-
Notifications
You must be signed in to change notification settings - Fork 1
Quickstart
This guide gets you from a fresh install to a real OSCAL Assessment Results document.
- Python 3.12+ (
python --versionto check) - No prior setup — this quickstart uses
evidentia initto scaffold a starter control inventory, so you can run end-to-end from a fresh install
pip install evidentiaVerify:
evidentia version
# → Evidentia v0.10.9 / Python 3.12.xevidentia catalog list --tier=AYou'll see ~48 Tier-A (production-grade, verbatim-licensed) frameworks. For this quickstart, we'll use NIST 800-53 Rev 5 Low baseline (~149 controls — small enough to inspect by hand).
evidentia gap analyze is inventory-driven: you give it a file describing the
controls your organization has (--inventory) and the frameworks to measure
against (--frameworks). Scaffold a starter inventory — this writes
evidentia.yaml, my-controls.yaml, and system-context.yaml into the current
directory:
evidentia init --preset nist-moderate-starterThen run the analysis against the Low baseline (--inventory, --frameworks,
and --output are the three flags you need):
evidentia gap analyze \
--inventory=my-controls.yaml \
--frameworks=nist-800-53-rev5-low \
--output=gap-report.jsonEvidentia prints a summary table to the console and writes the full report to
gap-report.json:
Gap Analysis Summary
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┓
┃ Metric ┃ Value ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━┩
│ Total controls required │ 149 │
│ Total gaps │ 112 │
│ Critical │ 6 │
│ High │ 24 │
│ Medium │ 58 │
│ Low │ 24 │
│ Coverage │ 24.8% │
│ Efficiency opportunities │ 3 │
└────────────────────────────┴───────────┘
(Counts are illustrative — the starter inventory is intentionally small, so most
Low-baseline controls show up as gaps. Edit my-controls.yaml with your real
controls to see your true posture.)
evidentia gap analyze \
--inventory=my-controls.yaml \
--frameworks=nist-800-53-rev5-low \
--format=oscal-ar \
--output=assessment-results.jsonThis produces a NIST OSCAL Assessment Results 1.2.1 document. Validate with:
pip install compliance-trestle
trestle validate --type oscal-ar --file assessment-results.json
# → PASSThe wheel you installed has a PEP 740 attestation:
pip install pypi-attestations
pypi-attestations verify pypi \
--repository https://github.com/Polycentric-Labs/evidentia \
"pypi:evidentia-0.10.9-py3-none-any.whl"
# → OK: evidentia-0.10.9-py3-none-any.whlThe container image is cosign-signed (if you used the Docker install path):
cosign verify ghcr.io/polycentric-labs/evidentia:v0.10.9 \
--certificate-identity-regexp 'https://github\.com/Polycentric-Labs/evidentia/\.github/workflows/release\.yml@refs/tags/v.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
# → "The cosign claims were validated"Full verification recipes: see docs/verification.md.
-
Run against your own controls: point
--inventoryat your real control inventory (YAML/CSV/JSON). To fold in collected evidence, run a collector (see first-collection.md) and pass--findingswith--format oscal-ar. - Wire to a CI gate: emit SARIF for GitHub Code Scanning (guide).
- Drive from an AI agent: enable the MCP server (guide).
- Add a custom framework: write your own catalog YAML (guide).
- Common issues + fixes:
6-project/faq.md - Open a discussion: github.com/Polycentric-Labs/evidentia/discussions
- Report a bug: github.com/Polycentric-Labs/evidentia/issues/new
-
- AI Governance
- Air Gapped Install
- Ci Integration
- CONMON Deployment
- Emit Cyclonedx VEX
- Emit OCSF Detection
- Emit SARIF
- Explain Controls
- Generate And Quantify Risk
- Governance Metrics And Workflows
- Ingest OCSF
- Manage Model Risk
- Manage POAM
- Manage Third Party Risk
- MCP Client Setup
- OSPS Self Assessment
- Run Gap Analysis
- Serve The Web Ui
- Sign And Verify Evidence