Variables ¶
// OSPS maps each OSPS Baseline assessment ID to the ordered list of
// assessment steps that implement it. Each catalog YAML declares which IDs
// are active for a given Baseline version, so the SDK evaluates only the
// subset of this map that the catalog references.
//
// Steps are listed in the order they appear here; prerequisite checks
// (IsCodeRepo, IsActive, HasMadeReleases, HasSecurityInsightsFile, ...)
// precede the control-specific check. NOTE(review): presumably the SDK
// short-circuits when a prerequisite step fails — confirm against the SDK.
//
// Controls mapped to reusable_steps.NotImplemented have no automated check
// yet. NOTE(review): presumably that step reports a not-implemented /
// needs-review outcome rather than a pass — confirm against reusable_steps
// before treating such controls as satisfied.
//
// Controls mapped to reusable_steps.GithubBuiltIn are attributed to GitHub
// platform behaviour rather than repository configuration; the mapping is
// only meaningful for repositories hosted on GitHub.
var OSPS = map[string][]gemara.AssessmentStep{
	// ---- Access Control -------------------------------------------------
	"OSPS-AC-01.01": {reusable_steps.GithubBuiltIn},
	"OSPS-AC-02.01": {reusable_steps.GithubBuiltIn},
	"OSPS-AC-03.01": {access_control.BranchProtectionRestrictsPushes},
	"OSPS-AC-03.02": {access_control.BranchProtectionPreventsDeletion},
	"OSPS-AC-04.01": {access_control.WorkflowDefaultReadPermissions},
	"OSPS-AC-04.02": {reusable_steps.NotImplemented},

	// ---- Build & Release ------------------------------------------------
	"OSPS-BR-01.01": {build_release.CicdSanitizedInputParameters},
	"OSPS-BR-01.02": {build_release.CicdBranchNameSanitized},
	"OSPS-BR-02.01": {
		reusable_steps.HasMadeReleases,
		build_release.ReleaseHasUniqueIdentifier,
	},
	"OSPS-BR-02.02": {reusable_steps.NotImplemented},
	"OSPS-BR-03.01": {
		reusable_steps.HasSecurityInsightsFile,
		build_release.EnsureInsightsLinksUseHTTPS,
	},
	"OSPS-BR-03.02": {build_release.DistributionPointsUseHTTPS},
	"OSPS-BR-04.01": {
		reusable_steps.HasMadeReleases,
		build_release.EnsureLatestReleaseHasChangelog,
	},
	"OSPS-BR-05.01": {reusable_steps.NotImplemented},
	"OSPS-BR-06.01": {
		reusable_steps.HasMadeReleases,
		reusable_steps.HasSecurityInsightsFile,
		build_release.InsightsHasSlsaAttestation,
	},
	"OSPS-BR-07.01": {build_release.SecretScanningInUse},
	"OSPS-BR-07.02": {reusable_steps.NotImplemented},

	// ---- Documentation --------------------------------------------------
	"OSPS-DO-01.01": {
		reusable_steps.HasMadeReleases,
		reusable_steps.HasSecurityInsightsFile,
		docs.HasUserGuides,
	},
	"OSPS-DO-02.01": {
		reusable_steps.HasMadeReleases,
		reusable_steps.HasIssuesOrDiscussionsEnabled,
		docs.AcceptsVulnReports,
	},
	"OSPS-DO-03.01": {
		reusable_steps.HasMadeReleases,
		reusable_steps.HasSecurityInsightsFile,
		docs.HasSignatureVerificationGuide,
	},
	"OSPS-DO-03.02": {
		reusable_steps.HasMadeReleases,
		reusable_steps.HasSecurityInsightsFile,
		docs.HasIdentityVerificationGuide,
	},
	"OSPS-DO-04.01": {docs.HasSupportDocs},
	"OSPS-DO-05.01": {reusable_steps.NotImplemented},
	"OSPS-DO-06.01": {
		reusable_steps.IsCodeRepo,
		reusable_steps.HasMadeReleases,
		reusable_steps.HasSecurityInsightsFile,
		docs.HasDependencyManagementPolicy,
	},

	// ---- Governance -----------------------------------------------------
	"OSPS-GV-01.01": {
		reusable_steps.HasSecurityInsightsFile,
		reusable_steps.IsActive,
		governance.CoreTeamIsListed,
		governance.ProjectAdminsListed,
	},
	"OSPS-GV-01.02": {governance.HasRolesAndResponsibilities},
	"OSPS-GV-02.01": {reusable_steps.HasIssuesOrDiscussionsEnabled},
	"OSPS-GV-03.01": {governance.HasContributionGuide},
	"OSPS-GV-03.02": {
		reusable_steps.IsCodeRepo,
		reusable_steps.HasSecurityInsightsFile,
		reusable_steps.IsActive,
		governance.HasContributionReviewPolicy,
	},
	"OSPS-GV-04.01": {reusable_steps.NotImplemented},

	// ---- Legal ----------------------------------------------------------
	"OSPS-LE-01.01": {reusable_steps.GithubTermsOfService},
	"OSPS-LE-02.01": {legal.FoundLicense, legal.GoodLicense},
	"OSPS-LE-02.02": {legal.ReleasesLicensed, legal.GoodLicense},
	"OSPS-LE-03.01": {legal.FoundLicense},
	"OSPS-LE-03.02": {legal.ReleasesLicensed},

	// ---- Quality --------------------------------------------------------
	"OSPS-QA-01.01": {quality.RepoIsPublic},
	"OSPS-QA-01.02": {reusable_steps.GithubBuiltIn},
	"OSPS-QA-02.01": {quality.VerifyDependencyManagement},
	"OSPS-QA-02.02": {reusable_steps.NotImplemented},
	// Status checks may be enforced through either rulesets or classic
	// branch protection, so both sources are consulted.
	"OSPS-QA-03.01": {
		quality.StatusChecksAreRequiredByRulesets,
		quality.StatusChecksAreRequiredByBranchProtection,
	},
	"OSPS-QA-04.01": {
		reusable_steps.IsCodeRepo,
		reusable_steps.HasSecurityInsightsFile,
		reusable_steps.IsActive,
		quality.InsightsListsRepositories,
	},
	"OSPS-QA-04.02": {reusable_steps.NotImplemented},
	"OSPS-QA-05.01": {quality.NoBinariesInRepo},
	"OSPS-QA-05.02": {quality.NoUnreviewableBinariesInRepo},
	"OSPS-QA-06.01": {
		reusable_steps.IsCodeRepo,
		quality.HasOneOrMoreStatusChecks,
	},
	"OSPS-QA-06.02": {quality.DocumentsTestExecution},
	"OSPS-QA-06.03": {
		reusable_steps.IsCodeRepo,
		quality.DocumentsTestMaintenancePolicy,
	},
	"OSPS-QA-07.01": {quality.RequiresNonAuthorApproval},

	// ---- Security Assessment --------------------------------------------
	"OSPS-SA-01.01": {
		reusable_steps.HasMadeReleases,
		sec_assessment.HasDesignDocumentation,
	},
	"OSPS-SA-02.01": {reusable_steps.NotImplemented},
	"OSPS-SA-03.01": {reusable_steps.NotImplemented},
	"OSPS-SA-03.02": {reusable_steps.NotImplemented},

	// ---- Vulnerability Management ---------------------------------------
	"OSPS-VM-01.01": {
		reusable_steps.IsActive,
		reusable_steps.HasSecurityInsightsFile,
		vuln_management.HasVulnerabilityDisclosurePolicy,
	},
	"OSPS-VM-02.01": {
		reusable_steps.IsCodeRepo,
		vuln_management.HasSecContact,
	},
	"OSPS-VM-03.01": {
		reusable_steps.IsActive,
		reusable_steps.HasSecurityInsightsFile,
		vuln_management.HasPrivateVulnerabilityReporting,
	},
	"OSPS-VM-04.01": {reusable_steps.NotImplemented},
	"OSPS-VM-04.02": {reusable_steps.NotImplemented},
	"OSPS-VM-05.01": {reusable_steps.NotImplemented},
	"OSPS-VM-05.02": {reusable_steps.NotImplemented},
	"OSPS-VM-05.03": {reusable_steps.NotImplemented},
	// Note: this control reuses the shared dependency-management-policy
	// step rather than the docs package step used by OSPS-DO-06.01.
	"OSPS-VM-06.01": {reusable_steps.HasDependencyManagementPolicy},
	"OSPS-VM-06.02": {
		reusable_steps.IsCodeRepo,
		reusable_steps.HasSecurityInsightsFile,
		vuln_management.SastToolDefined,
	},
}
Functions ¶
func AllSteps ¶ added in v0.21.0
func AllSteps() map[string][]gemara.AssessmentStep
AllSteps merges all step maps into a single map for registration with the SDK. Assessment IDs are unique across catalogs (e.g., OSPS-* vs CRA-*), so the catalog YAML naturally filters to the correct subset at evaluation time. To add a new catalog family, define its step map and include it here.
A single shared map is safe across catalog versions because the OSPS maintenance policy (https://github.com/ossf/security-baseline/blob/main/docs/maintenance.md#identifiers) guarantees that a substantive change to a control results in a new identifier. This means the implementation for a given assessment ID will not diverge between versions, so all versions can share the same step function for the same key. Note that this safety rests on that policy being honoured upstream: if an identifier were ever reused with different semantics, the older step would silently be evaluated against the newer control with no error from this package.