-
Notifications
You must be signed in to change notification settings - Fork 1
Framework Conformance
There are two different "conformance" questions about Evidentia, and they are easy to confuse:
- Which frameworks does Evidentia ship catalogs for? — that is the Catalog inventory (92 catalogs Evidentia helps you assess against).
- Which standards does Evidentia itself conform to, as a software project? — that is this page.
This page covers the second question. Everything below is a self-assessment: Evidentia has not undergone a third-party audit. Where a claim is independently checkable (a public badge, a CI gate), the link is provided so you can verify it yourself.
Evidentia publishes a per-control conformance attestation against the
OpenSSF Open Source Project Security Baseline v2026.02.19 at
OSPS-CONFORMANCE.md
(repo root).
The attested claim is Maturity 2, with partial Maturity 3. As of the 2026-05-27 walk:
| Maturity | PASS / Total | Conformance |
|---|---|---|
| Maturity 1 | 24 / 24 | 100% |
| Maturity 2 | 39 / 41 | 95% |
| Maturity 3 | 55 / 62 | 89% |
The walk covers 64 active assessment-requirements across 41
top-level controls (1 requirement, OSPS-BR-01.02, is Retired
upstream and excluded). The aggregate verdict is 57 PASS / 7
HONEST_GAP / 0 FAIL — zero FAIL verdicts; every non-PASS is
documented as an HONEST_GAP with a concrete resolution path.
Four of the seven gaps are structurally unreachable for a
single-maintainer project — they require ≥2 unassociated contributors
(two-person review, formal permission-grant review, etc.) and are tied
to the SOC 2 Type I segregation-of-duties milestone in
v1.0-transition.md.
The other three (CI/CD least-privilege audit, VEX emission, an
osv-scanner PR-blocking gate) have scoped resolution paths on the
v0.10.7 / v0.11.x roadmap. The full gap table is in the conformance
document itself.
A GitHub Actions gate,
verify-osps-conformance.yml,
re-validates every claimed-PASS evidence link in the conformance
document on every push to main, on every pull request, and on a weekly
cron. Each evidence link is translated to its GitHub REST API endpoint
and probed for HTTP 200; any 404 fails the workflow. So the attestation
cannot silently rot as the codebase evolves — a renamed or deleted
evidence file breaks CI.
For the full walkthrough of the OSPS Baseline catalogs, crosswalks, and the 16 GitHub conformance-check collector helpers, see the OSPS Baseline mapping showcase page. To fork this self-attestation pattern for your own project, see Guides → OSPS self-assessment.
First-mover note. At the time of publication (2026-05-27), a
gh api search/code "filename:OSPS-CONFORMANCE.md"query returnedtotal_count: 0. Evidentia is, to its knowledge, the first public open-source project to ship a machine-readable per-control OSPS Baseline conformance attestation paired with a re-validating CI gate.
Evidentia holds the OpenSSF Best Practices Badge at the Silver tier (project #12724). The badge is rendered live in the README; click it to see the per-criterion answers.
Gold is structurally blocked, and the project says so plainly. The Gold tier requires "at least two unassociated significant contributors" and a "bus factor of 2 or more" — both absolute MUSTs at bestpractices.dev with no exception path. Evidentia is a single-maintainer project, so Gold is acknowledged as unreachable until the contributor threshold is met; the roadmap ties that to the same organizational milestone as the SOC 2 Type I program rather than promising a date.
Evidentia runs the OpenSSF Scorecard weekly (and on push to main)
via scorecard.yml,
publishing to scorecard.dev.
It surfaces ~20 supply-chain checks (Pinned-Dependencies,
Branch-Protection, Code-Review, SBOM, Signed-Releases, etc.). The score
is a live, third-party-computed signal — the badge in the README links
to the current viewer.
Evidentia's release pipeline produces, on every tagged release, a set of positive supply-chain attestations that map cleanly onto procurement frameworks:
| Attestation | Standard alignment |
|---|---|
| PEP 740 attestations on every wheel + sdist | Sigstore-signed, Rekor-logged |
| Sigstore / cosign SLSA Provenance v1 on the container | SLSA Build L3 |
| CycloneDX 1.6 SBOM attached to each GitHub Release | NIST SP 800-218 PS.3 / SR controls |
| OpenSSF Scorecard 6.5+ | Supply-chain hygiene baseline |
Consumer-side recipes to verify each of these yourself are in
Project → Verification. Per the project's
standing posture, Evidentia has not mapped these into a vendor
questionnaire on this public page beyond the alignment column above;
positioning-and-value.md
§10.4 carries the procurement-ready framing.
To keep this page honest:
-
No third-party audit. The OSPS Baseline conformance is a
self-assessment. A SOC 2 Type I examination for the maintaining entity
is referenced as in progress in
v1.0-transition.mdwith no committed delivery date — it is not a current attestation. - No NIST 800-53 "compliant" claim. Evidentia ships NIST 800-53 catalogs and maps its own release pipeline to specific SSDF / 800-53 controls in its per-release security reviews, but it does not claim a formal 800-53 authorization or ATO.
- No OpenSSF Gold. Blocked by the two-contributor MUST (above).
-
OSPS-CONFORMANCE.md— the full per-control self-attestation (repo root). - OSPS Baseline mapping — the catalogs, crosswalks, and conformance-check collectors behind the claim.
- Guides → OSPS self-assessment — how to fork the pattern.
- Project → Verification — verify the supply-chain attestations yourself.
- Project → Security — vulnerability disclosure + signing policy.
-
- AI Governance
- Air Gapped Install
- Ci Integration
- CONMON Deployment
- Emit Cyclonedx VEX
- Emit OCSF Detection
- Emit SARIF
- Explain Controls
- Generate And Quantify Risk
- Governance Metrics And Workflows
- Ingest OCSF
- Manage Model Risk
- Manage POAM
- Manage Third Party Risk
- MCP Client Setup
- OSPS Self Assessment
- Run Gap Analysis
- Serve The Web Ui
- Sign And Verify Evidence