github.com/gemaraproj/gemara@v1.3.0

test/test-data/good-audit-log.yaml

# Test fixture: a well-formed Gemara AuditLog document (the file name suggests
# it is the "good" / valid case for the audit-log loader; the schema itself is
# not visible here, so field meanings below are read from the values only).
metadata:
  id: audit-log-001
  type: AuditLog
  # Version-like values are quoted so a YAML parser keeps them as strings
  # rather than inferring a float ("1.1.0" is not a number anyway, but "2026"
  # and "2025.1" below would be).
  gemara-version: "1.1.0"
  version: "1.0.0"
  description: "Q1 2026 Gemara Audit"
  author:
    id: lead-auditor
    name: "Jane Auditor"
    type: Human
  # External documents this log cites. `security-policy` is used by `criteria`
  # and `OSPS` by every result's `criteria-reference`; `eval-log`,
  # `enforcement-log` and `github-api` are declared but no evidence entry below
  # points back to them by id (whether the evidence schema supports such a link
  # is not visible in this file).
  mapping-references:
    - id: security-policy
      title: "Information Security Policy"
      version: "2.1.0"
    - id: OSPS
      title: "Open Source Project Security Baseline"
      version: "2025.1"
      url: "https://baseline.openssf.org"
    - id: eval-log
      title: "PVTR Evaluation Log"
      # Quoted so the parser does not turn the date into a timestamp type.
      version: "2025-08-22"
      # example.com placeholder locations; no digest accompanies the URL, so a
      # consumer cannot verify it fetched the same artifact the auditor saw.
      url: "https://artifacts.example.com/eval-logs/pvtr-baseline-scan.yaml"
    - id: enforcement-log
      title: "Example Enforcement Log"
      version: "2025-08-22"
      url: "https://artifacts.example.com/enforcement-logs/enforcement-log-001.yaml"
    - id: github-api
      title: "GitHub Dependency Graph API"
      version: "2026"
      url: "https://docs.github.com/en/rest/dependency-graph"

# The system under audit.
target:
  id: gemara-repo
  name: "gemaraproj/gemara"
  type: Software
  uri: "https://github.com/gemaraproj/gemara"
  environment: production
  owner:
    name: "Gemara Maintainers"
    affiliation: "OpenSSF"

# RACI-style ownership of the audit itself (distinct from `target.owner`).
owner:
  responsible:
    - name: "Jane Auditor"
      affiliation: "External Audit Firm"
  accountable:
    - name: "Project Lead"
      affiliation: "OpenSSF"

summary: "Access control and quality controls are strong. Documentation controls have gaps requiring remediation."

# Top-level criteria set; `reference-id` matches a `mapping-references` id.
criteria:
  - reference-id: security-policy

# Individual results. `type` values seen in this fixture: Strength, Gap,
# Finding, Observation. Each result maps to one OSPS control via
# `criteria-reference.entries[].reference-id`.
results:
  - id: AR-AC-01
    title: "MFA enforcement verified"
    type: Strength
    description: "Multi-factor authentication is enforced at the organization level for all contributors."
    criteria-reference:
      reference-id: OSPS
      entries:
        - reference-id: OSPS-AC-01
    # No `evidence` block on this result; the fixture shows evidence is
    # optional for at least a Strength.

  - id: AR-DO-01
    title: "User documentation missing"
    type: Gap
    description: "No user guide is published or referenced in the Security Insights data."
    criteria-reference:
      reference-id: OSPS
      entries:
        - reference-id: OSPS-DO-01
    evidence:
      - id: EV-DO-01
        type: EvaluationLog
        description: "PVTR evaluation results for documentation controls"
        # Timestamps are quoted so they stay strings rather than parser-typed
        # datetimes.
        collected-at: "2025-08-22T16:02:00Z"
    recommendations:
      - id: REC-01
        text: "Add user guide references to the Security Insights file and publish basic user documentation."
        required: true

  - id: AR-DO-02
    title: "Vulnerability reporting channel not formalized"
    type: Finding
    description: "Private vulnerability reporting was not enabled prior to enforcement remediation."
    criteria-reference:
      reference-id: OSPS
      entries:
        - reference-id: OSPS-DO-02
    evidence:
      - id: EV-DO-02
        type: EnforcementLog
        description: "Enforcement actions taken for documentation failures"
        collected-at: "2025-08-22T16:05:00Z"
    recommendations:
      - id: REC-02
        text: "Formalize the private vulnerability reporting process and document it in SECURITY.md."
        # `required` is omitted here (REC-01 sets it explicitly); the default
        # for an absent `required` is not visible in this file — confirm
        # against the schema before relying on it.

  - id: AR-QA-01
    title: "Dependency manifests present"
    type: Observation
    description: "Repository includes dependency manifests and the dependency graph is accessible via GitHub API."
    criteria-reference:
      reference-id: OSPS
      entries:
        - reference-id: OSPS-QA-02
    evidence:
      - id: EV-QA-01
        # NOTE(review): evidence `type` is kebab-case here but PascalCase
        # (EvaluationLog, EnforcementLog) on the other entries — confirm which
        # form the evidence type enum accepts, or whether it is free text.
        type: api-response
        description: "Dependency manifests from the GitHub dependency graph SBOM endpoint"
        collected-at: "2026-02-10T15:05:00Z"