Quickstart
evidentia-wiki-sync[bot] edited this page May 27, 2026 · 7 revisions
This guide gets you from a fresh install to a real OSCAL Assessment Results document.
- Python 3.12+ (`python --version` to check)
- A directory of evidence files. For this quickstart, we'll use Evidentia's bundled test fixtures so you can run end-to-end with zero setup.
```bash
pip install evidentia
```

Verify:

```bash
evidentia version
# → Evidentia v0.10.6 / Python 3.12.x
```

List the available frameworks:

```bash
evidentia catalog list --maturity=tier-a
```

You'll see ~30 Tier-A (production-grade, verbatim-licensed) frameworks. For this quickstart, we'll use NIST 800-53 Rev 5 Low baseline (~149 controls, small enough to inspect by hand).
Using Evidentia's bundled test fixtures:

```bash
evidentia gap analyze \
  --framework=nist-800-53-rev5-low \
  --evidence-dir=$(python -c "import evidentia; print(evidentia.__path__[0] + '/test_fixtures/evidence/')")
```

Output:

```
Gap analysis complete: nist-800-53-rev5-low
✓ Implemented: 87 controls
⚠ Partial: 21 controls
✗ Gaps: 41 controls
⊘ Not applicable: 0 controls
Faithfulness score: 0.87 (threshold 0.30; framework-aware)
Output: 3,536 lines of finding detail
```
```bash
evidentia gap analyze \
  --framework=nist-800-53-rev5-low \
  --evidence-dir=$(python -c "import evidentia; print(evidentia.__path__[0] + '/test_fixtures/evidence/')") \
  --format=oscal > my-assessment-results.json
```

This produces a NIST OSCAL Assessment Results 1.2.1 document. Validate with:
```bash
pip install compliance-trestle
trestle validate --type oscal-ar --file my-assessment-results.json
# → PASS
```

The wheel you installed has a PEP 740 attestation:
```bash
pip install pypi-attestations
pypi-attestations verify pypi \
  --repository https://github.com/Polycentric-Labs/evidentia \
  "pypi:evidentia-0.10.6-py3-none-any.whl"
# → OK: evidentia-0.10.6-py3-none-any.whl
```

The container image is cosign-signed (if you used the Docker install path):
```bash
cosign verify ghcr.io/polycentric-labs/evidentia:v0.10.6 \
  --certificate-identity-regexp 'https://github\.com/Polycentric-Labs/evidentia/\.github/workflows/release\.yml@refs/tags/v.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
# → "The cosign claims were validated"
```

Full verification recipes: see docs/verification.md.
- Run against your own evidence: point `--evidence-dir` at your real evidence directory (see first-collection.md for the collector setup).
- Wire to a CI gate: emit SARIF for GitHub Code Scanning (guide).
- Drive from an AI agent: enable the MCP server (guide).
- Add a custom framework: write your own catalog YAML (guide).
- Common issues + fixes: 6-project/faq.md
- Open a discussion: github.com/Polycentric-Labs/evidentia/discussions
- Report a bug: github.com/Polycentric-Labs/evidentia/issues/new
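An added example, not part of the Evidentia project or this wiki: a small Python CI gate that parses the summary block printed by `evidentia gap analyze` (the run shown above) and reports violations when the faithfulness score falls below the tool's own threshold, when implemented coverage is under a required fraction, or when the gap count exceeds a budget. The summary text is embedded as sample input copied from that run, and the policy values passed to `gate` are assumptions.

```python
import re
from dataclasses import dataclass
# Summary block as printed by the gap analysis run above, embedded as sample input.
SAMPLE_OUTPUT = """\
Gap analysis complete: nist-800-53-rev5-low
✓ Implemented: 87 controls
⚠ Partial: 21 controls
✗ Gaps: 41 controls
⊘ Not applicable: 0 controls
Faithfulness score: 0.87 (threshold 0.30; framework-aware)
Output: 3,536 lines of finding detail
"""
# The status glyph varies per line, so match any non-space token before the label.
_COUNT = re.compile(r"^\S+\s+(Implemented|Partial|Gaps|Not applicable):\s+(\d+) controls$", re.M)
_SCORE = re.compile(r"^Faithfulness score:\s+([0-9.]+)\s+\(threshold\s+([0-9.]+)", re.M)

@dataclass
class GapSummary:
    implemented: int
    partial: int
    gaps: int
    not_applicable: int
    faithfulness: float
    threshold: float
    @property
    def coverage(self) -> float:
        # Fraction of in-scope controls fully implemented; N/A controls are excluded.
        in_scope = self.implemented + self.partial + self.gaps
        return self.implemented / in_scope if in_scope else 0.0

def parse_summary(text: str) -> GapSummary:
    # Refuse to gate on an incomplete summary rather than silently treating it as zero gaps.
    counts = {label: int(n) for label, n in _COUNT.findall(text)}
    missing = {"Implemented", "Partial", "Gaps", "Not applicable"} - counts.keys()
    score = _SCORE.search(text)
    if missing or score is None:
        raise ValueError(f"summary incomplete (missing counts: {sorted(missing)}, score: {score is not None})")
    return GapSummary(counts["Implemented"], counts["Partial"], counts["Gaps"],
                      counts["Not applicable"], float(score.group(1)), float(score.group(2)))

def gate(summary: GapSummary, min_coverage: float, max_gaps: int) -> list[str]:
    # Return policy violations; an empty list means the CI gate passes (policy values are the caller's).
    problems = []
    if summary.faithfulness < summary.threshold:
        problems.append(f"faithfulness {summary.faithfulness} below threshold {summary.threshold}")
    if summary.coverage < min_coverage:
        problems.append(f"coverage {summary.coverage:.1%} below required {min_coverage:.0%}")
    if summary.gaps > max_gaps:
        problems.append(f"{summary.gaps} gaps exceed budget of {max_gaps}")
    return problems
```

In a pipeline, feed the captured stdout of the command into `parse_summary` and fail the job when `gate` returns a non-empty list; the SARIF route listed above is the native path for GitHub Code Scanning.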