Documentation
¶
Overview ¶
Package frameworks loads compliance framework definitions from embedded YAML files and exposes them for the reporters and the `checks list` / `checks show` commands.
Each framework file lives under internal/frameworks/<id>.yaml and is baked into the binary via go:embed -- compliancekit stays operable air-gapped per ARCHITECTURE.md §13.
As of v1.0 the catalog *types* (Framework, Control, Tactic, ResolvedControl) live in pkg/compliancekit and are part of the SemVer-stable surface; this package keeps the YAML loader, the merged-with-runtime registry, and the bundled embed.FS but does not own the type shapes.
Index ¶
- Constants
- Variables
- func All() (map[string]*Framework, error)
- func LoadAll() (map[string]*Framework, error)
- func Register(fw *Framework) error
- func RegisteredRuntime() []string
- func Unregister(id string) bool
- type Control
- type Framework
- type ResolvedControl
- type Tactic
- type Tailoring
- type TailoringRule
Constants ¶
const ( CategoryCompliance = compliancekit.CategoryCompliance CategoryThreatModel = compliancekit.CategoryThreatModel )
CategoryCompliance / CategoryThreatModel re-export the v1.0 public constants so existing internal callers don't have to swap imports during the migration window.
Variables ¶
var ErrFrameworkInvalid = fmt.Errorf("framework is nil or has empty ID")
ErrFrameworkInvalid is returned by Register when its argument is nil or has empty ID. Treat as a programmer error.
Functions ¶
func All ¶
All returns the loaded framework set, parsing the embedded YAML on first call and caching for subsequent calls, then merging any runtime-registered frameworks (see Register). Runtime entries take precedence over embedded entries with the same ID so operators can override a built-in catalog by providing their own via OSCAL-Catalog ingest at scan time. The map keys are framework IDs ("soc2", "cis-v8", "custom-internal"); values are owned by the cache and must not be mutated by callers.
func LoadAll ¶
LoadAll reads every embedded framework YAML and returns a map keyed by framework ID. Called once per process via the cached helpers below.
func Register ¶ added in v0.13.0
Register installs a framework into the runtime registry. v0.13+ uses this to bind frameworks loaded from external OSCAL Catalogs at scan time, so a customer's bespoke FedRAMP-style framework becomes scannable without writing a new embedded YAML.
Registering a framework whose ID matches an embedded one is allowed and intentional: the operator's runtime version takes precedence, which is how OSCAL Catalog ingest can shadow the bundled NIST 800-53 catalog with a customer-tailored variant.
Returns ErrFrameworkInvalid if fw is nil or has empty ID; in that case the registry is unchanged.
func RegisteredRuntime ¶ added in v0.13.0
func RegisteredRuntime() []string
RegisteredRuntime returns the IDs of frameworks added via Register. Sorted. Useful for the doctor command and for tests that need to isolate registry state. Excludes embedded frameworks.
func Unregister ¶ added in v0.13.0
Unregister removes a runtime-registered framework. Returns true if the entry existed. Embedded frameworks cannot be removed via this path — only runtime entries; the embedded set is always available to Get/All as the fallback layer.
Types ¶
type Control ¶
type Control = compliancekit.Control
Framework, Tactic, Control, and ResolvedControl alias the v1.0 public catalog types. YAML loading + the runtime registry keep operating against the aliased shapes; embedders building their own catalog import pkg/compliancekit directly.
type Framework ¶
type Framework = compliancekit.Framework
Framework, Tactic, Control, and ResolvedControl alias the v1.0 public catalog types. YAML loading + the runtime registry keep operating against the aliased shapes; embedders building their own catalog import pkg/compliancekit directly.
type ResolvedControl ¶
type ResolvedControl = compliancekit.ResolvedControl
Framework, Tactic, Control, and ResolvedControl alias the v1.0 public catalog types. YAML loading + the runtime registry keep operating against the aliased shapes; embedders building their own catalog import pkg/compliancekit directly.
func ResolveCheckControls ¶
func ResolveCheckControls(checkFrameworks map[string][]string) []ResolvedControl
ResolveCheckControls walks a check's Frameworks map and returns every (framework, control) pair it claims. Unknown framework IDs and unknown control IDs are silently skipped so a check referencing a framework not yet bundled in the binary still produces partial resolution rather than an error.
type Tactic ¶ added in v0.12.0
type Tactic = compliancekit.Tactic
Framework, Tactic, Control, and ResolvedControl alias the v1.0 public catalog types. YAML loading + the runtime registry keep operating against the aliased shapes; embedders building their own catalog import pkg/compliancekit directly.
type Tailoring ¶ added in v0.12.0
type Tailoring struct {
Rules []TailoringRule
}
Tailoring is the loaded set of operator-declared scope-outs. v0.12 surfaces it through the evidence pack (tailoring.json + a column in control-mapping.csv) and the HTML reporter (visible "scoped out" chip on the control).
func NewTailoring ¶ added in v0.12.0
func NewTailoring(rules []TailoringRule) (*Tailoring, error)
NewTailoring builds a Tailoring from a config rule list, validating non-empty fields. Cross-validation against the loaded framework catalog (does the framework exist? does the control exist within it?) happens lazily via Validate so callers can construct a Tailoring before LoadAll has run.
func (*Tailoring) Count ¶ added in v0.12.0
Count returns the number of rules. Convenience for evidence-pack header text ("3 controls tailored out").
func (*Tailoring) IsTailored ¶ added in v0.12.0
IsTailored is the boolean variant of Lookup.
type TailoringRule ¶ added in v0.12.0
type TailoringRule struct {
// Framework is the framework ID the rule applies to (e.g. "soc2",
// "pci-dss-v4"). Matched case-sensitively against framework.ID.
Framework string `mapstructure:"framework" yaml:"framework"`
// Control is the control ID within the framework (e.g. "CC1.4",
// "10.6.1"). Matched against the control map key.
Control string `mapstructure:"control" yaml:"control"`
// Justification is the operator's written reason for scoping the
// control out. v0.12 requires a non-empty justification — an
// auditor who reads the evidence pack should understand the
// decision without back-channeling the operator.
Justification string `mapstructure:"justification" yaml:"justification"`
}
TailoringRule records that an operator has consciously scoped a specific control out of their audit. v0.12 introduces tailoring so honest mappings stay honest — an inventory check that maps to PCI- DSS 10.6.1 still ships that mapping, and the operator declares "out of scope, no PAN data here" via a tailoring rule. The evidence pack carries the justification alongside the finding so auditors see the omission with its reason.
Source Files