diff --git a/auditlog.cue b/auditlog.cue index 7e8f9321..cd175a21 100644 --- a/auditlog.cue +++ b/auditlog.cue @@ -67,23 +67,26 @@ package gemara required: *false | bool } -// Evidence records a specific data source consulted during an audit +// Evidence records what was cited to support an opinion for a specific activity: +// raw data for the evaluation layer, evaluation and enforcement artifacts for the audit layer. #Evidence: { // id uniquely identifies this evidence - id?: string + id: string // type categorizes the kind of evidence type: #EvidenceType - // collected is the timestamp when the evidence was gathered - collected: #Datetime @go(Collected) + // collected-at is the timestamp when the evidence was gathered + "collected-at": #Datetime @go(CollectedAt) - // location references the artifact containing this evidence - location: #ArtifactMapping + // payload is the raw evidence data collected + payload?: _ @go(Payload,type=any) // description explains what this evidence represents description?: string } -// EvidenceType categorizes the kind of evidence collected during an audit +// EvidenceType categorizes the kind of evidence. It remains an open enum: +// recommended values include artifact types already known to Gemara (e.g. +// EvaluationLog, EnforcementLog) plus categories for common evidence forms. #EvidenceType: #ArtifactType | string @go(-) diff --git a/evaluationlog.cue b/evaluationlog.cue index 034b0951..056e5704 100644 --- a/evaluationlog.cue +++ b/evaluationlog.cue @@ -55,6 +55,8 @@ package gemara recommendation?: string // ConfidenceLevel indicates the evaluator's confidence level in this specific assessment result. "confidence-level"?: #ConfidenceLevel @go(ConfidenceLevel) + // Evidence records the raw data cited to support this assessment's opinion. + evidence?: [#Evidence, ...#Evidence] @go(Evidence) } #AssessmentStep: string @go(-) diff --git a/test/test-data/good-audit-log.yaml b/test/test-data/good-audit-log.yaml index 6db03483..d5fa8b36 100644 --- a/test/test-data/good-audit-log.yaml +++ b/test/test-data/good-audit-log.yaml @@ -73,10 +73,8 @@ results: evidence: - id: EV-DO-01 type: EvaluationLog - location: - reference-id: eval-log description: "PVTR evaluation results for documentation controls" - collected: "2025-08-22T16:02:00Z" + collected-at: "2025-08-22T16:02:00Z" recommendations: - id: REC-01 text: "Add user guide references to the Security Insights file and publish basic user documentation." @@ -93,10 +91,8 @@ results: evidence: - id: EV-DO-02 type: EnforcementLog - location: - reference-id: enforcement-log description: "Enforcement actions taken for documentation failures" - collected: "2025-08-22T16:05:00Z" + collected-at: "2025-08-22T16:05:00Z" recommendations: - id: REC-02 text: "Formalize the private vulnerability reporting process and document it in SECURITY.md." @@ -112,8 +108,5 @@ results: evidence: - id: EV-QA-01 type: api-response - location: - reference-id: github-api - remarks: "GitHub dependency graph SBOM endpoint" - description: "Dependency manifests from GitHub dependency graph" - collected: "2026-02-10T15:05:00Z" + description: "Dependency manifests from the GitHub dependency graph SBOM endpoint" + collected-at: "2026-02-10T15:05:00Z" diff --git a/test/test-data/pvtr-baseline-scan.yaml b/test/test-data/pvtr-baseline-scan.yaml index 08459b55..42e82e81 100644 --- a/test/test-data/pvtr-baseline-scan.yaml +++ b/test/test-data/pvtr-baseline-scan.yaml @@ -32,6 +32,14 @@ evaluations: steps-executed: 1 start: 2025-08-22T16:02:00.000000000Z end: 2025-08-22T16:02:00.000003708Z + evidence: + - id: EV-AC-01-01 + type: api-response + collected-at: 2025-08-22T16:02:00.000003000Z + payload: + login: revanite-io + two_factor_requirement_enabled: true + description: Organization settings showing org-wide MFA enforcement control: reference-id: OSPS-B entry-id: OSPS-AC-01