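---
# Enforcement log: records what the enforcement engine did in response to
# pvtr evaluation findings for the gemaraproj/gemara repository.
# Each entry under `actions` links a disposition to the policy method that
# drove it and to the assessment (requirement / plan / log) that justified it.
metadata:
  id: "enforcement-log-001"
  type: EnforcementLog
  gemara-version: "0.20.0"
  version: "1.0.0"
  description: "Enforcement actions taken against pvtr evaluation findings for the Gemara repository"
  author:
    id: enforcement-engine
    name: "ComplyTime Enforcement Engine"
    type: Software
    version: "1.2.0"
    # NOTE(review): author uri is the evaluated repository, not the engine —
    # confirm this is intentional.
    uri: "https://github.com/gemaraproj/gemara"
  # Catalogues that `reference-id` / `entry-id` pairs below resolve against.
  mapping-references:
    - id: OSPS
      title: "Open Source Project Security Baseline"
      version: "2025.1"
      # NOTE(review): this URL points into the ossf/S2C2F repository; confirm
      # it resolves to Baseline version 2025.1 as cited above.
      url: "https://github.com/ossf/S2C2F/blob/main/specification/Open_Source_Project_Security_Baseline.md"
    - id: security-policy
      title: "Information Security Policy"
      version: "2.1.0"
    - id: eval-log
      title: "pvtr Evaluation Log"
      version: "2025-08-22"
    - id: exception-register
      title: "Approved Exception Register"
      version: "2025-Q3"

# Overall disposition for the log; individual actions below vary
# (Enforced, Clear, Tolerated).
disposition: Enforced

target:
  id: gemara-repo
  name: "gemaraproj/gemara"
  type: Software
  uri: "https://github.com/gemaraproj/gemara"
  environment: production
  owner:
    name: "Gemara Maintainers"
    affiliation: "OpenSSF"

actions:
  # Gate: a merge was blocked because the documentation requirement failed.
  - disposition: Enforced
    method:
      reference-id: security-policy
      entry-id: EM-GATE-01
    message: "Blocked merge: missing user documentation"
    start: "2025-08-22T16:05:00Z"
    end: "2025-08-22T16:05:01Z"
    steps:
      - github.com/gemaraproj/gemara/enforcement/gate.BlockMerge
    justification:
      assessments:
        - result: Failed
          requirement:
            reference-id: OSPS
            entry-id: OSPS-DO-01.01
          plan:
            reference-id: security-policy
            entry-id: AP-DO-01
          log:
            reference-id: eval-log
            entry-id: OSPS-DO-01

  # Auto-remediation: a repository setting was changed. The second step
  # verifies the change took effect rather than assuming it did.
  - disposition: Enforced
    method:
      reference-id: security-policy
      entry-id: EM-REMEDIATE-01
    message: "Auto-remediation: enabled private vulnerability reporting"
    start: "2025-08-22T16:06:00Z"
    end: "2025-08-22T16:06:03Z"
    steps:
      - github.com/gemaraproj/gemara/enforcement/remediate.EnablePrivateVulnReporting
      - github.com/gemaraproj/gemara/enforcement/remediate.VerifyVulnReportingActive
    justification:
      assessments:
        - result: Failed
          requirement:
            reference-id: OSPS
            entry-id: OSPS-DO-02.01
          plan:
            reference-id: security-policy
            entry-id: AP-DO-02
          log:
            reference-id: eval-log
            entry-id: OSPS-DO-02

  # Clear: nothing to enforce; the pass-through method records that the
  # engine evaluated and deliberately took no action.
  - disposition: Clear
    method:
      reference-id: security-policy
      entry-id: EM-PASS-01
    message: "All access control assessments passed; no enforcement action required"
    start: "2025-08-22T16:07:00Z"
    # NOTE(review): no `end` timestamp, unlike the Enforced/Tolerated entries —
    # confirm whether the schema reads a missing end as "instantaneous" or
    # "still running".
    steps:
      - github.com/gemaraproj/gemara/enforcement/allow.PassThrough
    justification:
      assessments:
        - result: Passed
          plan:
            reference-id: security-policy
            entry-id: AP-AC-01
          log:
            reference-id: eval-log
            entry-id: OSPS-AC-01

  # Tolerated: the assessment still fails; the failure is waived under an
  # approved exception rather than remediated. The finding remains open.
  - disposition: Tolerated
    method:
      reference-id: security-policy
      entry-id: EM-WAIVE-01
    message: "Waived: subproject listing requirement deferred per approved exception EXC-2025-042"
    start: "2025-08-22T16:08:00Z"
    end: "2025-08-22T16:08:00Z"
    steps:
      - github.com/gemaraproj/gemara/enforcement/waive.RecordException
    justification:
      assessments:
        - result: Failed
          requirement:
            reference-id: OSPS
            entry-id: OSPS-QA-04.01
          plan:
            reference-id: security-policy
            entry-id: AP-QA-04
          log:
            reference-id: eval-log
            entry-id: OSPS-QA-04
      exceptions:
        # NOTE(review): this reference carries no `entry-id`, so the waiver
        # cannot be resolved to a specific register entry the way the
        # requirement/plan/log references can; the exception id appears only
        # in free-text remarks. Consider adding the register entry id if the
        # schema allows it. Presumably the waiver is bounded by the register
        # version (2025-Q3) — confirm an expiry is tracked somewhere.
        - reference-id: exception-register
          remarks: "EXC-2025-042: Single-repository projects are exempt from the subproject listing requirement"

  # NOTE(review): disposition is Clear, but method and steps reuse the
  # EM-REMEDIATE-01 remediation path that the Enforced entry above records as
  # having changed a repository setting. Confirm this step is a no-op on a
  # passing target, or reference the pass-through method (EM-PASS-01 /
  # allow.PassThrough) as the other Clear entry does, so the log does not
  # suggest a mutation happened when nothing was found.
  - disposition: Clear
    method:
      reference-id: security-policy
      entry-id: EM-REMEDIATE-01
    message: "Autoremediation enforcement active; no noncompliance findings to act on"
    start: "2025-08-22T16:09:00Z"
    # NOTE(review): no `end` timestamp here either — see the first Clear entry.
    steps:
      - github.com/gemaraproj/gemara/enforcement/remediate.EnablePrivateVulnReporting
    justification:
      assessments:
        - result: Passed
          plan:
            reference-id: security-policy
            entry-id: AP-DO-02
          log:
            reference-id: eval-log
            entry-id: OSPS-DO-02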