1// SPDX-License-Identifier: Apache-2.0
2
3// Schema lifecycle: experimental | stable | deprecated
4@status("experimental")
5package gemara
6
7@go(gemara)
8
// EnforcementLog records actions taken in response to noncompliance findings from Layer 5 evaluations.
// It embeds #Log, pins metadata.type to "EnforcementLog", and requires at least one #ActionResult.
#EnforcementLog: {
 #Log
 metadata: type: "EnforcementLog"
 // disposition is the aggregate enforcement disposition across all actions in this log.
 // NOTE(review): nothing in this schema ties the aggregate to the per-action
 // ActionResult.disposition values (e.g. a "Clear" log may still list an "Enforced"
 // action) — confirm whether that is intended or should be constrained.
 disposition: #Disposition
 // actions is the list of enforcement actions performed. The list is non-empty,
 // so even a "Clear" log must carry at least one action; its contents are then
 // restricted by the constraint below.
 actions: [#ActionResult, ...#ActionResult] @go(Actions,type=[]*ActionResult)
 // Enforce that Clear dispositions only contain Passed assessment results.
 // `disposition` in the comprehension is resolved lexically (CUE scoping), i.e. it
 // refers to the log-level field above, not to each element's own
 // ActionResult.disposition, which only arrives via unification with #ActionResult.
 // The check assumes "Passed" is a member of #Result (defined elsewhere) — verify.
 actions: [...{
 if disposition == "Clear" {
 justification: assessments: [...{result: "Passed"}]
 }
 }]
}
24
// ActionResult captures a performed enforcement action: what was decided, which
// policy method authorised it, when it ran, which code carried it out, and why.
#ActionResult: {
 // disposition is the enforcement action taken for this single action
 // (distinct from the log-level aggregate in #EnforcementLog).
 disposition: #Disposition @go(Disposition)

 // method references the specific AcceptedMethod entry within the Policy being enforced
 method: #EntryMapping @go(Method)

 // message provides additional context about the action; free-form text, optional.
 message?: string @go(Message,type=*string)

 // start is the timestamp when the enforcement action began (required)
 start: #Datetime

 // end is the timestamp when the enforcement action concluded (optional).
 // NOTE(review): the schema neither requires end for a finished action nor
 // constrains end to be at or after start; consumers should validate ordering.
 end?: #Datetime

 // steps references the code paths or addresses that carried out this enforcement
 // action; at least one entry is required. Entries are unconstrained strings
 // (see #EnforcementStep), so their format must be checked by whatever reads them.
 steps: [#EnforcementStep, ...#EnforcementStep]

 // justification links the action to its assessment findings and any applicable exceptions
 justification: #Justification @go(Justification)
}
48
// EnforcementStep is a reference to the code that performed an enforcement action.
// It is a plain string: no path, URL or address format is enforced here, and the
// empty string is accepted. @go(-) appears to exclude it from Go type generation
// (presumably a plain string on the Go side) — confirm against the generated code.
#EnforcementStep: string @go(-)
51
// Justification provides the assessment data and exception references that justify an enforcement action.
#Justification: {
 // assessments links the action to one or more Assessment Findings (non-empty list)
 assessments: [#AssessmentFinding, ...#AssessmentFinding] @go(Assessments)

 // exceptions references approved Policy exceptions that authorize the action.
 // NOTE(review): this is optional for every disposition, so a "Tolerated" action
 // is not required by this schema to cite an exception; if that linkage is
 // expected, it has to be enforced elsewhere.
 exceptions?: [#ArtifactMapping, ...#ArtifactMapping] @go(Exceptions)
}
60
// AssessmentFinding maps an enforcement action to its originating assessment data across Layer 2, Layer 3, and Layer 5.
// Only result and log are required; requirement and plan are optional back-references.
#AssessmentFinding: {
 // result is the assessment outcome that triggered the enforcement action
 // (#Result is defined elsewhere in the package)
 result: #Result

 // requirement maps to the Layer 2 assessment requirement that was evaluated (optional)
 requirement?: #EntryMapping @go(Requirement)

 // plan maps to the Policy assessment plan that was executed (optional)
 plan?: #EntryMapping @go(Plan)

 // log maps to the EvaluationLog entry containing the finding (required, so every
 // finding is traceable back to a concrete evaluation record)
 log: #EntryMapping @go(Log)
}
75
// Disposition enumerates the possible enforcement outcomes. It is used both for
// the per-action ActionResult.disposition and the log-level aggregate in
// #EnforcementLog; only "Clear" carries an extra structural constraint there.
// @go(-) appears to exclude this definition from Go type generation — confirm.
#Disposition:
 // Enforcement outcome could not be determined.
 "Undetermined" |
 // Findings existed and actions were taken.
 "Enforced" |
 // Findings existed but were accepted without action.
 "Tolerated" |
 // No findings, nothing to act on.
 "Clear" @go(-)