIL
FedRAMP Moderate
FAIL
PCI-DSS v4.0
FAIL
CMMC Level 2
FAIL
HIPAA
FAIL
SOC2 Type II
FAIL
ISO 27001
FAIL
DORA
FAIL
NIST CSF 2.0
FAIL
39 hardcoded secrets (0 critical, 39 high) counted toward compliance thresholds. Secrets are treated as findings because every major framework prohibits credentials in source code.

3. Finding Categories & Compensating Controls

Each finding category is listed with its count, severity (after infrastructure context adjustment), and the compensating controls in place.

CWENameCountSeverityCompensating Controls / Notes
CWE-396Declaration of Catch for Generic Exception38mediumAPI Gateway auth boundary detected.
CWE-918Server-Side Request Forgery7mediumArgument from admin-configured source. Internal service — not directly internet-facing. Internal service — not directly internet-facing.; API Gateway auth boundary detected. W4: finding in adapter/factory module — likely config-driven data flow.; API Gateway auth boundary detected.
CWE-1004Sensitive Cookie Without HttpOnly Flag1mediumAPI Gateway auth boundary detected.
CWE-400Uncontrolled Resource Consumption3lowAPI Gateway auth boundary detected.
CWE-22Path Traversal1lowArgument from admin-configured source. Internal service — not directly internet-facing. W4: finding in adapter/factory module — likely config-driven data flow.; API Gateway auth boundary detected.

4. Infrastructure Security Context

AEGIS automatically discovers infrastructure components and uses them to contextualize findings. The following compensating controls were detected and applied to severity ratings.

No infrastructure context was detected for this scan.

5. Sensitive Data Governance

39
Secrets Detected
25
Log Audit Findings (Mitigated)
39 secrets detected (0 critical, 39 high). Move secrets to environment variables or a secrets manager. Never commit credentials to source control.
25 log output findings detected. The PII-in-logs detector flagged identifiers in log statements that may include personal or sensitive data. Review log output to ensure sensitive data is masked or routed to access-controlled log infrastructure with appropriate retention policies.

6. Methodology

This assessment was performed using AEGIS, a governed Cyber Reasoning System developed by Equilateral AI. The analysis pipeline includes:

  • Static Analysis — AST-based parsing via tree-sitter for 14 languages, detecting 114 CWE patterns with CVSS 3.1 scoring.
  • Taint Analysis — Inter-procedural data flow tracking with 117 taint sources and 172 sinks, including RBAC-aware trust classification.
  • Infrastructure Discovery — Automatic detection of databases, auth boundaries, gateways, APM, containers, and cloud providers from IaC and configuration files.
  • Compensating Control Analysis — Infrastructure context is applied to adjust finding severity when architectural controls mitigate the risk (e.g., managed databases with VPC isolation reduce TLS cert verification findings).
  • Secret Detection — 29 patterns for API keys, tokens, and credentials with entropy analysis.
  • Compliance Mapping — Findings are mapped to 12 compliance frameworks (NIST 800-53, ISO 27001, SOC2, PCI-DSS, HIPAA, OWASP, EU AI Act, DORA, CMMC, FedRAMP, DoD SRG, SEC/FINRA).