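---
# Gemara audit log record (type: AuditLog). The listing as captured had
# gutter line numbers fused into each line and its indentation flattened,
# which makes it unparseable as YAML; the structure below is reconstructed
# from the key hierarchy with all values kept verbatim.
metadata:
  id: audit-log-001
  type: AuditLog
  # Schema version this document is written against (quoted so "1.1.0"
  # stays a string and is not read as a float).
  gemara-version: "1.1.0"
  version: "1.0.0"
  description: "Q1 2026 Gemara Audit"
  author:
    id: lead-auditor
    name: "Jane Auditor"
    type: Human
  # External documents that results and criteria below point at by `id`.
  # NOTE(review): the eval-log and enforcement-log entries are identified by
  # URL and a date-like version only; no content digest binds a result to
  # the exact artifact reviewed — confirm whether the schema offers one.
  mapping-references:
    - id: security-policy
      title: "Information Security Policy"
      version: "2.1.0"
    - id: OSPS
      title: "Open Source Project Security Baseline"
      version: "2025.1"
      url: "https://baseline.openssf.org"
    - id: eval-log
      title: "PVTR Evaluation Log"
      version: "2025-08-22"
      url: "https://artifacts.example.com/eval-logs/pvtr-baseline-scan.yaml"
    - id: enforcement-log
      title: "Example Enforcement Log"
      version: "2025-08-22"
      url: "https://artifacts.example.com/enforcement-logs/enforcement-log-001.yaml"
    - id: github-api
      title: "GitHub Dependency Graph API"
      version: "2026"
      url: "https://docs.github.com/en/rest/dependency-graph"

# The system under audit.
target:
  id: gemara-repo
  name: "gemaraproj/gemara"
  type: Software
  uri: "https://github.com/gemaraproj/gemara"
  environment: production
  owner:
    name: "Gemara Maintainers"
    affiliation: "OpenSSF"

# Who performed the audit (responsible) and who answers for it (accountable).
owner:
  responsible:
    - name: "Jane Auditor"
      affiliation: "External Audit Firm"
  accountable:
    - name: "Project Lead"
      affiliation: "OpenSSF"

summary: "Access control and quality controls are strong. Documentation controls have gaps requiring remediation."

# NOTE(review): criteria cites security-policy, while every result below
# maps to OSPS control ids — confirm that the policy-level criterion is
# intentionally broader than the per-result references.
criteria:
  - reference-id: security-policy

# One entry per audit result; `type` distinguishes Strength / Gap /
# Finding / Observation as used by the entries below.
results:
  - id: AR-AC-01
    title: "MFA enforcement verified"
    type: Strength
    description: "Multi-factor authentication is enforced at the organization level for all contributors."
    criteria-reference:
      reference-id: OSPS
      entries:
        - reference-id: OSPS-AC-01

  - id: AR-DO-01
    title: "User documentation missing"
    type: Gap
    description: "No user guide is published or referenced in the Security Insights data."
    criteria-reference:
      reference-id: OSPS
      entries:
        - reference-id: OSPS-DO-01
    evidence:
      - id: EV-DO-01
        type: EvaluationLog
        description: "PVTR evaluation results for documentation controls"
        # Timestamps are quoted so they stay strings rather than parser-native datetimes.
        collected-at: "2025-08-22T16:02:00Z"
    recommendations:
      - id: REC-01
        text: "Add user guide references to the Security Insights file and publish basic user documentation."
        required: true

  - id: AR-DO-02
    title: "Vulnerability reporting channel not formalized"
    type: Finding
    description: "Private vulnerability reporting was not enabled prior to enforcement remediation."
    criteria-reference:
      reference-id: OSPS
      entries:
        - reference-id: OSPS-DO-02
    evidence:
      - id: EV-DO-02
        type: EnforcementLog
        description: "Enforcement actions taken for documentation failures"
        collected-at: "2025-08-22T16:05:00Z"
    recommendations:
      - id: REC-02
        text: "Formalize the private vulnerability reporting process and document it in SECURITY.md."
        # NOTE(review): unlike REC-01 this carries no `required` flag — confirm
        # whether the schema defaults it to false or treats it as unset.

  - id: AR-QA-01
    title: "Dependency manifests present"
    type: Observation
    description: "Repository includes dependency manifests and the dependency graph is accessible via GitHub API."
    criteria-reference:
      reference-id: OSPS
      entries:
        - reference-id: OSPS-QA-02
    evidence:
      - id: EV-QA-01
        # NOTE(review): evidence `type` here is kebab-case while the other
        # entries use PascalCase (EvaluationLog, EnforcementLog); verify
        # against the schema's allowed values before normalising.
        type: api-response
        description: "Dependency manifests from the GitHub dependency graph SBOM endpoint"
        collected-at: "2026-02-10T15:05:00Z"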