-
Notifications
You must be signed in to change notification settings - Fork 1
CLI
evidentia-wiki-sync[bot] edited this page Jun 12, 2026
·
2 revisions
Auto-generated page. This page is generated from the live Evidentia codebase by
scripts/wiki/sync_reference.py. Do not edit it by hand; change the underlying code/data and re-run the generator (uv run python scripts/wiki/sync_reference.py).
Every evidentia command, subcommand, and flag, introspected from the live Typer application (evidentia.cli.main.app). Commands are listed alphabetically.
Applied to every command (pass before the subcommand, e.g. evidentia --offline gap analyze ...).
| Flag / argument | Description |
|---|---|
--verbose, -v |
Enable verbose (DEBUG) logging. |
--quiet, -q |
Suppress non-error output. |
--config |
Path to a evidentia.yaml config file. Defaults to walking CWD -> parents for the first evidentia.yaml found. |
--offline |
Air-gapped mode: refuse all outbound network calls. LLM features require an Ollama/vLLM/local endpoint. Use with evidentia doctor --check-air-gap to validate posture. |
--json-logs |
v0.7.0: emit logs as ECS 8.11-compliant JSON (one record per line) instead of human-readable Rich console output. Drop-in ingestable by Splunk / Elastic / Datadog / Sumo Logic / Microsoft Sentinel. Use in SIEM-ingest pipelines and CI systems that parse structured logs. |
--rbac-identity |
v0.9.6: identity string for CLI RBAC enforcement. Overrides EVIDENTIA_RBAC_IDENTITY env var when set. Policy is loaded from EVIDENTIA_RBAC_POLICY_FILE; default policy is permissive (single-tenant admin). |
--rbac-tenant |
v0.9.8: tenant claim for multi-tenant CLI RBAC. Overrides EVIDENTIA_RBAC_TENANT env var when set. Combined with --rbac-identity as @@ at decision time. Ignored when the loaded policy is single-tenant (no behavior change for v0.9.6 operators). |
--install-completion |
Install completion for the current shell. |
--show-completion |
Show completion for the current shell, to copy it or customize the installation. |
AI governance — EU AI Act + NIST AI RMF classification + AI system inventory (v0.9.3 P2).
Set FIPS 199 categorization on an AI system registry entry (v0.9.6 P3).
| Flag / argument | Description |
|---|---|
SYSTEM_ID |
— |
--confidentiality, -c |
FIPS 199 confidentiality impact: low / moderate / high. |
--integrity, -i |
FIPS 199 integrity impact: low / moderate / high. |
--availability, -a |
FIPS 199 availability impact: low / moderate / high. |
--rationale |
Optional free-text justification linking the impact ratings to underlying information types per NIST SP 800-60. |
One-shot classification (no persistence).
| Flag / argument | Description |
|---|---|
--descriptor |
Path to AISystemDescriptor YAML. |
--json |
Emit JSON instead of rich output. |
List registered AI systems.
| Flag / argument | Description |
|---|---|
--tier |
Filter by EU AI Act tier: unacceptable, high, limited, or minimal. |
--json |
Emit JSON instead of a rich table. |
Classify + persist an AI system to the registry.
| Flag / argument | Description |
|---|---|
--descriptor |
Path to AISystemDescriptor YAML. |
--provider |
Vendor or in-house team that supplies the AI system. |
--owner |
Responsible person or team within operator org. |
--deployment-status |
Lifecycle status: proposed / in_development / pilot / production / retired. Default: proposed. |
Retire a registered AI system (sets deployment_status=retired).
| Flag / argument | Description |
|---|---|
SYSTEM_ID |
— |
Set OMB M-24-10 impact category on an AI system entry (v0.9.6 P3).
| Flag / argument | Description |
|---|---|
SYSTEM_ID |
— |
--category |
OMB M-24-10 §5(b) category: rights_impacting / safety_impacting / rights_and_safety_impacting / neither. |
Show one registered AI system in detail.
| Flag / argument | Description |
|---|---|
SYSTEM_ID |
— |
--json |
Emit JSON instead of rich output. |
Update fields on an existing AI system registry entry.
| Flag / argument | Description |
|---|---|
SYSTEM_ID |
— |
--owner |
New responsible person or team. Unchanged if omitted. |
--provider |
New vendor/in-house team. Unchanged if omitted. |
--deployment-status |
New lifecycle status: proposed / in_development / pilot / production / retired. Unchanged if omitted. |
--ssp-reference |
v0.9.6 P3: URI / handle for the System Security Plan. Unchanged if omitted. |
--emit-scr |
v0.9.6 P3: write a Significant Change Request form pair (JSON + Markdown) at .json + .md after the update completes. Category auto-detected from the diff (routine_recurring / adaptive / transformative). |
Framework catalog commands.
Show cross-framework mappings for a control.
| Flag / argument | Description |
|---|---|
--source, -s |
Source framework ID. |
--target, -t |
Target framework ID. |
--control, -c |
Source control ID. |
Import a user-supplied catalog into the local user catalog directory.
| Flag / argument | Description |
|---|---|
[SOURCE] |
— |
--framework-id |
Override the framework_id in the imported file (default: read from file). |
--name |
Override the human-readable framework name. |
--license-terms |
Your statement about the content's source and licensing. |
--force |
Overwrite an existing user-imported framework with the same ID. |
--profile |
OSCAL profile JSON to resolve. Pair with --catalog. |
--catalog |
OSCAL source catalog JSON (used with --profile). |
--tier |
Redistribution tier of imported content (A/B/C/D). Default C. |
--catalog-dir |
Override user catalog directory (also via EVIDENTIA_CATALOG_DIR). |
Show licensing information for a framework (tier, terms, source URL).
| Flag / argument | Description |
|---|---|
FRAMEWORK_ID |
— |
List available framework catalogs, with optional filters.
| Flag / argument | Description |
|---|---|
--tier |
Filter by redistribution tier: A, B, C, or D. |
--category |
Filter by catalog type: control, technique, vulnerability, obligation. |
--bundled-only |
Show only catalogs shipped with the package. |
--user-only |
Show only user-imported catalogs. |
Remove a user-imported framework (bundled catalogs are never touched).
| Flag / argument | Description |
|---|---|
FRAMEWORK_ID |
— |
--catalog-dir |
Override user catalog directory. |
--yes, -y |
Skip confirmation prompt. |
Show controls in a framework catalog (or detail for one control).
| Flag / argument | Description |
|---|---|
FRAMEWORK |
— |
--control, -c |
Show detail for a specific control ID. |
Show where a framework is resolved from (user, bundled, or not found).
| Flag / argument | Description |
|---|---|
FRAMEWORK_ID |
— |
--catalog-dir |
Override user catalog directory. |
Evidence collectors — AWS, GitHub, etc.
Collect evidence from AWS Config + Security Hub.
| Flag / argument | Description |
|---|---|
--region, -r |
AWS region. Defaults to the SDK's resolved region. |
--profile, -p |
Optional AWS profile from ~/.aws/credentials. |
--include-config, --no-config |
Pull AWS Config non-compliant rule evaluations. |
--include-security-hub, --no-security-hub |
Pull Security Hub active findings. |
--output, -o |
Where to write the findings JSON. Default: stdout. |
Collect compliance evidence from a BitSight portfolio (read-only).
| Flag / argument | Description |
|---|---|
--token-env |
Name of the env var holding the BitSight API token. Defaults to BITSIGHT_API_TOKEN. The collector wraps the token in HTTP Basic auth (token:empty-password) internally; the token never appears in URLs. |
--base-url |
BitSight API base URL. |
--max-companies |
Hard cap on portfolio enumeration. Default 2000 — covers typical portfolios. |
--rating-threshold |
BitSight rating below which to emit a low-rating finding. Default 700 (BitSight's 'Basic' boundary between B and C grades). Range 250-900. |
--output, -o |
Where to write the findings JSON. Default: stdout. |
Convert SecurityFinding JSON to another format (v0.10.1).
| Flag / argument | Description |
|---|---|
--input, -i |
Path to a JSON file containing a list of SecurityFinding objects (as produced by any evidentia collect ... command). |
--format, -f |
Output format. Currently only ocsf (OCSF Compliance Finding bundle) is supported; future releases may add more. |
--output, -o |
Where to write the converted JSON. Default: stdout. |
Collect compliance evidence from a Databricks workspace (read-only).
| Flag / argument | Description |
|---|---|
--workspace-url, -w |
Databricks workspace URL. Example: https://my-workspace.cloud.databricks.com. Auth is delegated to the Databricks SDK's unified-auth resolver — set DATABRICKS_TOKEN env var (PAT) OR configure Azure AD / AWS IAM / OAuth M2M / .databrickscfg. The collector NEVER accepts a token via CLI flag per the secret-handling protocol. |
--output, -o |
Where to write the findings JSON. Default: stdout. |
Collect compliance evidence from a Drata workspace (read-only).
| Flag / argument | Description |
|---|---|
--token-env |
Name of the env var holding the Drata API token. The CLI reads from this env var rather than accepting the token as a flag (per secret-handling protocol). Defaults to DRATA_API_TOKEN. |
--base-url |
Drata Public API base URL. Override for staging / dev tenants. |
--max-vendors |
Hard cap on vendor enumeration. Default 2000 — covers typical orgs without unbounded pagination. |
--output, -o |
Where to write the findings JSON. Default: stdout. |
Collect evidence from a GitHub repository.
| Flag / argument | Description |
|---|---|
--repo, -r |
GitHub repository in 'owner/repo' format. |
--token |
GitHub personal access token. Defaults to $GITHUB_TOKEN. Required for private repos and higher rate limits. |
--output, -o |
Where to write the findings JSON. Default: stdout. |
Ingest OCSF Compliance / Detection Finding JSON (v0.10.1).
| Flag / argument | Description |
|---|---|
--input, -i |
OCSF JSON source — path to a local file OR an https:// URL. Accepts either a single OCSF finding or a JSON list. |
--output, -o |
Where to write the converted SecurityFinding JSON. Default: stdout. |
--url-timeout |
HTTP connect/read timeout in seconds (URL mode only). Default 10s. |
--url-max-bytes |
HTTP response body cap in bytes (URL mode only). Default 50 MB. |
--block-private-ips, --allow-private-ips |
(URL mode only, v0.10.2 F-V101-L1 close-out) Reject URLs that resolve to RFC1918 / link-local / loopback / multicast / reserved ranges before opening the connection. Default True — closes the SSRF surface that could otherwise expose AWS / GCP / Azure instance-metadata endpoints (169.254.169.254) or internal services. Use --allow-private-ips to override for trusted internal endpoints. |
Collect evidence from an Okta org (read-only).
| Flag / argument | Description |
|---|---|
--org-url, -u |
Okta org URL (e.g., https://your-org.okta.com). |
--inactive-threshold-days |
Days since last login that mark an ACTIVE user as inactive. Default: 90 (per AC-2(3)). |
--max-users |
Hard cap on user enumeration. Default: 10000. Increase only if your org is genuinely larger. |
--output, -o |
Where to write the findings JSON. Default: stdout. |
Collect compliance evidence from a SecurityScorecard portfolio (read-only).
| Flag / argument | Description |
|---|---|
--portfolio-id |
SSC portfolio identifier. If omitted, the collector lists portfolios first and pulls from the first available one. |
--token-env |
Name of the env var holding the SSC API token. Defaults to SECURITYSCORECARD_API_TOKEN. The collector passes Authorization: Token headers. |
--base-url |
SecurityScorecard API base URL. |
--max-companies |
Hard cap on portfolio enumeration. Default 2000 — covers typical portfolios. |
--score-threshold |
SSC score below which to emit a low-score finding. Default 70 (boundary between C and D grades). Range 0-100. |
--output, -o |
Where to write the findings JSON. Default: stdout. |
Collect compliance evidence from a Snowflake account (read-only).
| Flag / argument | Description |
|---|---|
--account, -a |
Snowflake account locator. Example: 'acme-prod' or 'acme-prod.us-east-1'. The driver appends '.snowflakecomputing.com' automatically. |
--user, -u |
Snowflake user for the audit principal. Recommended: dedicated EVIDENTIA_AUDIT_RO user with MONITOR USAGE on account + IMPORTED PRIVILEGES on the SNOWFLAKE shared database. |
--password-env |
Name of the env var holding the password. The CLI reads from this env var rather than accepting the password as a flag (per secret-handling protocol). Defaults to SNOWFLAKE_PASSWORD. |
--private-key-path |
Path to a PEM-encoded RSA private key for key-pair authentication. Preferred over password for production deployments. When set, --password-env is ignored. |
--warehouse, -w |
Optional warehouse name. Audit principals SHOULD use a dedicated low-cost warehouse (e.g. EVIDENTIA_AUDIT_WH XS auto-suspend 60s). |
--role, -r |
Optional role name. Defaults to the user's default role. |
--login-history-window-days |
How many days back to scan in LOGIN_HISTORY. Defaults to 90 (industry-standard window). |
--output, -o |
Where to write the findings JSON. Default: stdout. |
Collect compliance evidence from a SQL database (read-only).
| Flag / argument | Description |
|---|---|
--adapter, -a |
SQL adapter: postgres, mysql, sqlite, mssql, oracle. |
--connection-uri, -u |
Database connection URI WITHOUT embedded password. Example: postgres://reader@db.example.com/app?sslmode=require. Pass the password via the --password-env env var. |
--password-env |
Environment variable containing the DB password. Default: EVIDENTIA_POSTGRES_PASSWORD. The collector refuses to read the password from a CLI flag per the secret-handling protocol. |
--output, -o |
Where to write the findings JSON. Default: stdout. |
Collect compliance evidence from a Vanta TPRM workspace (read-only).
| Flag / argument | Description |
|---|---|
--token-env |
Name of the env var holding the Vanta API token. The CLI reads from this env var rather than accepting the token as a flag (per secret-handling protocol). Defaults to VANTA_API_TOKEN. The token can be either a Personal Access Token (developer / scripting use) or a pre-acquired OAuth 2.0 access token; both pass Authorization: Bearer . |
--base-url |
Vanta Public API base URL. Override for staging / dev tenants. |
--max-vendors |
Hard cap on vendor enumeration. Default 2000 — covers typical orgs without unbounded pagination. |
--output, -o |
Where to write the findings JSON. Default: stdout. |
Continuous Monitoring cycle calendar — read-only library for assessment + reporting cadences (v0.9.0 P3).
Report due-soon + overdue cycles from a tracked-state YAML.
| Flag / argument | Description |
|---|---|
--state-file |
YAML mapping {cadence_slug: ISO-8601-date} of last-completed dates per cycle. Canonical flag (v0.9.6 P1.4 normalized name; matches conmon watch, conmon health, and conmon mark-completed). Unknown slugs are warned (not errored). |
--last-completed-file |
DEPRECATED v0.9.6: use --state-file. This name is retained for a 6-month deprecation window; removal target = v1.0. Emits a DeprecationWarning when set. |
--today |
Override 'today' for deterministic CLI snapshots (YYYY-MM-DD). Production operators omit this flag. |
--window-days |
Due-soon window (days from today). Default: 14 days. Overdue cycles always surface regardless of this window. |
--json |
Emit JSON instead of human-readable tables. |
Inspect the alert-dedup state file.
| Flag / argument | Description |
|---|---|
--alert-dedup-file |
Path to the alert deduplication state file written by the conmon watch daemon. Missing file yields empty result. |
--slug |
Optional cadence-slug filter (exact match). |
--suppression-hours |
Suppression window used for the 'remaining' column. Should match the daemon's --alert-suppression-hours. Default: 24. |
--json |
Emit JSON instead of a rich table. |
Aggregate CONMON cycle health by framework.
| Flag / argument | Description |
|---|---|
--state-file |
YAML mapping {cadence_slug: ISO-8601-date} of last-completed dates. Same schema as evidentia conmon check --state-file. |
--today |
Override 'today' for deterministic snapshots (YYYY-MM-DD). Omit for real-time reports. |
--window-days |
Due-soon window in days. Default: 14. |
--framework, -f |
Restrict report to a single framework (e.g., nist-800-53-rev5). |
--json |
Emit machine-readable JSON instead of a rich table. |
List bundled + registered CONMON cadences.
| Flag / argument | Description |
|---|---|
--framework, -f |
Filter to cadences for a specific framework (e.g., nist-800-53-rev5, fedramp-rev5-mod, cmmc-v2). |
--json |
Emit machine-readable JSON instead of a rich table. |
Record a CONMON cycle completion in the state file.
| Flag / argument | Description |
|---|---|
SLUG |
— |
--when |
ISO-8601 date of cycle completion (YYYY-MM-DD). |
--state-file |
Path to the YAML state file the daemon polls. Created if it does not exist. |
--state-lock |
Acquire a sidecar file lock on .lock around the read-modify-write cycle. Opt-in (default off) preserves v0.9.3 single-writer perf path. Use when multiple processes (automation + human; multiple CI jobs) may mark completion against the same state file. Closes v0.9.3 F-V93-Q3 HIGH (race-condition). |
Compute the next-due date for a registered cadence.
| Flag / argument | Description |
|---|---|
SLUG |
— |
--last-completed |
ISO-8601 date of the last completed cycle. |
--json |
Emit JSON instead of human form. |
Long-running poll daemon for CONMON cycle attention-state.
| Flag / argument | Description |
|---|---|
--state-file |
YAML mapping {cadence_slug: ISO-8601-date} of last-completed dates. Re-read each poll cycle so operators can mark cycles completed without daemon restart. Missing file is tolerated — the daemon logs + retries. |
--poll-interval |
Seconds between poll cycles. Default: 3600s (1 hour). Minimum: 60s — sub-minute polling adds no signal for daily/weekly/monthly CONMON cadences. |
--window-days |
Due-soon window (days from today). Default: 14 days. Overdue cycles always surface regardless of this window. |
--alert-dedup-file |
Path to alerting deduplication state file (JSON). Required when any --smtp-* or --webhook-* flag is set. Prevents the same (slug, state) from re-alerting on every poll within the suppression window. |
--alert-suppression-hours |
Suppression window per (slug, state). Default: 24h. Set to 0 to alert on every detection (useful for testing; never in prod). |
--smtp-host |
SMTP server hostname. Enables SMTP alerting when set. |
--smtp-port |
SMTP server port. Default: 587 (STARTTLS submission). |
--smtp-username |
SMTP auth username. Omit for unauthenticated relays. |
--smtp-password-file |
Path to file containing SMTP password. Resolution precedence: this flag > EVIDENTIA_SMTP_PASSWORD env. CLI value flags for passwords are not accepted. |
--smtp-sender |
From: address. Required when --smtp-host is set. |
--smtp-recipient |
To: address (repeatable). At least one required when --smtp-host is set. |
--webhook-url |
HTTPS webhook URL. POSTs signed JSON payload on each alert. Enables webhook alerting when set. |
--webhook-secret-file |
Path to file containing webhook HMAC-SHA256 secret. Resolution precedence: this flag > EVIDENTIA_WEBHOOK_SECRET env. CLI value flags for secrets are not accepted. |
--webhook-allow-plaintext |
Permit http:// (cleartext) webhook URLs. Default off rejects cleartext to prevent payload + HMAC-header leakage to on-path attackers. v0.9.4 P1.2 closes F-V93-S2 MEDIUM (CWE-918 SSRF). |
--webhook-allow-private-network |
Permit webhook URLs resolving to loopback / RFC1918 / link-local / reserved IP ranges. Default off prevents SSRF + cloud-metadata-service exfiltration (169.254.169.254 IAM-credential leak vector). Opt in for legitimate on-host proxies or on-cluster receivers. v0.9.4 P1.2 closes F-V93-S2 MEDIUM (CWE-918). |
--state-lock |
Acquire sidecar file locks (.lock and .lock) around read-modify-write cycles. Opt-in (default off) preserves v0.9.3 single-writer perf path. Use when multiple processes (automation + human; multiple daemon instances against shared state) may race. Closes v0.9.3 F-V93-Q3 HIGH. |
--status-file |
JSON sidecar path the daemon writes after each poll cycle (last_poll_at, outcome, tracked_cadence_count, uptime). Pairs with GET /api/conmon/daemon-status for operator health-check visibility. Configure the server with EVIDENTIA_CONMON_DAEMON_STATUS_FILE=. Default off. |
--history-file |
JSONL rolling-history path the daemon appends to after each poll cycle. Pairs with GET /api/conmon/daemon-history for operator flap-detection visibility. Configure the server with EVIDENTIA_CONMON_DAEMON_HISTORY_FILE=. Trimmed to --history-max-entries entries on each append. Default off. |
--history-max-entries |
Cap on retained history entries. 100 × 1-hour poll interval = ~4 days of flap-detection visibility. Operators with shorter intervals or wanting longer history can raise this. |
Run a diagnostic check of the Evidentia installation.
| Flag / argument | Description |
|---|---|
--check-air-gap |
Run the air-gap validator: enumerate every subsystem that issues network calls and report each one's offline posture (Ollama-ready, custom api_base on loopback, or cloud-only). |
DFAH determinism harness (v0.8.0 P0.1). Validates that AI-driven artifact generation is auditor-defensibly reproducible.
Run the DFAH harness against the live RiskStatementGenerator.
| Flag / argument | Description |
|---|---|
--context, -c |
Path to system context YAML file (per evidentia risk generate --context). |
--gaps, -g |
Path to a gap report JSON (from evidentia gap analyze). |
--gap-id |
Run determinism check against a single gap by ID (otherwise all gaps). |
--limit, -n |
Maximum number of gaps to process (post --gap-id filter). |
--samples-per-prompt |
Number of generation calls per gap. Each call is a live LLM round-trip; 5×N gaps × per-call latency = the wall-clock cost. Operators tune for their LLM provider rate-limits + token budget. |
--fail-on-determinism-rate-below |
Exit 1 if the overall determinism rate falls below this threshold. Default 0.95 per arXiv 2601.15322 DFAH guidance. |
--output, -o |
Write the EvalResult JSON to this path. When omitted, only the summary line goes to stdout. |
--model, -m |
LiteLLM model identifier passed through to RiskStatementGenerator. Defaults to whatever the EVIDENTIA_LLM_MODEL env var or evidentia.yaml specifies. |
--temperature |
Sampling temperature. 0.0 maximises determinism; the harness will report violations if the LLM provider is non-deterministic at this temperature. |
--check-replay |
Additionally run a single replay-equivalence pass per gap (re-uses the determinism context). |
--sign, --no-sign |
v0.8.2 P3.2: produce a Sigstore bundle alongside the JSON output. Default: auto-detect — sign in CI release context (GITHUB_ACTIONS=true with an OIDC token available), skip otherwise. Requires --output. The bundle proves the eval was produced by a specific OIDC identity at a specific time — auditor-defensible evidence. |
--check-faithfulness |
v0.8.5 P1: also score each sample's modal output for faithfulness — the second arXiv 2601.15322 metric. Decomposes each generation into atomic claims (via LLM extraction) + scores each claim against the sample's source clauses. Requires --source-clauses-file. |
--faithfulness-threshold |
Minimum claim-score below which a FAITHFULNESS_VIOLATION fires. When unset (default), looks up the framework-aware default (NIST 0.60 / FFIEC 0.35 / ISO27001 0.30) for the per-prompt framework when --faithfulness-threshold-mode is 'framework-aware' (default), or 0.30 framework-agnostic when 'fixed'. Explicit values always win over the mode flag. Per-corpus calibration via scripts/tune_faithfulness_threshold.py. |
--faithfulness-method |
Scoring method: 'jaccard' (stdlib; default) or 'semantic' (requires pip install evidentia-ai[eval-faithfulness]). |
--faithfulness-threshold-mode |
v0.8.7 P2: how to resolve the threshold when --faithfulness-threshold is unset. 'framework-aware' (default) extracts framework from the prompt_id (format :<control_id>) + looks up the v0.8.5-empirical per-framework default via evidentia_eval.faithfulness.resolve_threshold(). 'fixed' uses the framework-agnostic 0.30 default. Explicit --faithfulness-threshold value always wins. |
--source-clauses-file |
Path to YAML mapping prompt_id → list[str] of source clauses. prompt_id matches the gap's ':<control_id>' (or ':<control_id>#N' for gap-disambiguation). Required when --check-faithfulness is set. |
Run the harness against a built-in deterministic stub.
| Flag / argument | Description |
|---|---|
--samples-per-prompt, -n |
Number of generation calls per prompt for the determinism check. |
--fail-on-determinism-rate-below |
Exit 1 if the overall determinism rate falls below this threshold. Default 0.95 (per arXiv 2601.15322 DFAH guidance). |
--output, -o |
Write the full :class:EvalResult JSON to this path. When omitted, only the summary line goes to stdout. |
--sign, --no-sign |
v0.8.2 P3.2: produce a Sigstore bundle alongside the JSON output (audit-grade evidence). Default: auto-detect — sign in CI release context (GITHUB_ACTIONS=true with an OIDC token available), skip otherwise. Requires --output to be set; explicit --sign without --output is a no-op. |
v0.8.2 P3.2: verify a signed eval output.
| Flag / argument | Description |
|---|---|
OUTPUT_PATH |
— |
--bundle, -b |
Path to the Sigstore bundle. Defaults to <output_path>.sigstore.json (the canonical naming from --sign). |
--expected-identity |
Optional. Require the signer's certificate identity to match (e.g., the GitHub Actions workflow URL for a tagged release: 'https://github.com///.github/workflows/release.yml@refs/tags/'). Must be paired with --expected-issuer (cosign model). |
--expected-issuer |
Optional. Require the OIDC issuer to match (e.g., 'https://token.actions.githubusercontent.com'). Must be paired with --expected-identity (cosign model). |
Evidence-artifact lineage commands — WORM-enforced append-only versioning (v0.9.6 P2).
Walk a lineage chain — list every persisted version with timestamps.
| Flag / argument | Description |
|---|---|
LINEAGE_ID |
— |
--store-dir |
Override the evidence-store directory. Defaults to $EVIDENTIA_EVIDENCE_STORE_DIR or platformdirs. |
--json |
Emit a structured JSON list instead of human text. |
Persist an evidence artifact (new lineage or new version).
| Flag / argument | Description |
|---|---|
YAML_FILE |
— |
--store-dir |
Override the evidence-store directory. Defaults to $EVIDENTIA_EVIDENCE_STORE_DIR or platformdirs. |
--json |
Emit a structured JSON summary instead of human text. |
Render one specific version of a lineage chain.
| Flag / argument | Description |
|---|---|
LINEAGE_ID |
— |
--version, -V |
Sequence number within the lineage chain (>=1). |
--store-dir |
Override the evidence-store directory. Defaults to $EVIDENTIA_EVIDENCE_STORE_DIR or platformdirs. |
--json |
Emit the artifact as JSON (the full model_dump). |
Plain-English LLM-generated control explanations.
Manage the explanation cache.
Remove all cached explanations.
| Flag / argument | Description |
|---|---|
--yes, -y |
Skip confirmation prompt. |
Show the cache directory location.
Translate a compliance control into plain English.
| Flag / argument | Description |
|---|---|
CONTROL_ID |
— |
--framework, -f |
Framework ID the control belongs to (e.g. 'nist-800-53-rev5'). Reads from evidentia.yaml when --framework is omitted and exactly one framework is configured. |
--model, -m |
LLM model. Defaults to $EVIDENTIA_LLM_MODEL, then evidentia.yaml llm.model, then 'gpt-4o'. |
--refresh |
Force re-generation even if a cached explanation exists. |
--format |
Output format: panel (Rich box, default), markdown, json. |
--output, -o |
Write to this file instead of stdout. |
Gap analysis commands.
Run gap analysis against one or more frameworks.
| Flag / argument | Description |
|---|---|
--inventory, -i |
Path to control inventory (YAML, CSV, or JSON). |
--frameworks, -f |
Comma-separated framework IDs, e.g. 'nist-800-53-mod,soc2-tsc'. Defaults to frameworks: list in evidentia.yaml when omitted. |
--output, -o |
Output file path for the report. |
--format |
Output format: json, csv, markdown, oscal-ar, sarif, ocsf, ocsf-detection (v0.10.5 — OCSF class_uid 2004, SIEM-target), cyclonedx-vex (v0.10.5 — CycloneDX 1.6 VEX, supply-chain). |
--show-efficiency-opportunities, --no-efficiency |
Include cross-framework efficiency analysis. |
--min-efficiency-frameworks |
Minimum frameworks for an efficiency opportunity. |
--organization, -O |
Override the organization name in the loaded inventory. Useful for CSV inputs (which have no org field) or when the inventory file's org name doesn't match the report recipient. |
--system-name |
Override the system / product name in the loaded inventory. Surfaces in report headers alongside the organization name. |
--findings |
Optional collector findings JSON (v0.7.0). When supplied with --format oscal-ar, each finding is embedded in the AR's back-matter with a SHA-256 digest and cross-referenced from observations sharing a control ID. Produce with evidentia collect aws --output ... or evidentia collect github .... |
--vendor-inventory |
Optional TPRM vendor inventory JSON (v0.7.9 P0.5). When supplied with --format oscal-ar, each vendor is added to the AR's metadata.parties[] (standard OSCAL discovery) AND back-matter.resources[] (tamper-evident vendor record with SHA-256 hash). Produce with evidentia tprm vendor list --json > vendors.json. |
--sign-with-gpg |
Optional GPG key ID (v0.7.0). When supplied with --format oscal-ar, the exported JSON is signed with a detached ASCII-armored signature written to .asc. Verify with evidentia oscal verify <output> --require-signature.
|
--sign-with-sigstore |
Optional Sigstore/Rekor signing (v0.7.0). When supplied with --format oscal-ar, the exported JSON is keyless-signed via Fulcio + Rekor using the workflow's ambient OIDC identity (GitHub Actions, Google Workload Identity, AWS, etc.). Bundle written to .sigstore.json by default. Coexists with --sign-with-gpg for defence-in-depth. Refused in air-gap mode (use GPG instead). Requires the [sigstore] extra: pip install 'evidentia-core[sigstore]'.
|
--sigstore-bundle |
Custom Sigstore bundle output path. Defaults to .sigstore.json. Only used with --sign-with-sigstore. |
--sigstore-identity-token |
Optional explicit OIDC token for Sigstore signing. When omitted, sigstore-python's detect_credential() resolves it from ambient GitHub Actions / GCP / AWS environment. Read from $SIGSTORE_ID_TOKEN if not passed. |
Compare two gap-analysis snapshots.
| Flag / argument | Description |
|---|---|
--base, -b |
Base gap report JSON (the 'before' state). If omitted with --head also omitted, auto-picks the two most recent reports from the gap store. |
--head, -H |
Head gap report JSON (the 'after' state). |
--fail-on-regression |
Exit with code 1 if new gaps were opened or severities increased. Use this in CI to fail PR checks on compliance regressions. |
--format |
Output format: console (Rich tables, default), json (machine-readable), markdown (PR-comment friendly), github (Actions workflow annotations). |
--output, -o |
Write diff to this file instead of stdout. |
Governance — Three Lines of Defense + Effective Challenge (v0.7.10 P1.5).
Effective Challenge log commands.
Add a new effective-challenge log record.
| Flag / argument | Description |
|---|---|
--subject-model-id |
ModelInventory.id being challenged. |
--challenger-email |
Email of the independent challenger. |
--challenger-role |
Challenger's role label (e.g., 'MRM Director'). |
--challenge-date |
ISO-8601 date the challenge event occurred (YYYY-MM-DD). |
--challenge-topic |
Short topic label. |
--challenge-substance |
Full substantive challenge text. |
--response |
Model owner's documented response (optional; can be added later via edit). |
--outcome |
Outcome: accepted / rejected / modify / pending. |
--outcome-rationale |
Rationale for the outcome decision. |
--resolved-at |
ISO-8601 date the challenge was resolved. |
List challenge records sorted newest-first by challenge_date.
| Flag / argument | Description |
|---|---|
--subject-model-id |
Filter by subject ModelInventory.id. |
--outcome |
Filter by outcome: accepted / rejected / modify / pending. |
--json |
Emit machine-readable JSON array instead of a table. |
Show a single challenge record by ID.
| Flag / argument | Description |
|---|---|
CHALLENGE_ID |
— |
--json |
Emit machine-readable JSON instead of formatted text. |
Generate a Three Lines of Defense distribution report.
| Flag / argument | Description |
|---|---|
--classifications, -c |
Path to a YAML overlay listing owners + line-of-defense classifications. See evidentia governance lines-report --help for the expected YAML shape. |
--output, -o |
Output path. If omitted, prints to stdout. |
--force |
Overwrite the output path if it already exists. |
KRI / KPI / KGI metric definitions + observations + reports.
Add a new KRI / KPI / KGI metric.
| Flag / argument | Description |
|---|---|
--name, -n |
Metric name. |
--description |
What this metric measures + why it's tracked. |
--kind |
kri / kpi / kgi. |
--direction |
higher_is_worse / higher_is_better. |
--unit |
Measurement unit (e.g., 'per 1000 logins', 'days', '%'). |
--owner-email |
Email of the metric owner (optional). |
--warning-threshold |
Watch threshold; semantics drive direction. |
--critical-threshold |
Breach threshold; semantics drive direction. |
--notes |
Optional free-text notes. |
Delete a metric by ID.
| Flag / argument | Description |
|---|---|
METRIC_ID |
— |
--yes |
Skip confirmation prompt. |
List metrics (filterable by kind).
| Flag / argument | Description |
|---|---|
--kind |
Filter by kri / kpi / kgi. |
--json |
Emit machine-readable JSON array. |
Record a new observation against an existing metric.
| Flag / argument | Description |
|---|---|
METRIC_ID |
— |
--value |
Observation value. |
--observed-at |
ISO-8601 date (YYYY-MM-DD) the observation was recorded. |
--note |
Optional contextual note. |
Generate a Markdown dashboard report across all metrics.
| Flag / argument | Description |
|---|---|
--output, -o |
Output path. If omitted, prints to stdout. |
--force |
Overwrite the output path if it exists. |
Show a single metric with full observation history.
| Flag / argument | Description |
|---|---|
METRIC_ID |
— |
--json |
Emit machine-readable JSON. |
Process-as-code governance workflows (change-approval, review cycles, etc.).
Transition a workflow step to a new status.
| Flag / argument | Description |
|---|---|
WORKFLOW_ID |
— |
--step |
Step index (0-based) to transition. |
--new-status |
approved / rejected / skipped / in_progress. |
--actor |
Actor identity (typically email). |
--note |
Optional rationale / approval note. |
Delete a workflow record by ID.
| Flag / argument | Description |
|---|---|
WORKFLOW_ID |
— |
--yes |
Skip confirmation prompt. |
List all workflows newest-first.
| Flag / argument | Description |
|---|---|
--json |
Emit machine-readable JSON array. |
Emit a Markdown audit-log of the workflow's full lifecycle.
| Flag / argument | Description |
|---|---|
WORKFLOW_ID |
— |
--output, -o |
Output path. If omitted, prints to stdout. |
--force |
Overwrite the output path if it exists. |
Instantiate a workflow from a YAML template + persist it.
| Flag / argument | Description |
|---|---|
--template, -t |
Path to a YAML workflow-template file. |
Show a single workflow's current state.
| Flag / argument | Description |
|---|---|
WORKFLOW_ID |
— |
--json |
Emit machine-readable JSON instead of formatted text. |
Initialize a new Evidentia project.
| Flag / argument | Description |
|---|---|
--directory, -d |
Target directory for the new project (default: current directory). |
--frameworks, -f |
Comma-separated default framework IDs. |
--organization, -o |
Organization name used in the generated evidentia.yaml. |
--preset |
Starter control set for my-controls.yaml. One of: soc2-starter, nist-moderate-starter, hipaa-starter, cmmc-starter, empty. |
--force |
Overwrite existing files. |
Output integrations — Jira, ServiceNow, etc.
Jira Cloud integration — push gaps as issues + status sync.
Push open gaps from a report as Jira issues.
| Flag / argument | Description |
|---|---|
--gaps, -g |
Path to a GapAnalysisReport JSON (from gap analyze --output). |
--severity, -s |
Comma-separated severities to push. E.g. 'critical,high'. Default: all severities. |
--max |
Safety rail: cap total creates. Good for first-time runs. |
--output, -o |
Where to write the updated report. Default: overwrite the input. Pass '-' to skip the write (dry-run). |
Print the Jira-status <-> GapStatus mapping currently in use.
| Flag / argument | Description |
|---|---|
--format, -f |
Output format: 'table' or 'json'. |
Pull status from Jira for every linked gap in the report.
| Flag / argument | Description |
|---|---|
--gaps, -g |
Path to a GapAnalysisReport JSON to sync. |
--output, -o |
Where to write the updated report. Default: overwrite the input. |
Verify Jira credentials + project access.
Power BI integration — push gap inventory + risk register + collection-run audit trail to a Power BI workspace.
Push gap inventory + risk register to Power BI as Push Datasets.
| Flag / argument | Description |
|---|---|
--gaps |
Path to a gap-analysis report JSON file. |
--workspace-id |
Power BI workspace ID (UUID). |
--tenant-id |
Azure AD tenant ID (UUID). |
--client-id |
Azure AD service-principal application (client) ID. Must have Dataset.ReadWrite.All on the target workspace. |
--client-secret-env |
Name of the env var holding the service-principal client secret. The CLI reads from this env var (never accepts the secret as a flag value). |
--risks |
Optional path to a JSON list of RiskStatement objects. |
--no-clear |
If set, append rows to existing datasets rather than clearing them first (default behavior is full-refresh via clear-then-push). |
ServiceNow integration — push gaps as records (incident / sn_grc_issue / custom).
Push open gaps from a report as ServiceNow records.
| Flag / argument | Description |
|---|---|
--gaps, -g |
Path to a GapAnalysisReport JSON. |
--force |
Create new records even if a matching correlation_id already exists. Rarely needed; mostly for testing. |
Verify ServiceNow credentials + table read access.
Tableau integration — publish gap inventory + risk register + collection-run audit trail to Tableau Server / Cloud.
Publish gap inventory + risk register to Tableau as data sources.
| Flag / argument | Description |
|---|---|
--gaps |
Path to a gap-analysis report JSON file (the output of 'evidentia gap analyze --output ...'). |
--server-url |
Tableau Server / Cloud base URL. Example: 'https://us-east-1.online.tableau.com' or 'https://tableau.acme.example.com'. NO trailing slash. |
--site-id |
Tableau site ID slug. For Tableau Cloud, this is the site you signed up for; for Tableau Server's default site, leave empty (default empty string). |
--project-name |
Project name on the Tableau site to publish into. Defaults to 'default' (auto-created on every site). |
--pat-name-env |
Name of the env var holding the PAT name. The CLI reads from this env var (never accepts the PAT name or secret as a flag value). |
--pat-secret-env |
Name of the env var holding the PAT secret. |
--risks |
Optional path to a JSON list of RiskStatement objects to publish as the 'evidentia-risks' dataset. |
--no-overwrite |
If set, publish in CreateNew mode and fail if the datasets already exist. Default is Overwrite (re-running the publish updates the existing data sources). |
Model Context Protocol (MCP) server (v0.8.0 P0.3). Exposes gap analysis, control lookup, and gap diff to MCP-aware AI clients.
Migrate a CIMD registry to grant the v0.9.6 conmon_* MCP tools.
| Flag / argument | Description |
|---|---|
REGISTRY_FILE |
— |
--client-id |
When set, apply the migration only to this client. Default: apply to every client in the registry. |
--tools |
Space-separated tool names to add (overrides the default v0.9.6 tool set). Use to migrate other future tool additions: --tools 'tool_a tool_b'. |
--dry-run |
Print the diff without writing. Use to preview the changes before committing. |
Validate the MCP server is ready to launch.
Run the MCP server (blocks until the client disconnects).
| Flag / argument | Description |
|---|---|
--transport, -t |
Transport selection. stdio (default) is the canonical MCP transport — used by Claude Desktop, Claude Code, etc. sse (server-sent events) and http (streamable-http) are the non-local transports for browser-based agents and remote MCP clients (v0.8.1 P3.1). |
--host |
Bind address for HTTP / SSE transports. Default 127.0.0.1 (loopback only). Use 0.0.0.0 to bind all interfaces — REQUIRES a reverse-proxy auth layer; the MCP server doesn't gate file-path tool inputs against an allow-root in v0.8.1. |
--port, -p |
Bind port for HTTP / SSE transports. Default 8765 (arbitrary unprivileged port; chosen to avoid collisions with evidentia serve's default 8000). |
--stdio, --no-stdio |
v0.8.0 backward-compat flag. --no-stdio errors out with a hint to use --transport instead. Will be removed in v1.0. |
--allow-root |
Bound directory for file-path tool inputs (v0.8.2 F-V81-S1). When set, gap_analyze + gap_diff validate their path inputs against this root via evidentia_core.security.paths.validate_within — out-of-root paths surface as PathTraversalError (MCP tool error, not server crash). Strongly RECOMMENDED for non-loopback HTTP / SSE deployments. When unset, file-path tools accept any path the server's UID can read (preserves v0.8.1 behavior; appropriate for stdio + loopback HTTP/SSE). |
--cimd-registry |
v0.8.5 P4: path to a CIMD (Client ID Metadata Document) registry JSON file. When set, the server loads + attaches the registry; per-client scope-gating logic (v0.8.6 P1) consults it via server.evidentia_cimd. Pair with --default-client-id for stdio. Optional. See evidentia_mcp.cimd for the file format. |
--default-client-id |
v0.8.6 P1: fallback client_id when the MCP request meta does not carry one. On stdio (canonical case), the wire protocol does NOT pass a per-request client_id, so this flag IS the client_id for the entire stdio session — set it to a slug registered in the CIMD registry to enable per-tool scope enforcement. On HTTP/SSE, the flag is a fallback when the MCP client did not set _meta.client_id. Documented as INFORMATIONAL (audit-trail granularity), NOT a security boundary on stdio. See evidentia_mcp.scope for the threat model. |
Model Risk Management — SR 11-7 / SR 26-02 model inventory (v0.7.10 P0.6).
Model documentation generators (SR 11-7 §III.A).
Generate SR 11-7-aligned model documentation in Markdown.
| Flag / argument | Description |
|---|---|
MODEL_ID |
— |
--output, -o |
Output path. If omitted, prints to stdout. The file is written atomically and never overwrites an existing path unless --force is set. |
--force |
Overwrite the output path if it already exists. |
Model inventory commands.
Add a new model to the inventory.
| Flag / argument | Description |
|---|---|
--name, -n |
Model name. |
--purpose |
Business purpose per SR 11-7 §III.A 'Conceptual Soundness'. |
--methodology, -m |
Model methodology. One of: statistical, ml, rules_based, llm, expert_judgment, hybrid. |
--vendor-or-internal |
Provenance. One of: internal, vendor. |
--vendor-id |
Required for vendor provenance: cross-link to TPRM Vendor.id. MUST be omitted for internal provenance. |
--tier, -T |
SR 11-7 criticality tier. One of: tier_1, tier_2, tier_3. Tier 1 = annual validation; Tier 2 = biennial; Tier 3 = triennial. |
--owner, -O |
Internal model owner (email or LDAP identifier). |
--last-validation-date |
Date of most recent validation (YYYY-MM-DD). |
--next-validation-due |
Override the auto-computed next-validation-due date (YYYY-MM-DD). When omitted, value is auto-computed from tier + last_validation_date. |
--retirement-plan |
Per SR 11-7 §III.C ongoing-monitoring expectations: documented retirement / replacement plan. |
--notes |
Free-text model notes. |
--from-yaml |
Load model from a YAML file. Use this for complex adds with nested fields (inputs / outputs / validation-findings / evidence-refs). Mutually exclusive with atomic-field flags except where the YAML has a missing field that a flag overrides. |
Delete a model record by ID.
| Flag / argument | Description |
|---|---|
MODEL_ID |
— |
--yes, -y |
Skip the confirmation prompt. |
Edit a model record.
| Flag / argument | Description |
|---|---|
MODEL_ID |
— |
--name |
— |
--purpose |
— |
--methodology |
— |
--tier |
— |
--owner |
— |
--last-validation-date |
YYYY-MM-DD |
--next-validation-due |
YYYY-MM-DD. Override the auto-computed value; otherwise auto-recomputed when --last-validation-date is updated. |
--retirement-plan |
— |
--notes |
— |
--from-yaml |
Replace the model record from a YAML file (full replace; preserves the original ID + created_at). |
--editor |
Open the current model record in $EDITOR as YAML; save the edited file to persist. Aborts on empty editor output. |
List models in the inventory, sorted by tier then name.
| Flag / argument | Description |
|---|---|
--tier, -T |
Filter by tier (tier_1 / tier_2 / tier_3). |
--methodology, -m |
Filter by methodology. |
--json |
Emit JSON array instead of a rich table. |
Show a single model record.
| Flag / argument | Description |
|---|---|
MODEL_ID |
— |
--json |
Emit JSON instead of formatted output. |
Validation report generators (SR 11-7 §III.D).
Generate SR 11-7-aligned validation cycle report in Markdown.
| Flag / argument | Description |
|---|---|
MODEL_ID |
— |
--output, -o |
Output path. If omitted, prints to stdout. The file is written atomically and never overwrites an existing path unless --force is set. |
--force |
Overwrite the output path if it already exists. |
OSCAL integrity + signature tooling (v0.7.0).
Verify digests + optional GPG and/or Sigstore signatures of an OSCAL AR document.
| Flag / argument | Description |
|---|---|
PATH |
— |
--require-signature |
Fail verification if no detached GPG signature is found next to the AR file. Default behaviour is opportunistic — verify the sig if present, pass on digests alone if absent. |
--signature |
Custom signature file path. Defaults to .asc next to the AR file. |
--gnupghome |
Override GNUPGHOME for signature verification. Useful when verifying against a specific keyring rather than the operator's default ~/.gnupg. |
--check-sigstore, --no-check-sigstore |
Verify a Sigstore bundle (.sigstore.json) if present. Default True. Use --no-check-sigstore to skip Sigstore checks entirely (e.g., for air-gap-only verification). |
--sigstore-bundle |
Custom Sigstore bundle path. Defaults to .sigstore.json next to the AR file. |
--expected-identity |
Expected Sigstore signer identity (email or OIDC subject). When omitted along with --expected-issuer, the verifier accepts ANY signer (UnsafeNoOp policy) and emits a warning. Both-or-neither with --expected-issuer (cosign model); supplying exactly one fails verification. Production audit pipelines should always set both. |
--expected-issuer |
Expected Sigstore identity issuer URL (e.g., 'https://token.actions.githubusercontent.com' for GitHub Actions OIDC). Both-or-neither with --expected-identity (cosign model). |
--json |
Emit the verification report as machine-readable JSON to stdout. Exit code reflects overall pass/fail regardless of output mode. |
Plan-of-Action-and-Milestones — federal-compliance remediation tracking (v0.9.0 P2).
Show overdue + due-soon milestones across all POA&Ms.
| Flag / argument | Description |
|---|---|
--window-days |
How many days ahead to look for 'due soon' milestones. Default: 7 days. Overdue milestones are always included regardless of this window. |
--today |
Override 'today' for deterministic CLI snapshots (YYYY-MM-DD). Useful for CI assertions; production operators omit this flag. |
--json |
Emit machine-readable JSON instead of a rich table. |
Auto-generate POA&M items from a gap-analysis report.
| Flag / argument | Description |
|---|---|
--from-gap-report |
Path to a JSON-serialized GapAnalysisReport (from evidentia gap analyze --output report.json or the saved gap_store). Each contained gap becomes one POA&M item, subject to the severity filter below. |
--all |
Materialize ALL gaps as POA&M items. Without this flag, only CRITICAL + HIGH gaps are materialized (the auditor-expected default per FedRAMP POA&M guidance: open POA&M items for material findings; document non-material gaps elsewhere). |
--overwrite |
Re-materialize POA&M items even if one already exists with the same ID (gap.id). Without this flag, existing POA&Ms are skipped to preserve milestone history. |
Remove a POA&M item from the store.
| Flag / argument | Description |
|---|---|
POAM_ID |
— |
--yes, -y |
Skip the interactive confirmation prompt. |
List POA&M items in the store.
| Flag / argument | Description |
|---|---|
--all |
Include POA&Ms whose underlying gap is REMEDIATED or ACCEPTED. Default shows only OPEN / IN_PROGRESS gaps. |
--severity |
Filter by gap severity. Comma-separated; choices: critical, high, medium, low, informational. |
--owner |
v0.9.5 P3.1: filter to POA&M items where at least one milestone's owner matches (exact-equality). Combine with --severity for owner-scoped triage views. |
--reviewer |
v0.9.5 P3.1: filter to POA&M items where at least one milestone's reviewer matches (exact-equality). |
--json |
Emit machine-readable JSON instead of a rich table. |
Milestone sub-commands.
Add a new milestone to an existing POA&M.
| Flag / argument | Description |
|---|---|
POAM_ID |
— |
--target-date |
ISO-8601 target completion date (YYYY-MM-DD). |
--description, -d |
Human-readable milestone description. |
--status |
Initial status. Default: planned. Valid: ['planned', 'in_progress', 'overdue', 'completed', 'verified']. |
--evidence-ref |
Optional reference to the evidence artifact (URL/URI/Sigstore bundle path/Jira key/etc.). |
Update an existing milestone. Backward state transitions blocked.
| Flag / argument | Description |
|---|---|
POAM_ID |
— |
MILESTONE_ID |
— |
--status |
Set the milestone status. Backward transitions blocked by the state machine (auditor-defensible monotonic progress). Valid: ['planned', 'in_progress', 'overdue', 'completed', 'verified']. |
--target-date |
Replace the target completion date (YYYY-MM-DD). |
--description, -d |
Replace the milestone description. |
--evidence-ref |
Set or replace the evidence reference. |
Show a single POA&M item in detail.
| Flag / argument | Description |
|---|---|
POAM_ID |
— |
--json |
Emit machine-readable JSON instead of human form. |
Edit a POA&M item's top-level fields.
| Flag / argument | Description |
|---|---|
POAM_ID |
— |
--status |
Set the gap-level status (open / in_progress / remediated / accepted / not_applicable). Forward-only for some transitions per the gap-store state machine. |
--assigned-to |
Set or clear the assigned-owner email/LDAP. |
--remediation-guidance |
Replace the remediation_guidance text. |
--add-tag |
Append a tag to the POA&M's tags list (deduplicated). |
--remove-tag |
Remove a tag from the POA&M's tags list. |
Audit chain-of-custody — retention metadata + WORM (v0.7.11 P0).
Delete a retention metadata record.
| Flag / argument | Description |
|---|---|
RETENTION_ID |
— |
--yes |
Skip confirmation prompt. |
Extend a record's lock-until date.
| Flag / argument | Description |
|---|---|
RETENTION_ID |
— |
--new-lock-until |
ISO-8601 date the new lock-until should be (YYYY-MM-DD). |
List retention records.
| Flag / argument | Description |
|---|---|
--classification |
Filter by classification. |
--lifecycle |
Filter by lifecycle stage: active / preserved / expired / purged. |
--json |
Emit machine-readable JSON array. |
Generate a Markdown retention-posture audit report.
| Flag / argument | Description |
|---|---|
--output, -o |
Output path. If omitted, prints to stdout. |
--force |
Overwrite the output path if it exists. |
Add a new retention metadata record.
| Flag / argument | Description |
|---|---|
--classification |
Retention classification: sec-17a-4 / finra-3110 / irs-tax / sox-404 / hipaa / glba / pci-dss / model-risk / gdpr / generic. |
--retention-period-days |
Retention period in calendar days. Defaults to the regulator-stated minimum for the classification. |
--record-pointer |
Pointer to the underlying record (file/S3/Azure URL). |
--legal-hold |
Mark this record as under legal hold from the start. |
--policy-name |
Optional cross-reference to a RetentionPolicy. |
--notes |
Free-text operator notes. |
Show a retention record's full details.
| Flag / argument | Description |
|---|---|
RETENTION_ID |
— |
--json |
Emit machine-readable JSON. |
Transition a record's lifecycle stage.
| Flag / argument | Description |
|---|---|
RETENTION_ID |
— |
--new-stage |
Target lifecycle stage: active / preserved / expired / purged. |
AI risk statement commands.
Generate NIST SP 800-30 risk statements for gaps using an LLM.
| Flag / argument | Description |
|---|---|
--context, -c |
Path to system context YAML file. |
--gaps, -g |
Path to a gap report JSON (from evidentia gap analyze). |
--gap-id |
Generate a risk statement for a single gap by ID. |
--model, -m |
LLM model name (e.g. 'gpt-4o', 'claude-sonnet-4', 'ollama/llama3.3'). |
--output, -o |
Output file path for generated risks. |
--limit, -n |
Maximum number of gaps to process. |
--emit-trace |
v0.8.0 P0.2: attach a Policy Reasoning Trace (PRT) per arXiv 2509.23291 to each generated risk statement. v0.8.0 ships a single-claim stub trace; v0.8.1 ships the substantive LLM-driven per-claim decomposition. Trace data flows through OSCAL emit + Sigstore signing today regardless of whether it's stub or LLM-driven. |
Compute dollarized risk quantification per the chosen method.
| Flag / argument | Description |
|---|---|
--method |
Quantification method: 'open-fair' (deterministic PERT-mean) or 'fair-mc' (Monte Carlo simulation, v0.7.12+). |
--scenarios, -s |
Path to a YAML or JSON file listing FAIR scenarios. |
--output, -o |
Output path. If omitted, prints the Markdown report to stdout. |
--force |
Overwrite the output path if it already exists. |
--iterations |
Monte Carlo iteration count (only with --method fair-mc). Default 10,000 (FAIR-U recommended convergence point). |
--seed |
Random seed for deterministic Monte Carlo runs (only with --method fair-mc). Pass an explicit int for golden-file tests + reproducible audit-trail outputs. |
--csv |
Path to write per-iteration ALE samples as CSV (only with --method fair-mc). Useful for downstream analysis in pandas or Excel. |
Start the Evidentia web UI (REST API + React SPA).
| Flag / argument | Description |
|---|---|
--host |
Host to bind the web UI to. Default 127.0.0.1 (localhost-only). Binding to 0.0.0.0 exposes the UI on your network; Evidentia has no auth in v0.4.0, so only do this if you know what you're doing. |
--port, -p |
Port to serve on (default: 8000). |
--dev |
Dev mode: permissive CORS for the Vite dev server at :5173. Use with npm run dev in packages/evidentia-ui/. |
--no-browser |
Don't auto-open a browser on startup. |
--reload |
Enable uvicorn --reload for backend development. |
--security-headers, --no-security-headers |
Inject defense-in-depth response headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Strict-Transport-Security, Permissions-Policy) on every response. Default: auto — enabled when --host is non-loopback (operator opted into network exposure); disabled for localhost-bound dev binds. Pass --security-headers to force ON; --no-security-headers to force OFF (e.g., when a TLS-terminating reverse proxy already injects these headers and you don't want duplicates). |
--auth-token-file |
v0.8.1 P3.3: path to a file containing the bearer token for the LocalTokenAuthProvider. When set, every /api/* route requires Authorization: Bearer <token> from the file. Liveness probes (/api/health, /api/version, /api/openapi.json, /api/docs, /api/redoc) bypass auth for Kubernetes / load-balancer readiness checks. When omitted (default), no auth gating fires — preserves v0.8.0 backward compat for localhost-only deployments. |
Third-Party Risk Management — vendor inventory + DD (v0.7.9 P0.1).
Concentration-risk report across the vendor inventory.
| Flag / argument | Description |
|---|---|
--by |
Comma-separated dimensions to aggregate by. Choices: 4th-party, cloud-provider, criticality-tier, region, regulatory-classification, service-category. |
--threshold |
Concentration percentage (0.0-100.0). Per-value rows whose vendor share meets-or-exceeds this get flagged in the output. Omit for unflagged distribution view. |
--format, -f |
Output format: html / json / csv. |
--output, -o |
Write to file path. If omitted: html dumps to stdout (use shell redirect); json + csv print to stdout. |
Due-diligence questionnaire commands.
Generate a due-diligence questionnaire pre-filled with vendor metadata.
| Flag / argument | Description |
|---|---|
--vendor-id |
Vendor ID (UUID) to generate the questionnaire for. |
--format |
Questionnaire framework. Choices: caiq-full, caiq-lite, evidentia-generic (packaged content). Also accepts 'sig' / 'sig-lite' when supplied with --from-template (BYO XLSX path; v0.7.9 P0.2 second slice). |
--output-format |
Output format: json / csv / xlsx. xlsx requires the [xlsx] extra (pip install 'evidentia-core[xlsx]'). |
--output, -o |
Write to file path. If omitted, writes to stdout — useful for pipe / shell-redirect patterns. Required for xlsx + for --from-template (binary outputs). |
--from-template |
Path to a Shared Assessments licensed SIG / SIG-Lite XLSX template. Required for --format sig / sig-lite. Evidentia pre-fills vendor metadata into the standard cells; the template's question content stays untouched (license compliance). v0.7.9 P0.2 second slice. |
Ingest a completed vendor questionnaire back into Evidentia.
| Flag / argument | Description |
|---|---|
--questionnaire |
Path to the completed questionnaire file. Auto-detects format from extension: .json / .csv / .xlsx. |
--vendor-id |
Optional vendor ID override. By default the ingest auto-correlates via the questionnaire's embedded vendor_id; pass this when correlation is missing or the operator wants to record the response against a different vendor record. |
--output-format |
Output format: table (default) / json. |
Vendor inventory commands.
Add a new vendor to the inventory.
| Flag / argument | Description |
|---|---|
--name, -n |
Vendor legal name. |
--type, -t |
Vendor type. One of: saas, subservice_org, contractor, data_processor, cloud_provider, open_source. |
--criticality-tier, -c |
FFIEC criticality tier. One of: critical, high, medium, low. |
--owner, -O |
Internal relationship owner (email or LDAP identifier). |
--contract-start-date |
Contract effective date (YYYY-MM-DD). |
--contract-end-date |
Contract end date (YYYY-MM-DD); omit for indefinite. |
--last-due-diligence-review |
Date of most recent completed DD review (YYYY-MM-DD). |
--next-review-due |
Override the auto-computed next-review-due date (YYYY-MM-DD). When omitted, the value is auto-computed from criticality_tier + last_due_diligence_review. |
--region |
Free-text geo / cloud-region label (max 128 chars). Used by concentration-report --by region. |
--regulatory-classification |
Comma-separated list. Choices: custody, clearing, model, data_processor, critical_third_party. |
--residual-risk-score, -r |
Residual risk score (1-25; 0 = unscored). |
--notes |
Free-text vendor notes. |
--from-yaml |
Load vendor from a YAML file. Use this for complex adds with 4th-parties + evidence-refs. Mutually exclusive with atomic-field flags except where the YAML has a missing field that a flag overrides. |
Delete a vendor from the inventory.
| Flag / argument | Description |
|---|---|
VENDOR_ID |
— |
--yes, -y |
Skip the confirmation prompt. |
Edit a vendor record.
| Flag / argument | Description |
|---|---|
VENDOR_ID |
— |
--name |
— |
--type |
— |
--criticality-tier |
— |
--owner |
— |
--contract-end-date |
YYYY-MM-DD |
--last-due-diligence-review |
YYYY-MM-DD |
--next-review-due |
YYYY-MM-DD. Override the auto-computed next-review-due date; otherwise auto-recomputed when --last-due-diligence-review is updated. |
--region |
Free-text geo / cloud-region label (max 128 chars). Used by concentration-report --by region. |
--regulatory-classification |
Comma-separated; replaces existing list. |
--residual-risk-score |
— |
--notes |
— |
--from-yaml |
Replace the vendor record from a YAML file (full replace; preserves the original ID + created_at). |
--editor |
Open the current vendor record in $EDITOR as YAML; save the edited file to persist. Aborts on empty editor output. |
List vendors in the inventory, sorted by criticality then name.
| Flag / argument | Description |
|---|---|
--criticality-tier, -c |
Filter by criticality tier (critical/high/medium/low). |
--type, -t |
Filter by vendor type. |
--json |
Emit JSON array instead of a rich table. |
Show a single vendor's full details.
| Flag / argument | Description |
|---|---|
VENDOR_ID |
— |
--json |
Emit raw JSON instead of human-readable view. |
Show Evidentia version and Python environment information.
-
- AI Governance
- Air Gapped Install
- Ci Integration
- CONMON Deployment
- Emit Cyclonedx VEX
- Emit OCSF Detection
- Emit SARIF
- Explain Controls
- Generate And Quantify Risk
- Governance Metrics And Workflows
- Ingest OCSF
- Manage Model Risk
- Manage POAM
- Manage Third Party Risk
- MCP Client Setup
- OSPS Self Assessment
- Run Gap Analysis
- Serve The Web Ui
- Sign And Verify Evidence