evaluation_plans

package
v0.24.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 30, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// OSPS contains assessment step implementations for OSPS Baseline controls.
	// Each catalog YAML defines which IDs are active for that version,
	// so the SDK only runs the relevant subset.
	OSPS = map[string][]TypedStep{
		"OSPS-AC-01.01": {
			reusable_steps.GithubBuiltIn,
		},
		"OSPS-AC-02.01": {
			reusable_steps.GithubBuiltIn,
		},
		"OSPS-AC-03.01": {
			access_control.BranchProtectionRestrictsPushes,
		},
		"OSPS-AC-03.02": {
			access_control.BranchProtectionPreventsDeletion,
		},
		"OSPS-AC-04.01": {
			access_control.WorkflowDefaultReadPermissions,
		},
		"OSPS-AC-04.02": {
			reusable_steps.NotImplemented,
		},
		"OSPS-BR-01.01": {
			build_release.CicdSanitizedInputParameters,
		},
		"OSPS-BR-01.02": {
			build_release.CicdBranchNameSanitized,
		},
		"OSPS-BR-02.01": {
			reusable_steps.HasMadeReleases,
			build_release.ReleaseHasUniqueIdentifier,
		},
		"OSPS-BR-02.02": {
			reusable_steps.NotImplemented,
		},
		"OSPS-BR-03.01": {
			reusable_steps.HasSecurityInsightsFile,
			build_release.EnsureInsightsLinksUseHTTPS,
		},
		"OSPS-BR-03.02": {
			build_release.DistributionPointsUseHTTPS,
		},
		"OSPS-BR-04.01": {
			reusable_steps.HasMadeReleases,
			build_release.EnsureLatestReleaseHasChangelog,
		},
		"OSPS-BR-05.01": {
			reusable_steps.NotImplemented,
		},
		"OSPS-BR-06.01": {
			reusable_steps.HasMadeReleases,
			reusable_steps.HasSecurityInsightsFile,
			build_release.InsightsHasSlsaAttestation,
		},
		"OSPS-BR-07.01": {
			build_release.SecretScanningInUse,
		},
		"OSPS-BR-07.02": {
			reusable_steps.NotImplemented,
		},
		"OSPS-DO-01.01": {
			reusable_steps.HasMadeReleases,
			reusable_steps.HasSecurityInsightsFile,
			docs.HasUserGuides,
		},
		"OSPS-DO-02.01": {
			reusable_steps.HasMadeReleases,
			reusable_steps.HasIssuesOrDiscussionsEnabled,
			docs.AcceptsVulnReports,
		},
		"OSPS-DO-03.01": {
			reusable_steps.HasMadeReleases,
			reusable_steps.HasSecurityInsightsFile,
			docs.HasSignatureVerificationGuide,
		},
		"OSPS-DO-03.02": {
			reusable_steps.HasMadeReleases,
			reusable_steps.HasSecurityInsightsFile,
			docs.HasIdentityVerificationGuide,
		},
		"OSPS-DO-04.01": {
			docs.HasSupportDocs,
		},
		"OSPS-DO-05.01": {
			reusable_steps.NotImplemented,
		},
		"OSPS-DO-06.01": {
			reusable_steps.IsCodeRepo,
			reusable_steps.HasMadeReleases,
			reusable_steps.HasSecurityInsightsFile,
			docs.HasDependencyManagementPolicy,
		},
		"OSPS-GV-01.01": {
			reusable_steps.HasSecurityInsightsFile,
			reusable_steps.IsActive,
			governance.CoreTeamIsListed,
			governance.ProjectAdminsListed,
		},
		"OSPS-GV-01.02": {
			governance.HasRolesAndResponsibilities,
		},
		"OSPS-GV-02.01": {
			reusable_steps.HasIssuesOrDiscussionsEnabled,
		},
		"OSPS-GV-03.01": {
			governance.HasContributionGuide,
		},
		"OSPS-GV-03.02": {
			reusable_steps.IsCodeRepo,
			reusable_steps.HasSecurityInsightsFile,
			reusable_steps.IsActive,
			governance.HasContributionReviewPolicy,
		},
		"OSPS-GV-04.01": {
			reusable_steps.NotImplemented,
		},
		"OSPS-LE-01.01": {
			reusable_steps.GithubTermsOfService,
		},
		"OSPS-LE-02.01": {
			legal.FoundLicense,
			legal.GoodLicense,
		},
		"OSPS-LE-02.02": {
			legal.ReleasesLicensed,
			legal.GoodLicense,
		},
		"OSPS-LE-03.01": {
			legal.FoundLicense,
		},
		"OSPS-LE-03.02": {
			legal.ReleasesLicensed,
		},
		"OSPS-QA-01.01": {
			quality.RepoIsPublic,
		},
		"OSPS-QA-01.02": {
			reusable_steps.GithubBuiltIn,
		},
		"OSPS-QA-02.01": {
			quality.VerifyDependencyManagement,
		},
		"OSPS-QA-02.02": {
			reusable_steps.NotImplemented,
		},
		"OSPS-QA-03.01": {
			quality.StatusChecksAreRequiredByRulesets,
			quality.StatusChecksAreRequiredByBranchProtection,
		},
		"OSPS-QA-04.01": {
			reusable_steps.IsCodeRepo,
			reusable_steps.HasSecurityInsightsFile,
			reusable_steps.IsActive,
			quality.InsightsListsRepositories,
		},
		"OSPS-QA-04.02": {
			reusable_steps.NotImplemented,
		},
		"OSPS-QA-05.01": {
			quality.NoBinariesInRepo,
		},
		"OSPS-QA-05.02": {
			quality.NoUnreviewableBinariesInRepo,
		},
		"OSPS-QA-06.01": {
			reusable_steps.IsCodeRepo,
			quality.HasOneOrMoreStatusChecks,
		},
		"OSPS-QA-06.02": {
			quality.DocumentsTestExecution,
		},
		"OSPS-QA-06.03": {
			reusable_steps.IsCodeRepo,
			quality.DocumentsTestMaintenancePolicy,
		},
		"OSPS-QA-07.01": {
			quality.RequiresNonAuthorApproval,
		},
		"OSPS-SA-01.01": {
			reusable_steps.HasMadeReleases,
			sec_assessment.HasDesignDocumentation,
		},
		"OSPS-SA-02.01": {
			reusable_steps.NotImplemented,
		},
		"OSPS-SA-03.01": {
			reusable_steps.NotImplemented,
		},
		"OSPS-SA-03.02": {
			reusable_steps.NotImplemented,
		},
		"OSPS-VM-01.01": {
			reusable_steps.IsActive,
			reusable_steps.HasSecurityInsightsFile,
			vuln_management.HasVulnerabilityDisclosurePolicy,
		},
		"OSPS-VM-02.01": {
			reusable_steps.IsCodeRepo,
			vuln_management.HasSecContact,
		},
		"OSPS-VM-03.01": {
			reusable_steps.IsActive,
			reusable_steps.HasSecurityInsightsFile,
			vuln_management.HasPrivateVulnerabilityReporting,
		},
		"OSPS-VM-04.01": {
			reusable_steps.NotImplemented,
		},
		"OSPS-VM-04.02": {
			reusable_steps.NotImplemented,
		},
		"OSPS-VM-05.01": {
			reusable_steps.NotImplemented,
		},
		"OSPS-VM-05.03": {
			reusable_steps.NotImplemented,
		},
		"OSPS-VM-05.02": {
			reusable_steps.NotImplemented,
		},
		"OSPS-VM-06.01": {
			reusable_steps.HasDependencyManagementPolicy,
		},
		"OSPS-VM-06.02": {
			reusable_steps.IsCodeRepo,
			reusable_steps.HasSecurityInsightsFile,
			vuln_management.SastToolDefined,
		},
	}
)

Functions

func AllSteps added in v0.21.0

func AllSteps() map[string][]gemara.AssessmentStep

AllSteps merges all step maps into a single map for registration with the SDK. Assessment IDs are unique across catalogs (e.g., OSPS-* vs CRA-*), so the catalog YAML naturally filters to the correct subset at evaluation time. To add a new catalog family, define its step map and include it here.

A single shared map is safe across catalog versions because the OSPS maintenance policy (https://github.com/ossf/security-baseline/blob/main/docs/maintenance.md#identifiers) guarantees that substantive changes to a control result in a new identifier. This means implementations for a given assessment ID will not diverge between versions, so all versions can share the same step function for the same key.

Types

type TypedStep added in v0.24.0

TypedStep is the signature every step in this plugin uses: it receives a fully-typed data.Payload instead of an untyped any. AsAssessmentStep adapts it to gemara.AssessmentStep so the SDK can invoke it; the type assertion replaces the per-step VerifyPayload guard that used to live in every step.

func (TypedStep) AsAssessmentStep added in v0.24.0

func (s TypedStep) AsAssessmentStep() gemara.AssessmentStep

Directories

Path Synopsis
osps

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL