Guides

2. Guides

Task-oriented how-tos. Each page solves a specific operational need.

Pages in this section

• Run gap analysis — full CLI walkthrough: catalog selection, evidence-dir conventions, output formats, framework crosswalks, partial-coverage handling, faithfulness threshold.

• Ingest OCSF — ingest OCSF Detection Finding output from Prowler / AWS Security Hub / etc.; the --block-private-ips SSRF mitigation; the v0.10.1 trust-unmapped contract.

• Emit SARIF — SARIF 2.1.0 output for CI gates; GitHub Code Scanning ingestion; severity mapping rationale.

• Emit OCSF Detection — OCSF Detection Finding class_uid 2004 emit; SIEM ingestion; sample queries.

• Emit CycloneDX VEX — CycloneDX 1.6 VEX statements; supply-chain composition with the release-time SBOM via standard CycloneDX merge.

• Manage POA&M — POA&M data model + 5-state lifecycle; CLI verbs; OSCAL POA&M emit; integration patterns (Jira, ServiceNow, etc.).

• Generate and quantify risk — qualitative NIST SP 800-30 risk statements (LLM-backed) + deterministic FAIR / Monte-Carlo quantification (risk generate / risk quantify).

• Explain a control — stream a plain-English explanation of any control (what it means, why it matters, what to do) in the web console; LLM-backed with on-disk caching (explain).

• Manage third-party risk — vendor inventory, concentration-risk reporting, and CAIQ / SIG due-diligence questionnaires (tprm), plus the in-browser TPRM screen for browsing, filtering, and adding vendors.

• Manage model risk — SR 11-7 / OCC 2026-13a model inventory, model documentation, and validation reports (model-risk).

• Governance metrics and workflows — KRI / KPI / KGI metrics, Effective Challenge, Three-Lines reporting, and process-as-code workflows (governance).

• AI governance — EU AI Act risk-tier classification + NIST AI RMF system inventory, FIPS-199 + OMB impact leveling (ai-gov).

• CONMON deployment — CONMON cadence library + CLI; 7 bundled federal cadences; daemon vs read-only deployment patterns.

• Sign and verify evidence — signing + verifying evidence and MCP tool output (SignedToolOutput Sigstore keyless) and OSCAL documents (GPG detached); the verification recipe; the append-only / WORM evidence store. (CIMD is the separate OAuth client-scope mechanism, not a signing primitive.)

• Air-gapped install — wheelhouse pattern + offline catalog updates; GPG-only fallback for environments without Sigstore reach.

• CI integration — GitHub Actions sample workflow (gap analysis on PR + SARIF upload); GitLab CI sample; Jenkins sample.

• OSPS self-assessment — walk through OSPS-CONFORMANCE.md + the verify-osps-conformance.yml CI gate; how to fork the pattern for your own project.

• MCP client setup — run the Evidentia MCP server and wire its 13 tools into Claude Desktop / Claude Code / Cursor (mcp).

• Serve the web UI — launch the local browser UI for gap analysis + the 8-format gap-export control (evidentia serve).

How to use this section

Jump directly to the page that solves your problem. Each guide is self-contained; cross-references to Concepts point at the "why" if you need depth.

All nineteen guide pages above are live. New guides land here as new operational surfaces ship; see the ROADMAP for the forward cadence.