// SPDX-License-Identifier: Apache-2.0

// Schema lifecycle: experimental | stable | deprecated
// "experimental" means the shape of the definitions below may still change.
@status("experimental")
package gemara

// @go attribute at package level; presumably names the Go package for generated
// types (the field-level @go attributes below select Go field names/types) — confirm.
@go(gemara)
// EnforcementLog records actions taken in response to noncompliance findings from Layer 5 evaluations.
// It embeds #Log (defined elsewhere) and fixes metadata.type to "EnforcementLog".
#EnforcementLog: {
	#Log
	metadata: type: "EnforcementLog"
	// disposition is the aggregate enforcement disposition across all actions in this log
	disposition: #Disposition
	// actions is the list of enforcement actions performed; at least one entry is required
	actions: [#ActionResult, ...#ActionResult] @go(Actions,type=[]*ActionResult)
	// Enforce that Clear dispositions only contain Passed assessment results.
	// NOTE(review): under CUE lexical scoping, `disposition` inside the element
	// struct resolves to the log-level field above, not to each ActionResult's own
	// disposition — confirm that is the intent. Only the assessment results are
	// constrained here; the per-action dispositions are not checked against the
	// aggregate, so a "Clear" log may still carry an "Enforced" action — confirm.
	actions: [...{
		if disposition == "Clear" {
			justification: assessments: [...{result: "Passed"}]
		}
	}]
}
24
// ActionResult captures a performed enforcement action: what was done, against
// which Policy method, when, by which code, and the assessment findings that
// justify it.
#ActionResult: {
	// disposition is the enforcement action taken
	disposition: #Disposition @go(Disposition)

	// method references the specific AcceptedMethod entry within the Policy being enforced
	method: #EntryMapping @go(Method)

	// message provides additional context about the action (optional; Go type *string so absence is distinguishable from "")
	message?: string @go(Message,type=*string)

	// start is the timestamp when the enforcement action began
	start: #Datetime

	// end is the timestamp when the enforcement action concluded.
	// Optional: an in-progress or abandoned action may have no end. Nothing here
	// requires end to be later than start — consumers should not assume ordering.
	end?: #Datetime

	// steps references the code paths or addresses that carried out this enforcement action.
	// At least one step is required. Each step is an unconstrained string (see
	// #EnforcementStep); the schema records the reference, it does not attest that
	// the referenced code ran — consumers should treat it as a claim by the logger.
	steps: [#EnforcementStep, ...#EnforcementStep]

	// justification links the action to its assessment findings and any applicable exceptions
	justification: #Justification @go(Justification)
}
48
// EnforcementStep is a reference to the code that performed an enforcement action.
// It is a plain string with no format constraint; presumably @go(-) suppresses a
// dedicated Go type for it (same attribute as #Disposition) — confirm.
#EnforcementStep: string @go(-)
51
// Justification provides the assessment data and exception references that justify an enforcement action.
#Justification: {
	// assessments links the action to one or more Assessment Findings; at least one is required
	assessments: [#AssessmentFinding, ...#AssessmentFinding] @go(Assessments)

	// exceptions references approved Policy exceptions that authorize the action.
	// NOTE(review): optional regardless of the action's disposition — a "Tolerated"
	// action is not required to cite an exception here. Confirm whether that is intended.
	exceptions?: [#ArtifactMapping, ...#ArtifactMapping] @go(Exceptions)
}
60
// AssessmentFinding maps an enforcement action to its originating assessment data across Layer 2, Layer 3, and Layer 5.
// Only result and log are required; requirement and plan are optional back-references.
#AssessmentFinding: {
	// result is the assessment outcome that triggered the enforcement action (#Result is defined elsewhere)
	result: #Result

	// requirement maps to the Layer 2 assessment requirement that was evaluated
	requirement?: #EntryMapping @go(Requirement)

	// plan maps to the Policy assessment plan that was executed
	plan?: #EntryMapping @go(Plan)

	// log maps to the EvaluationLog entry containing the finding; required so every
	// finding is traceable to the evaluation record it came from
	log: #EntryMapping @go(Log)
}
75
// Disposition enumerates the possible enforcement outcomes.
// Used both per action (#ActionResult.disposition) and as the aggregate for a
// whole #EnforcementLog. Presumably @go(-) suppresses a dedicated Go type — confirm.
#Disposition:
	// Enforcement outcome could not be determined.
	"Undetermined" |
	// Findings existed and actions were taken.
	"Enforced" |
	// Findings existed but were accepted without action.
	"Tolerated" |
	// No findings, nothing to act on.
	"Clear" @go(-)