package behavioral

v1.0.0-alpha.0

Warning: This package is not in the latest version of its module.

Published: Mar 27, 2026 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var Plans = map[string][]gemara.AssessmentStep{

	"CT.COMPLYCTL.CTRL01.AR01": {
		WriteConfig,
		SyncPolicy,
		SignatureVerified,
	},

	"CT.COMPLYCTL.CTRL02.AR01": {
		WriteConfig,
		SyncPolicy,
		DigestRecordedInState,
	},
	"CT.COMPLYCTL.CTRL02.AR02": {
		WriteConfig,
		SyncPolicy,
		OCILayoutExists,
	},

	"CT.COMPLYCTL.CTRL03.AR01": {
		UnsetEnvVarFails,
	},
	"CT.COMPLYCTL.CTRL03.AR02": {
		EnvVarResolution,
	},

	"CT.COMPLYCTL.CTRL04.AR01": {
		WriteConfig,
		InstallTestPlugin,
		SyncPolicy,
		MatchedEvaluatorRouting,
	},
	"CT.COMPLYCTL.CTRL04.AR02": {
		WriteConfig,
		InstallTestPlugin,
		SyncPolicy,
		EvaluatorMismatchRejected,
	},

	"CT.COMPLYCTL.CTRL05.AR01": {
		HTTPSchemeRejected,
	},
	"CT.COMPLYCTL.CTRL05.AR02": {
		HTTPSSchemeNoPlainHTTP,
	},

	"CT.COMPLYCTL.CTRL07.AR01": {
		WriteConfig,
		InstallTestPlugin,
		SyncPolicy,
		PluginBinaryIntegrityCheck,
	},

	"CT.COMPLYCTL.CTRL08.AR01": {
		WriteConfig,
		InstallTestPlugin,
		PluginSubprocessIsolation,
	},

	"CT.COMPLYCTL.CTRL09.AR01": {
		LogCredentialRedaction,
	},

	"CT.COMPLYCTL.CTRL06.AR01": {
		WriteConfig,
		InstallTestPlugin,
		SyncPolicy,
		EvaluationLogProduced,
	},
	"CT.COMPLYCTL.CTRL06.AR02": {
		WriteConfig,
		InstallTestPlugin,
		SyncPolicy,
		OSCALResultProduced,
	},
}

Plans maps each assessment requirement ID to its ordered step sequence. Reusable precondition steps (WriteConfig, SyncPolicy, InstallTestPlugin) prepare the shared BehavioralContext before the family-specific evaluator.

Functions

func BuildEnv

func BuildEnv(homeDir string) []string

BuildEnv creates an isolated environment with a custom HOME directory.

func ControlForRequirement

func ControlForRequirement(requirementID string) string

ControlForRequirement extracts the parent control ID from a requirement ID, e.g. "CT.COMPLYCTL.CTRL01.AR01" -> "CT.COMPLYCTL.CTRL01".

func DigestRecordedInState

func DigestRecordedInState(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

DigestRecordedInState checks state.json for a sha256 manifest digest recorded for the policy after a successful get (CTRL02.AR01).

func EnvVarResolution

func EnvVarResolution(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

EnvVarResolution verifies ${VAR} references resolve from the process environment at config load time (CTRL03.AR02).

func EvaluationLogProduced

func EvaluationLogProduced(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

EvaluationLogProduced verifies that scan produces a Gemara evaluation log YAML file in the .complytime/scan output directory (CTRL06.AR01).

func EvaluatorMismatchRejected

func EvaluatorMismatchRejected(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

EvaluatorMismatchRejected renames the installed test plugin so the evaluator ID no longer matches, then verifies generate fails (CTRL04.AR02).

func HTTPSSchemeNoPlainHTTP

func HTTPSSchemeNoPlainHTTP(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

HTTPSSchemeNoPlainHTTP verifies that an https:// registry URL does not enable plainHTTP on the OCI client (CTRL05.AR02).

func HTTPSchemeRejected

func HTTPSchemeRejected(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

HTTPSchemeRejected verifies the CLI rejects registry URLs with http:// scheme and requires https:// or localhost (CTRL05.AR01).
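The CTRL05 rule that the two steps above check (https:// required, http:// tolerated only for localhost, and plainHTTP enabled only in that case) can be expressed as a single decision function. This is an added illustration, not code from the behavioral package; the function name RegistryTransport and the choice to treat loopback IP literals like "localhost" are this example's assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// RegistryTransport applies the CTRL05 rule to a configured registry URL:
// https:// is accepted and keeps TLS (plainHTTP=false), http:// is accepted
// only for localhost and then enables plainHTTP, everything else is rejected.
// Treating loopback IP literals like "localhost" is this example's assumption.
func RegistryTransport(raw string) (plainHTTP bool, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, fmt.Errorf("invalid registry URL %q: %w", raw, err)
	}
	host := u.Hostname()
	switch u.Scheme {
	case "https":
		if host == "" {
			return false, fmt.Errorf("registry URL %q has no host", raw)
		}
		return false, nil
	case "http":
		if host == "localhost" || isLoopback(host) {
			return true, nil
		}
		return false, fmt.Errorf("registry URL %q uses http://; only https:// or localhost is allowed", raw)
	default:
		return false, fmt.Errorf("registry URL %q must use https:// (or http://localhost for local testing)", raw)
	}
}

// isLoopback reports whether host is a loopback IP literal such as 127.0.0.1 or ::1.
func isLoopback(host string) bool {
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

func main() {
	// Constructed sample URLs covering the accepted, local-only and rejected cases.
	for _, raw := range []string{"https://registry.example", "http://localhost:5000", "http://registry.example"} {
		plain, err := RegistryTransport(raw)
		fmt.Printf("%s -> plainHTTP=%v err=%v\n", raw, plain, err)
	}
}
```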

func InstallTestPlugin

func InstallTestPlugin(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

InstallTestPlugin copies the test plugin binary into the plugin directory.

func LogCredentialRedaction

func LogCredentialRedaction(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

LogCredentialRedaction verifies the log file does not contain plaintext values of target variables resolved from environment references (CTRL09.AR01).

func MatchedEvaluatorRouting

func MatchedEvaluatorRouting(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

MatchedEvaluatorRouting verifies generate routes to the matched plugin when the policy graph specifies an evaluator ID (CTRL04.AR01).

func OCILayoutExists

func OCILayoutExists(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

OCILayoutExists checks the OCI layout directory for the oci-layout marker file (CTRL02.AR02).

func OSCALResultProduced

func OSCALResultProduced(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

OSCALResultProduced verifies that scan with --format oscal produces an OSCAL assessment result JSON file (CTRL06.AR02).

func PluginBinaryIntegrityCheck

func PluginBinaryIntegrityCheck(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

PluginBinaryIntegrityCheck tests whether the plugin discovery process verifies binary integrity before launching a subprocess (CTRL07.AR01). NOT IMPLEMENTED: discovery matches only on filename prefix and executable bit. This test documents the gap and is expected to fail.

func PluginSubprocessIsolation

func PluginSubprocessIsolation(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

PluginSubprocessIsolation tests whether plugin subprocesses run with restricted privileges (CTRL08.AR01). NOT IMPLEMENTED: plugins run with same OS privileges as parent process. This test documents the gap and is expected to fail.

func SignatureVerified

func SignatureVerified(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

SignatureVerified checks that the get operation verified a cryptographic signature on the fetched policy manifest before caching (CTRL01.AR01). This test is expected to fail until signature validation is implemented. See R20 in specs/001-gemara-native-workflow/research.md for the deferral rationale and threat model.

func StartMockRegistry

func StartMockRegistry() *httptest.Server

StartMockRegistry creates an in-process mock OCI registry implementing the OCI Distribution Spec v2 endpoints with preseeded policy artifacts.

func SyncPolicy

func SyncPolicy(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

SyncPolicy runs `complyctl get` to pull the policy from the registry.

func UnsetEnvVarFails

func UnsetEnvVarFails(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

UnsetEnvVarFails verifies config loading fails with a descriptive error when a referenced environment variable is not set (CTRL03.AR01).
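The three environment-variable properties documented on this page (CTRL03.AR01: an unset reference fails with a descriptive error; CTRL03.AR02: ${VAR} resolves from the process environment; CTRL09.AR01: resolved values never appear in plaintext in the log) share one resolver, so a single added example covers them. This is illustrative code, not the package's own implementation; the function names ResolveEnvRefs and LeakedSecrets, the variable-name character set and the sample token are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// envRef matches ${VAR} references (brace syntax from the docs above; the name charset is assumed).
var envRef = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// ResolveEnvRefs substitutes every ${VAR} in cfg via lookup. An unset variable is a
// hard error naming it (CTRL03.AR01); on success the substituted values are also
// returned so the caller can treat them as secrets that must never reach a log.
func ResolveEnvRefs(cfg string, lookup func(string) (string, bool)) (string, []string, error) {
	var secrets, missing []string
	out := envRef.ReplaceAllStringFunc(cfg, func(ref string) string {
		name := envRef.FindStringSubmatch(ref)[1]
		val, ok := lookup(name)
		if !ok {
			missing = append(missing, name)
			return ref
		}
		secrets = append(secrets, val)
		return val
	})
	if len(missing) > 0 {
		return "", nil, fmt.Errorf("config references unset environment variable(s): %s", strings.Join(missing, ", "))
	}
	return out, secrets, nil
}

// LeakedSecrets returns the resolved values found verbatim in logText (the CTRL09.AR01
// check). Empty values are skipped so an empty variable cannot match every line.
func LeakedSecrets(logText string, secrets []string) []string {
	var leaked []string
	for _, s := range secrets {
		if s != "" && strings.Contains(logText, s) {
			leaked = append(leaked, s)
		}
	}
	return leaked
}

func main() {
	env := map[string]string{"REGISTRY_TOKEN": "tok-constructed-123"} // constructed placeholder value
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	_, secrets, err := ResolveEnvRefs("token: ${REGISTRY_TOKEN}\n", lookup)
	fmt.Println(err, LeakedSecrets("auth: tok-constructed-123", secrets)) // <nil> [tok-constructed-123]
}
```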

func WriteConfig

func WriteConfig(payload any) (gemara.Result, string, gemara.ConfidenceLevel)

WriteConfig writes a standard complytime.yaml to the context's WorkDir.

Types

type BehavioralContext

type BehavioralContext struct {
	Binary           string
	TestPluginBinary string
	HomeDir          string
	WorkDir          string
	Env              []string
	PolicyID         string
	RegistryURL      string
}

BehavioralContext carries the runtime environment needed by behavioral assessment steps. Each step receives this as its payload via the gemara.AssessmentStep interface.

func (*BehavioralContext) RunBinary

func (c *BehavioralContext) RunBinary(args ...string) (string, error)

RunBinary executes the complyctl binary with the given args in the context's working directory and returns combined output.
