github.com/gemaraproj/gemara@v0.23.0

docs/tutorials/index.md

---
layout: page
title: Tutorials
---

## Start here

**Gemara Layers — Knowledge, Inputs & Outputs** — Start here if you're new to the model.

---

## Find Your Tutorial

Pick your goal — each path leads to the right guide.

### Performing a threat assessment

For a system or component → [Threat Assessment Guide](controls/threat-assessment-guide) — identify capabilities and threats, map them to attack surfaces (Layer 2).

### Defining security controls

That mitigate those threats → [Control Catalog Guide](controls/control-catalog-guide) — create a control catalog with assessment requirements and threat-mappings (Layer 2).

### Understanding what threats and controls exist

Before writing policy → [Threat Assessment Guide](controls/threat-assessment-guide)

→ **COMING SOON:** Review or author threat-informed controls that your policy will reference (Layer 2).

### Reviewing the controls to reference in a policy

→ **COMING SOON:** Understand the control catalog structure and assessment requirements (Layer 2).

### Understanding the security posture of consumed software

→ [Threat Assessment Guide](controls/threat-assessment-guide) — review threat catalogs for your dependencies (Layer 2).

→ **COMING SOON:** Use control catalogs (e.g. OSPS, CCC) as hardening guides (Layer 2).

### Creating a guidance catalog from best practices

From a spreadsheet or checklist — create a guidance catalog (guidelines, groups, mapping-references) that threat-informed controls can reference; express relationships to other frameworks in a [Mapping Document](https://gemara.openssf.org/schema/mapping.html). → [Guidance Catalog Guide](guidance/guidance-guide).

### Creating organizational policy

Create a policy document that translates risk appetite into mandatory rules — [Policy Guide](policy/policy-guide) — scope, imports, adherence, and risks (Layer 3).

---

## What You'll Build

| Layer | Artifact | Guide |
|-------|----------|-------|
| **Layer 1** — Guidance | Guidance Catalog (guidelines, groups, mapping-references) | [Guidance Catalog Guide](guidance/guidance-guide) |
| **Layer 2** — Controls | Threat Catalog + Control Catalog (assessment requirements, threats) | [Threat Assessment](controls/threat-assessment-guide), [Control Catalog](controls/control-catalog-guide) |
| **Layer 3** — Policy | Policy Document (scope, imports, adherence, risks) | [Policy Guide](policy/policy-guide) |

## What You'll Need

- `go` installed
- `cue` installed for validation

## Have Ideas?

- Reach out via Slack in `#gemara`
- Discuss in one of our bi-weekly meetings on the [OpenSSF calendar](https://calendar.google.com/calendar/u/0?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
- Open a [GitHub Issue](https://github.com/gemaraproj/gemara/issues)