evidentia

Miradi inayofuata mazoea bora hapa chini inaweza kujihakikisha kwa hiari na kuonyesha kuwa wamepata nishani ya mazoea bora ya Open Source Security Foundation (OpenSSF).

Hakuna seti ya mazoea yawezayo kuhakikisha kuwa programu haitakuwa na kasoro au udhaifu; hata mbinu rasmi zinaweza kushindwa ikiwa vipimo au dhana ni sahihi. Wala hakuna seti ya mazoea yawezayo kuhakikisha kuwa mradi utaendelea kuwa na jamii ya maendeleo yenye afya na inayofanya kazi vizuri. Hata hivyo, kufuata mazoea bora kunaweza kusaidia kuboresha matokeo ya miradi. Kwa mfano, baadhi ya mazoea huwezesha ukaguzi wa watu wengi kabla ya kutolewa, ambayo inaweza kusaidia kupata udhaifu wa kiufundi ambao vinginevyo ni vigumu kupata na kusaidia kujenga uaminifu na hamu ya mwingiliano wa kurudia kati ya wasanidi programu kutoka makampuni tofauti. Ili kupata nishani, vigezo vyote vya LAZIMA na LAZIMA WALA USIWAHI lazima vifuatwe, vigezo vyote vya INAPASWA lazima vifuatwe AU visivyo fufufutiliana na thibitisho, na vigezo vyote vya PENDEKEZA lazima vifuatwe AU visivyo fufufutiliana (tunataka vifikiwe angalau). Ikiwa unataka kuingiza maandishi ya thibitisho kama maoni ya jumla, badala ya kuwa maelezo ya busara kwamba hali ni inakubaliwa, anza kifungu cha maandishi na '//' ikifuatiwa na nafasi. Maoni ni karibu kupitia tovuti ya GitHub kama masuala au maombi ya kuvuta Kuna pia orodha ya barua pepe kwa majadiliano ya jumla.

Tunafuraha kutoa habari katika lugha nyingi, hata hivyo, ikiwa kuna mgongano au kutokuwa na usawa kati ya tafsiri, toleo la Kiingereza ni toleo lenye mamlaka.
Ikiwa huu ni mradi wako, tafadhali onyesha hadhi ya nishani yako kwenye ukurasa wa mradi wako! Hadhi ya nishani inaonekana kama hii: Kiwango cha nishani kwa mradi 12724 ni silver Hapa ni jinsi ya kuiweka:
Unaweza kuonyesha hali ya nishani yako kwa kuweka hii katika faili yako ya markdown:
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12724/badge)](https://www.bestpractices.dev/projects/12724)
au kwa kuweka hii katika HTML yako:
<a href="https://www.bestpractices.dev/projects/12724"><img src="https://www.bestpractices.dev/projects/12724/badge"></a>


Hizi ni vigezo vya kiwango cha Fedha. Unaweza pia kuangalia vigezo vya kiwango cha Kupita au Dhahabu.

Baseline Series: Kiwango cha Msingi 1 Kiwango cha Msingi 2 Kiwango cha Msingi 3

        

 Misingi 17/17

  • Jumla

    Kumbuka kwamba miradi mingine inaweza kutumia jina sawa.

    Open-source Python GRC tool: gap analysis, AI risk statements, OSCAL-first compliance automation. Enterprise-grade evidence integrity (Sigstore + GPG), CycloneDX SBOM, PyPI Trusted Publisher OIDC + PEP 740 attestations.

    Tafadhali tumia muundo wa maneno ya leseni ya SPDX; mifano ni pamoja na "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", na "(BSD-2-Clause OR Ruby)". Usitumie alama za nukuu za moja au mbili.
    Ikiwa kuna lugha zaidi ya moja, ziorodhe kama thamani zilizotengwa kwa koma (nafasi ni za hiari) na ziorodhe kuanzia iliyotumiwa zaidi hadi iliyotumiwa kidogo. Ikiwa kuna orodha ndefu, tafadhali orodhesha angalau tatu za kawaida zaidi. Ikiwa hakuna lugha (k.m., huu ni mradi wa nyaraka tu au wa majaribio tu), tumia herufi moja "-". Tafadhali tumia herufi kubwa za kawaida kwa kila lugha, k.m., "JavaScript".
    Common Platform Enumeration (CPE) ni mpango wa kuweka majina yenye muundo kwa mifumo ya teknolojia ya habari, programu, na vifurushi. Inatumika katika mifumo na hifadhidata nyingi wakati wa kuripoti udhaifu.

  • Mahitaji ya awali


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufikie nishani ya kiwango cha kuhitimu. [achieve_passing]

  • Maudhui ya kimsingi ya tovuti ya mradi


    Ya kutosha kwa nishani!

    Habari juu ya jinsi ya kuchangia LAZIMA ijumuishe mahitaji ya michango inayokubalika (k.m., rejea kwa kiwango chochote kinachohitajika cha msimbo). (URL inahitajika) [contribution_requirements]

    https://github.com/allenfbyrd/evidentia/blob/main/CONTRIBUTING.md


  • Usimamizi wa mradi


    Kwa shida ya kutosha kwa nishani.

    Mradi UNAPASWA kuwa na utaratibu wa kisheria ambapo wasanidi wote wa kiasi kisicho kidogo cha programu ya mradi wanathibitisha kwamba wameruhusiwa kisheria kufanya michango hii. Mbinu ya kawaida na rahisi ya kutekeleza hii ni kwa kutumia Cheti cha Msanidi cha Asili (DCO), ambapo watumiaji huongeza "signed-off-by" katika ahadi zao na mradi unaunganisha kwenye tovuti ya DCO. Hata hivyo, hii YAWEZA kutekelezwa kama Makubaliano ya Leseni ya Mchangiaji (CLA), au utaratibu mwingine wa kisheria. (URL inahitajika) [dco]
    DCO ni utaratibu unaopendekeza kwa sababu ni rahisi kutekeleza, kufuatilia katika msimbo wa chanzo, na git inasaidia moja kwa moja kipengele cha "signed-off" kwa kutumia "commit -s". Ili kuwa na ufanisi zaidi ni bora ikiwa nyaraka za mradi zinaeleza maana ya "signed-off" kwa mradi huo. CLA ni makubaliano ya kisheria yanayofafanua masharti ambayo kazi za kiakili zimetolewa leseni kwa shirika au mradi. Makubaliano ya mgawo wa mchangiaji (CAA) ni makubaliano ya kisheria yanayohamisha haki katika kazi ya kiakili kwa chama kingine; miradi haihitajiki kuwa na CAA, kwa kuwa kuwa na CAA huongeza hatari kwamba wachangiaji watarajiwa hawatachangia, hasa ikiwa mpokeaji ni shirika la faida. Apache Software Foundation CLAs (leseni ya mchangiaji wa mtu binafsi na CLA ya kampuni) ni mifano ya CLA, kwa miradi ambayo inaamua kwamba hatari za aina hizi za CLA kwa mradi ni chini ya manufaa yao.

    Single-maintainer project. All commits to date are authored by the project owner (Allen Byrd) under copyright explicitly granted to the project under Apache-2.0. A formal DCO/CLA flow will be adopted at the point a second contributor is onboarded; for now, the legal-authority chain is degenerate (one author = one signer). Apache-2.0 LICENSE: https://github.com/allenfbyrd/evidentia/blob/main/LICENSE.


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufafanue kwa uwazi na kuandika muundo wake wa utawala wa mradi (njia ya kufanya maamuzi, ikiwa ni pamoja na majukumu muhimu). (URL inahitajika) [governance]
    Kunahitaji kuwa na njia fulani iliyowekwa vyema ya kuandikwa ya kufanya maamuzi na kutatua migogoro. Katika miradi midogo, hii inaweza kuwa rahisi kama "mmiliki wa mradi na kiongozi hufanya maamuzi yote ya mwisho". Kuna miundo mbalimbali ya utawala, ikiwa ni pamoja na dictator wa wema na meritocracy rasmi; kwa maelezo zaidi, angalia Miundo ya utawala. Mbinu zote mbili za kati (k.m., mtunzaji mmoja) na zisizo za kati (k.m., watunzaji wa kikundi) zimetumika kwa mafanikio katika miradi. Habari za utawala hazihitajiki kuandika uwezekano wa kuunda uma wa mradi, kwa kuwa hiyo ni iwezekanavyo kila wakati kwa miradi ya FLOSS.

    Project governance is documented in GOVERNANCE.md: https://github.com/allenfbyrd/evidentia/blob/main/GOVERNANCE.md. Current model: BDFL (benevolent dictator for life) — Allen Byrd holds final decision authority. Roadmap is published in docs/ROADMAP.md and per-release plans (docs/v0.7.x-plan.md). Decisions on technical direction, scope, and breaking changes are made openly via GitHub Issues and PR discussion.


    Ya kutosha kwa nishani!

    Mradi LAZIMA upitishe kanuni ya mwenendo na kuiweka mahali pa kawaida. (URL inahitajika) [code_of_conduct]
    Miradi inaweza kuweza kuboresha uadilifu wa jamii yao na kuweka matarajio kuhusu tabia inayokubalika kwa kupitisha kanuni ya mwenendo. Hii inaweza kusaidia kuepuka matatizo kabla hayajatokea na kufanya mradi kuwa mahali pa kukaribishwa zaidi ili kuhimiza michango. Hii inapaswa kuzingatia tu tabia ndani ya jamii/mahali pa kazi pa mradi. Mifano ya kanuni za mwenendo ni kanuni ya mwenendo ya kernel ya Linux, Kanuni ya Mwenendo ya Agano la Mchangiaji, Kanuni ya Mwenendo ya Debian, Kanuni ya Mwenendo ya Ubuntu, Kanuni ya Mwenendo ya Fedora, Kanuni ya Mwenendo ya GNOME, Kanuni ya Mwenendo ya Jamii ya KDE, Kanuni ya Mwenendo ya Jamii ya Python, Mwongozo wa Mwenendo wa Jamii ya Ruby, na Kanuni ya Mwenendo ya Rust.

    Contributor Covenant v2.1 adopted at https://github.com/allenfbyrd/evidentia/blob/main/CODE_OF_CONDUCT.md. Reporting channel and enforcement guidelines documented inline.


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufafanue kwa uwazi na kuandika hadharani majukumu muhimu katika mradi na wajibu wao, ikiwa ni pamoja na kazi zozote ambazo majukumu hayo lazima yafanywe. Lazima iwe wazi ni nani ana jukumu lipi, ingawa hii haiwezi kuandikwa kwa njia ile ile. (URL inahitajika) [roles_responsibilities]
    Nyaraka kwa utawala na majukumu na wajibu zinaweza kuwa mahali pamoja.

    Roles and responsibilities documented in GOVERNANCE.md: https://github.com/allenfbyrd/evidentia/blob/main/GOVERNANCE.md. Current roles: Maintainer (Allen Byrd) — owns all merge authority, release authority, and security disclosure handling. As collaborators join, a "Triager" role (issue triage, PR review) and "Catalog Curator" role (Tier-A/B/C catalog updates) will be defined explicitly.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uweze kuendelea kwa usumbufu mdogo ikiwa mtu yeyote anakufa, anakuwa katika hali ya kudhoofika, au vinginevyo hawezi au hataki kuendelea kusaidia mradi. Hasa, mradi LAZIMA uweze kuunda na kufunga masuala, kukubali mabadiliko yaliyopendekezwa, na kutoa matoleo ya programu, ndani ya wiki moja ya uthibitishaji wa upotevu wa msaada kutoka kwa mtu yeyote mmoja. Hii INAWEZA kufanywa kwa kuhakikisha mtu mwingine ana funguo zozote zinazohitajika, nywila, na haki za kisheria ili kuendelea mradi. Watu binafsi wanaoendesha mradi wa FLOSS WANAWEZA kufanya hii kwa kuweka funguo katika sanduku la kufungia na wosia unaowezesha haki zozote zinazohitajika za kisheria (k.m., kwa majina ya DNS). (URL inahitajika) [access_continuity]

    Concrete continuity plan documented at https://github.com/allenfbyrd/evidentia/blob/main/docs/access-continuity.md. Key elements:

    • Operational SLA: project commits to resuming normal operations (create + close issues, accept proposed changes, release versions) within 7 calendar days of confirmation of loss of support.
    • Keyless signing infrastructure (Sigstore PEP 740 + Trusted Publisher OIDC + cosign keyless) means no offline private keys exist that could be lost with the maintainer. Any successor with repo write access can continue releases without any key transfer.
    • Step-by-step recovery procedure (Step 1 confirm loss; Step 2 GitHub repo + organization access via account-recovery OR fork-and-redirect fallback; Step 3 PyPI project-owner-role transfer; Step 4 GHCR access; Step 5 DNS / domain registrar — none currently held; Step 6 first release post-transfer).
    • Named successor + emergency contact maintained in the maintainer's encrypted password manager + emergency-access designation + will / estate documents. Public disclosure of the successor identity is intentionally avoided per the doc's privacy rationale (avoids social-engineering attempts to claim the project; preserves the maintainer's flexibility to update the designation as relationships change). The OpenSSF criterion text doesn't require public disclosure of the successor identity — it requires that the project MUST be able to continue, which the public doc + the private-side designation jointly accomplish. Auditors can verify the private-side designation exists by direct contact with the maintainer (see SECURITY.md disclosure channel).
    • Plan reviewed at every release per release-checklist.md Step 5 + on a quarterly cadence regardless of release activity.

    Companion governance framing at https://github.com/allenfbyrd/evidentia/blob/main/GOVERNANCE.md §"Continuity and bus factor".


    Kwa shida ya kutosha kwa nishani.

    Mradi INAPASWA kuwa na "bus factor" ya 2 au zaidi. (URL inahitajika) [bus_factor]
    "Bus factor" (pia inajulikana kama "truck factor") ni idadi ya chini ya washiriki wa mradi ambao wanapaswa kutoweka ghafla kutoka kwenye mradi ("kupigwa na basi") kabla ya mradi kusimama kwa sababu ya ukosefu wa wafanyakazi wenye elimu au wenye uwezo. Zana ya truck-factor inaweza kukadiria hii kwa miradi kwenye GitHub. Kwa maelezo zaidi, angalia Kutathmini Bus Factor ya Hifadhi za Git na Cosentino et al.

    Current bus factor is 1 (single maintainer - Allen Byrd). Mitigation: keyless signing infrastructure (no offline keys to lose), Trusted Publisher OIDC bound to the repo (any maintainer with repo write can publish), all process documented in https://github.com/allenfbyrd/evidentia/blob/main/docs/release-checklist.md. Project is in early growth phase; second maintainer will be recruited as the contributor base develops.


  • Nyaraka


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na ramani ya barabara iliyoandikwa inayoeleza kile mradi unakusudia kufanya na kutofanya kwa angalau mwaka unaofuata. (URL inahitajika) [documentation_roadmap]
    Mradi huenda usitimiza ramani ya barabara, na hiyo ni sawa; kusudi la ramani ya barabara ni kusaidia watumiaji na wachangiaji watarajiwa kuelewa mwelekeo unaokusudiwa wa mradi. Haihitaji kuwa na maelezo mengi.

    Roadmap is documented at https://github.com/allenfbyrd/evidentia/blob/main/docs/ROADMAP.md with detailed per-release plans for the v0.7.x line: docs/v0.7.5-plan.md through docs/v0.7.9-plan.md (8-10 week ship target each). v0.8.0 plan also published (https://github.com/allenfbyrd/evidentia/blob/main/docs/v0.8.0-plan.md). Combined horizon exceeds 1 year.


    Ya kutosha kwa nishani!

    Mradi LAZIMA ujumuishe nyaraka za muundo (pia inajulikana kama muundo wa kiwango cha juu) wa programu inayozalishwa na mradi. Ikiwa mradi hauzalishi programu, chagua "haihusiki" (N/A). (URL inahitajika) [documentation_architecture]
    Muundo wa programu unaeleza miundo ya msingi ya programu, yaani, vipengele vikuu vya programu, uhusiano kati yao, na mali muhimu za vipengele na uhusiano hivi.

    Canonical architecture document is https://github.com/allenfbyrd/evidentia/blob/main/Evidentia-Architecture-and-Implementation-Plan.md covering the 6-package monorepo structure, OSCAL-first data model, AI integration patterns, collector + integration architecture, and security boundaries. Capability matrix (https://github.com/allenfbyrd/evidentia/blob/main/docs/capability-matrix.md) covers the public surface inventory across 5 surface tiers and 5 risk tiers.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uandike kile mtumiaji anaweza na asiweze kutarajia kwa suala la usalama kutoka kwa programu inayozalishwa na mradi ("mahitaji yake ya usalama"). (URL inahitajika) [documentation_security]
    Haya ni mahitaji ya usalama ambayo programu inakusudiwa kukidhi.

    Security requirements and threat boundary documented in https://github.com/allenfbyrd/evidentia/blob/main/docs/threat-model.md (~58 surfaces across 5 tiers including the v0.7.9 TPRM + vendor-risk-collector additions; explicit in-scope/out-of-scope; assumed-trust assumptions). Per-release security review (most recent: https://github.com/allenfbyrd/evidentia/blob/main/docs/security-review-v0.7.9.md) gives a CVSS/CWE/EPSS-classified view of the active surface. SECURITY.md (https://github.com/allenfbyrd/evidentia/blob/main/SECURITY.md) defines disclosure SLAs and supported-version policy with the supported-versions table refreshed at every release.


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe mwongozo wa "kuanza haraka" kwa watumiaji wapya kuwasaidia kufanya kitu haraka na programu. (URL inahitajika) [documentation_quick_start]
    Wazo ni kuonyesha watumiaji jinsi ya kuanza na kufanya programu ifanye chochote. Hii ni muhimu sana kwa watumiaji watarajiwa kuanza.

    90-second quickstart at https://github.com/allenfbyrd/evidentia/blob/main/docs/quickstart.md. README also has a "Getting Started" section with a 4-step install + first-gap-analysis flow.


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufanye jitihada ya kuweka nyaraka kulingana na toleo la sasa la matokeo ya mradi (ikiwa ni pamoja na programu inayozalishwa na mradi). Kasoro yoyote inayojulikana ya nyaraka inayofanya isilingane LAZIMA irekebishwe. Ikiwa nyaraka kwa ujumla ni za sasa, lakini kwa makosa inajumuisha baadhi ya maelezo ya zamani ambayo sio ya kweli tena, ichukue tu kama kasoro, kisha ifuatilie na urekebishe kama kawaida. [documentation_current]
    Nyaraka ZINAWEZA kujumuisha habari kuhusu tofauti au mabadiliko kati ya matoleo ya programu na/au kuunganisha kwa matoleo ya zamani ya nyaraka. Kusudi la kigezo hiki ni kwamba jitihada inafanywa ili kuweka nyaraka kulingana, siyo kwamba nyaraka lazima ziwe kamili.

    Documentation is refreshed every release per docs/release-checklist.md Step 4 (DOC refresh). Version-pinned docs live alongside per-release plan files (docs/v0.7.x-plan.md through docs/v0.7.9-plan.md + docs/v0.8.0-plan.md). All v0.7.9-era staleness items were closed at v0.7.9 ship time: CHANGELOG [Unreleased] gaps for in-flight commits (commit 3315150), README collectors row (Vanta/Drata/BitSight/SSC + Databricks/Snowflake/SQL/Okta), ROADMAP NEXT/PLANNED → SHIPPED for v0.7.5/v0.7.6/v0.7.7, evidentia-collectors pyproject description + keywords. Two earlier-flagged stale strings (CONTRIBUTING.md test count, SECURITY.md supported-versions table) shipped in v0.7.9 P0.6 OpenSSF Silver-tier prep batch (commit 6f862eb).


    Ya kutosha kwa nishani!

    Ukurasa wa mbele wa hifadhi ya mradi na/au tovuti LAZIMA utambulishe na kuunganisha kiungo kwa mafanikio yoyote, ikiwa ni pamoja na nishani hii ya mazoea bora, ndani ya masaa 48 ya kutambua hadharani kwamba ufanikio umepatikana. (URL inahitajika) [documentation_achievements]
    Ufanikio ni seti yoyote ya vigezo vya nje ambavyo mradi umefanya kazi mahususi kukidhi, ikiwa ni pamoja na nishani fulani. Habari hii haihitaji kuwa kwenye ukurasa wa mbele wa tovuti ya mradi. Mradi unaotumia GitHub unaweza kuweka mafanikio kwenye ukurasa wa mbele wa hifadhi kwa kuyaongeza kwenye faili ya README.

    Project achievements (OpenSSF Best Practices badge, OpenSSF Scorecard) are surfaced in the badge cluster at the top of the README: https://github.com/allenfbyrd/evidentia/blob/main/README.md. Live badge embed: OpenSSF Best Practices.


  • Ufikiaji na kimataifa


    Ya kutosha kwa nishani!

    Mradi (tovuti zote za mradi na matokeo ya mradi) INAPASWA kufuata mazoea bora ya ufikiaji ili watu wenye ulemavu bado waweze kushiriki katika mradi na kutumia matokeo ya mradi ambapo ni busara kufanya hivyo. [accessibility_best_practices]
    Kwa programu za wavuti, angalia Miongozo ya Ufikiaji wa Maudhui ya Wavuti (WCAG 2.0) na hati yake inayosaidia Kuelewa WCAG 2.0; angalia pia habari za ufikiaji za W3C. Kwa programu za GUI, zingatia kutumia miongozo ya ufikiaji ya mazingira maalum (kama vile Gnome, KDE, XFCE, Android, iOS, Mac, na Windows). Baadhi ya programu za TUI (k.m., programu za `ncurses`) zinaweza kufanya mambo fulani ili kuzifanya kufikika zaidi (kama mpangilio wa `force-arrow-cursor` wa `alpine`). Programu nyingi za mstari wa amri zinafikika vizuri kama zilivyo. Kigezo hiki mara nyingi ni N/A, k.m., kwa maktaba za programu. Hapa kuna baadhi ya mifano ya hatua za kuchukua au masuala ya kuzingatia:
    • Toa mbadala za maandishi kwa maudhui yoyote yasiyo ya maandishi ili yaweze kubadilishwa kuwa aina nyingine watu wanahitaji, kama vile chapa kubwa, braille, hotuba, alama au lugha rahisi zaidi ( mwongozo wa WCAG 2.0 1.1)
    • Rangi haitumiwi kama njia pekee ya kuona ya kuwasilisha habari, kuashiria kitendo, kuchochea jibu, au kutofautisha kipengele cha kuona. ( mwongozo wa WCAG 2.0 1.4.1)
    • Uwasilishaji wa kuona wa maandishi na picha za maandishi una uwiano wa tofauti wa angalau 4.5:1, isipokuwa kwa maandishi makubwa, maandishi ya bahati mbaya, na nembo ( mwongozo wa WCAG 2.0 1.4.3)
    • Fanya kazi zote zipatikane kutoka kwenye kibodi (mwongozo wa WCAG 2.1)
    • Mradi wa GUI au wa wavuti INAPASWA kupima na angalau kipaza sauti kimoja cha skrini kwenye jukwaa la lengo (k.m., NVDA, Jaws, au WindowEyes kwenye Windows; VoiceOver kwenye Mac & iOS; Orca kwenye Linux/BSD; TalkBack kwenye Android). Programu za TUI ZINAWEZA kufanya kazi kupunguza uchanganyiko wa ziada ili kuzuia usomaji wa ziada na vipaza sauti vya skrini.

    Public surfaces: GitHub repo + GitHub Pages (none yet) + the evidentia-ui SPA (alpha.2). The evidentia-ui frontend uses standard semantic HTML (React + accessible component primitives), keyboard-navigable forms, and ARIA labels on interactive elements. CLI output is plain text (screen-reader friendly by definition; no animated/colored-only UX). Documentation is plain Markdown rendered by GitHub (which provides standard a11y rendering). A formal WCAG 2.1 AA audit of evidentia-ui is planned for v0.8.0+.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi INAPASWA kuwa kimataifa ili kuwezesha upatanifu wa lugha wa rahisi kwa utamaduni, eneo, au lugha ya hadhira lengo. Ikiwa kimataifa (i18n) haihusiki (k.m., programu haizalishi maandishi yanayokusudiwa kwa watumiaji wa mwisho na haipangi maandishi yanayosomeka na binadamu), chagua "haihusiki" (N/A). [internationalization]
    Upatanifu wa lugha "unarejelea upatanifu wa bidhaa, programu au maudhui ya hati ili kukidhi lugha, utamaduni na mahitaji mengine ya soko mahususi la lengo (eneo)." Kimataifa ni "muundo na maendeleo ya bidhaa, programu au maudhui ya hati ambayo huwezesha upatanifu wa lugha wa rahisi kwa hadhira lengo zinazotofautiana katika utamaduni, eneo, au lugha." (Ona "Upatanifu wa Lugha dhidi ya Kimataifa" ya W3C.) Programu inakidhi kigezo hiki kwa kuwa kimataifa tu. Hakuna upatanifu wa lugha kwa lugha nyingine mahususi unaohitajika, kwa kuwa mara tu programu imekuwa kimataifa inawezekana kwa wengine kufanya kazi kwenye upatanifu wa lugha.

    Evidentia produces compliance artifacts (OSCAL JSON/XML, gap reports, risk statements) — its end-user output is structured data targeting US/EU regulatory frameworks (NIST 800-53, ISO 27001, SOC 2, FedRAMP, FFIEC, OCC 2011-12, FRB SR 11-7) which are themselves authored in English. The CLI's operator-facing strings (help text, errors) are in English and intended for technical operators. There is no localized end-user text generation path that would benefit from i18n. The 89 bundled catalogs ship in their authoritative source language (English).


  • Mengine


    Ya kutosha kwa nishani!

    Ikiwa tovuti za mradi (tovuti, hifadhi, na URL za kupakua) zinahifadhi nywila kwa ajili ya uthibitishaji wa watumiaji wa nje, nywila LAZIMA zihifadhiwe kama mificho iliyorudiwa na chumvi kwa-mtumiaji kwa kutumia kanuni ya upanuaji (iliyorudiarudia) wa funguo (k.m., Argon2id, Bcrypt, Scrypt, au PBKDF2). Ikiwa tovuti za mradi hazihifadhi nywila kwa kusudi hili, chagua "haihusiki" (N/A). [sites_password_security]
    Kumbuka kwamba matumizi ya GitHub yanakidhi kigezo hiki. Kigezo hiki kinatumika tu kwa nywila zinazotumika kwa ajili ya uthibitishaji wa watumiaji wa nje kwenye tovuti za mradi (pia inaitwa uthibitishaji wa ndani). Ikiwa tovuti za mradi lazima ziingie kwenye tovuti zingine (pia inaitwa uthibitishaji wa nje), zinaweza kuhitaji kuhifadhi ishara za uidhinishaji kwa kusudi hilo kwa njia tofauti (kwa kuwa kuhifadhi mficho hakuna maana). Hii inatumia kigezo cha crypto_password_storage kwa tovuti za mradi, sawa na sites_https.

    Project sites do not store user passwords. GitHub repo handles its own auth; bestpractices.dev account is on the OpenSSF service; PyPI publishing is via Trusted Publisher OIDC (no API tokens stored). Evidentia OSS edition does not provide a public auth surface that would require password storage.


 Udhibiti wa Mabadiliko 1/1

  • Matoleo ya awali


    Ya kutosha kwa nishani!

    Mradi LAZIMA utunze matoleo ya zamani yaliyotumika mara nyingi ya bidhaa au kutoa njia ya usasishaji kwa matoleo mapya. Ikiwa njia ya usasishaji ni ngumu, mradi LAZIMA uandike jinsi ya kufanya usasishaji (k.m., violesura vilivyobadilika na hatua zilizoanishwa kwa undani ili kusaidia usasishaji). [maintenance_or_update]

    Upgrade path is documented in CHANGELOG.md (https://github.com/allenfbyrd/evidentia/blob/main/CHANGELOG.md) with per-release "Changed", "Fixed", "Removed" sections following Keep a Changelog 1.1.0. SemVer adherence (pre-1.0: minor bumps for new feature surface, patches for fixes) means breaking changes carry an explicit Deprecation notice in the prior release. Supported-versions matrix documented in SECURITY.md. Older versions remain installable from PyPI for the duration of their security-supported window.


 Kuripoti 3/3

  • Mchakato wa kuripoti hitilafu


    Ya kutosha kwa nishani!

    Mradi LAZIMA utumie kifuatiliaji cha masuala kwa ajili ya kufuatilia masuala ya mtu binafsi. [report_tracker]

    GitHub Issues is the project's issue tracker: https://github.com/allenfbyrd/evidentia/issues. Issue templates for bug reports and feature requests live at https://github.com/allenfbyrd/evidentia/tree/main/.github/ISSUE_TEMPLATE.


  • Mchakato wa kuripoti udhaifu


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe sifa kwa waripoti wa ripoti zote za udhaifu zilizotatuliwa katika miezi 12 iliyopita, isipokuwa kwa waripoti wanaoomba kutojulikana. Ikiwa hakuna udhaifu uliotatuliwa katika miezi 12 iliyopita, chagua "haihusiki" (N/A). (URL inahitajika) [vulnerability_report_credit]

    No external vulnerability reports have been received in the last 12 months. Upstream-CVE remediations (e.g., PR #8 addressing litellm + python-multipart) credited the upstream advisory IDs (GHSA-r75f-5x8p-qvmc + 3 others) in the commit + CHANGELOG entry. A "Security Acknowledgments" section will be added to SECURITY.md the first time an external reporter is involved.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na mchakato ulioandikwa kwa ajili ya kujibu ripoti za udhaifu. (URL inahitajika) [vulnerability_response_process]
    Hii ina uhusiano mkubwa na vulnerability_report_process, ambayo inahitaji kuwa kuna njia iliyoandikwa ya kuripoti udhaifu. Pia inahusiana na vulnerability_report_response, ambayo inahitaji majibu kwa ripoti za udhaifu ndani ya kipindi fulani cha muda.

    Vulnerability response process is documented in https://github.com/allenfbyrd/evidentia/blob/main/SECURITY.md with: 3-business-day initial acknowledgement SLA, 10-business-day triage SLA, 90-day coordinated disclosure window (shortenable if upstream fixes exist, lengthenable by reporter agreement), in-scope and out-of-scope definitions, supported-versions matrix, and pointers to PEP 740 attestation + Sigstore/Rekor verification commands. Internal handling steps (triage → fix → CVE assignment → coordinated release → post-mortem) are documented in docs/release-checklist.md.


 Ubora 19/19

  • Viwango vya msimbo


    Ya kutosha kwa nishani!

    Mradi LAZIMA utambulishe miongozo mahususi ya mtindo wa kuandika msimbo kwa lugha kuu inazotumia, na uhitaji kwamba michango kwa ujumla ikidhi. (URL inahitajika) [coding_standards]
    Katika hali nyingi hii inafanywa kwa kurejelea baadhi ya miongozo ya mtindo iliyopo, huenda ikiorodhesha tofauti. Miongozo hii ya mtindo inaweza kujumuisha njia za kuboresha usomaji na njia za kupunguza uwezekano wa kasoro (ikiwa ni pamoja na udhaifu). Lugha nyingi za programu zina miongozo moja au zaidi ya mtindo inayotumika sana. Mifano ya miongozo ya mtindo ni pamoja na miongozo ya mtindo ya Google na Viwango vya Kuandika Msimbo wa SEI CERT.

    Coding standards are documented in CONTRIBUTING.md (https://github.com/allenfbyrd/evidentia/blob/main/CONTRIBUTING.md) and ruff config (https://github.com/allenfbyrd/evidentia/blob/main/pyproject.toml): Python 3.12+ following PEP 8 (enforced by ruff E/W rules), PEP 257 docstrings, isort import ordering (ruff I), pyflakes hygiene (F), pyupgrade modernization (UP), flake8-bugbear common-bug rules (B), flake8-simplify simplifications (SIM). Type annotations are required everywhere (mypy strict). Pydantic v2 models for all external inputs (extra="forbid"). TypeScript frontend uses ESLint + Prettier (config in packages/evidentia-ui/).


    Ya kutosha kwa nishani!

    Mradi LAZIMA utekeleze kiotomatiki mtindo wake wa kuandika msimbo uliochaguliwa ikiwa kuna angalau zana moja ya FLOSS inayoweza kufanya hivyo katika lugha zilizochaguliwa. [coding_standards_enforced]
    Hii INAWEZA kutekelezwa kwa kutumia zana za uchambuzi mkako na/au kwa kulazimisha msimbo kupitia vifaa vya kurekebisha msimbo. Katika hali nyingi usanidi wa zana umejumuishwa katika hifadhi ya mradi (kwa kuwa miradi tofauti inaweza kuchagua usanidi tofauti). Miradi INAWEZA kuruhusu vighairi vya mtindo (na kwa kawaida itaruhusu); ambapo vighairi vinatokea, LAZIMA viwe nadra na viandikwe katika msimbo katika maeneo yao, ili vighairi hivi viweze kukaguliwa na ili zana ziweze kuzishughulikia kiotomatiki baadaye. Mifano ya zana kama hizo ni pamoja na ESLint (JavaScript), Rubocop (Ruby), na devtools check (R).

    ruff (Python) + mypy strict (Python types) + ESLint (TypeScript) + Prettier (TypeScript formatting) all enforced as required CI status checks on every push and PR via https://github.com/allenfbyrd/evidentia/blob/main/.github/workflows/test.yml. Pre-commit hooks (https://github.com/allenfbyrd/evidentia/blob/main/.pre-commit-config.yaml) catch issues before commit-time.


  • Mfumo wa ujenzi unaofanya kazi


    Ya kutosha kwa nishani!

    Mifumo ya kujenga kwa binari za asili LAZIMA iheshimu vigezo (vya mazingira) vya mkusanyaji na vya kiunganishi vilivyopitishwa kwao (k.m., CC, CFLAGS, CXX, CXXFLAGS, na LDFLAGS) na kuvipitisha kwenye viito vya mkusanyaji na vya kiunganishi. Mfumo wa kujenga UNAWEZA kuvipanua na bendera za ziada; LAZIMA USIBADILISHE thamani zilizotolewa na zake mwenyewe. Ikiwa hakuna binari za asili zinazozalishwa, chagua "haihusiki" (N/A). [build_standard_variables]
    Inapaswa kuwa rahisi kuwezesha vipengele maalum vya kujenga kama Address Sanitizer (ASAN), au kutii mazoea bora ya ugumu wa usambazaji (k.m., kwa kuwezesha kwa urahisi bendera za mkusanyaji kufanya hivyo).

    Pure Python + TypeScript, no native binaries.


    Ya kutosha kwa nishani!

    Mfumo wa kujenga na usakinishaji UNAPASWA kuhifadhi taarifa za utatuzi ikiwa zimeombwa katika bendera husika (k.m., "install -s" haitumiwa). Ikiwa hakuna mfumo wa kujenga au usakinishaji (k.m., maktaba za kawaida za JavaScript), chagua "haihusiki" (N/A). [build_preserve_debug]
    K.m., kuweka CFLAGS (C) au CXXFLAGS (C++) inapaswa kuunda taarifa husika za utatuzi ikiwa lugha hizo zinatumika, na hazipaswi kuondolewa wakati wa usakinishaji. Taarifa za utatuzi zinahitajika kwa msaada na uchambuzi, na pia ni muhimu kwa kupima uwepo wa vipengele vya ugumu katika binari zilizokusanywa.

    Pure Python; debug info is implicit via traceback.


    Ya kutosha kwa nishani!

    Mfumo wa kujenga kwa programu iliyozalishwa na mradi LAZIMA USIJENGA kwa njia ya kujirudia saraka ndogo ikiwa kuna utegemezi wa kukatana katika saraka ndogo. Ikiwa hakuna mfumo wa kujenga au usakinishaji (k.m., maktaba za kawaida za JavaScript), chagua "haihusiki" (N/A). [build_non_recursive]
    Taarifa ya utegemezi wa ndani ya mfumo wa kujenga wa mradi inahitaji kuwa sahihi, vinginevyo, mabadiliko ya mradi huenda yasijenge vizuri. Mijengo isiyo sahihi inaweza kusababisha kasoro (ikiwa ni pamoja na udhaifu). Kosa la kawaida katika mifumo mikubwa ya kujenga ni kutumia "ujenzi wa kujirudia" au "make ya kujirudia", yaani, mlingano wa saraka ndogo zinazojumuisha faili za chanzo, ambapo kila saraka ndogo inajengwa kwa uhuru. Isipokuwa kila saraka ndogo ni huru kabisa, hii ni kosa, kwa sababu taarifa ya utegemezi si sahihi.

    uv workspace builds packages atomically; no recursive Make pattern.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uweze kurudia mchakato wa kuzalisha taarifa kutoka faili za chanzo na kupata matokeo sawa ya biti-kwa-biti. Ikiwa hakuna ujenzi unaofanyika (k.m., lugha za uandishi ambapo msimbo wa chanzo unatumika moja kwa moja badala ya kukusanywa), chagua "haihusiki" (N/A). [build_repeatable]
    Watumiaji wa GCC na clang wanaweza kupata chaguo la -frandom-seed kuwa na manufaa; katika hali fulani, hii inaweza kutatuliwa kwa kulazimisha aina fulani ya mpangilio. Mapendekezo zaidi yanaweza kupatikana kwenye tovuti ya ujenzi unaorudiwa.

    Builds are deterministic given uv.lock pinning. uv.lock (https://github.com/allenfbyrd/evidentia/blob/main/uv.lock) pins every transitive dependency by hash. Wheel building via hatchling is deterministic given fixed inputs. CI rebuilds on each commit produce reproducible artifacts (verifiable by re-running release.yml against a tag — same wheel hashes emerge).


  • Mfumo wa usakinishaji


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe njia ya kusakinisha na kuondoa kwa urahisi programu iliyozalishwa na mradi kwa kutumia mkataba unaotumika sana. [installation_common]
    Mifano ni pamoja na kutumia meneja wa kifurushi (kwa mfumo au kiwango cha lugha), "make install/uninstall" (inasaidia DESTDIR), chombo katika muundo wa kawaida, au picha ya mashine pepe katika muundo wa kawaida. Mchakato wa usakinishaji na uondoaji (k.m., kifurushi chake) UNAWEZA kutekelezwa na mtu wa tatu mradi tu ni FLOSS.

    Standard Python install: pip install evidentia (or pip install "evidentia[gui]" for full extras). Uninstall: pip uninstall evidentia. Container alternative: docker pull ghcr.io/allenfbyrd/evidentia:latest. Documented in https://github.com/allenfbyrd/evidentia/blob/main/docs/quickstart.md.


    Ya kutosha kwa nishani!

    Mfumo wa usakinishaji kwa watumiaji wa mwisho LAZIMA uheshimu mkataba wa kawaida kwa kuchagua eneo ambapo vitu vilivyojengwa vinaandikwa kwa wakati wa usakinishaji. Kwa mfano, ikiwa inasakinisha faili kwenye mfumo wa POSIX lazima iheshimu kigezo cha mazingira cha DESTDIR. Ikiwa hakuna mfumo wa usakinishaji au hakuna mkataba wa kawaida, chagua "haihusiki" (N/A). [installation_standard_variables]

    Python pip install respects standard --user / --prefix / virtualenv conventions; no autotools-style DESTDIR pattern applies.


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe njia kwa wasanidi programu wanaoweza kusakinisha haraka matokeo yote ya mradi na mazingira ya msaada yanayohitajika kufanya mabadiliko, ikiwa ni pamoja na majaribio na mazingira ya majaribio. Hii LAZIMA ifanywe kwa kutumia mkataba unaotumika sana. [installation_development_quick]
    Hii INAWEZA kutekelezwa kwa kutumia chombo kilichozalishwa na/au hati za usakinishaji. Utegemezi wa nje kwa kawaida utasakinishwa kwa kuita mfumo na/au meneja wa kifurushi cha lugha, kwa external_dependencies.

    Dev bootstrap: git clone ..., then uv sync --all-packages installs all 6 packages + dev deps + tests in one command. Documented in CONTRIBUTING.md (https://github.com/allenfbyrd/evidentia/blob/main/CONTRIBUTING.md). devcontainer support also shipped (https://github.com/allenfbyrd/evidentia/blob/main/.devcontainer/) for one-click VS Code / GitHub Codespaces bring-up.


  • Vipengee vilivyotunzwa nje


    Ya kutosha kwa nishani!

    Mradi LAZIMA uorodheshe utegemezi wa nje kwa njia inayoweza kuchakatwa na kompyuta. (URL inahitajika) [external_dependencies]
    Kwa kawaida hii inafanywa kwa kutumia mkataba wa meneja wa kifurushi na/au mfumo wa ujenzi. Kumbuka kwamba hii inasaidia kutekeleza installation_development_quick.

    External dependencies are declared in 7 pyproject.toml files (workspace root + 6 packages) and resolved/locked in https://github.com/allenfbyrd/evidentia/blob/main/uv.lock. CycloneDX SBOM (spec 1.6) is emitted on every release and attached to the GitHub Release for full computer-processable SBOM consumption.


    Ya kutosha kwa nishani!

    Miradi LAZIMA ifuatilie au kwa muda mrefu iangalie utegemezi wao wa nje (ikiwa ni pamoja na nakala za urahisi) kugundua udhaifu unaojulikana, na kurekebisha udhaifu unaoweza kutumiwa vibaya au kuthibitisha kuwa hauwezi kutumiwa vibaya. [dependency_monitoring]
    Hii inaweza kufanywa kwa kutumia zana ya kichambua chanzo / zana ya kuangalia utegemezi / zana ya uchambuzi wa muundo wa programu kama OWASP's Dependency-Check, Sonatype's Nexus Auditor, Synopsys' Black Duck Software Composition Analysis, na Bundler-audit (kwa Ruby). Baadhi ya waendesha kifurushi wanajumuisha taratibu za kufanya hii. Ni kubaliwa ikiwa udhaifu wa vipengele hauwezi kutumiwa vibaya, lakini uchambuzi huu ni mgumu na wakati mwingine ni rahisi kusasisha au kurekebisha sehemu.

    Dependabot scans weekly per https://github.com/allenfbyrd/evidentia/blob/main/.github/dependabot.yml (uv, npm, GitHub Actions, Docker — grouped + security-isolated). osv-scanner runs against the SBOM at every release per docs/release-checklist.md Step 5 (most recent: 0 CVEs at v0.7.8). GitHub Code Scanning + Secret Scanning + Dependency Graph all enabled at the repo level.


    Ya kutosha kwa nishani!

    Mradi LAZIMA au:
    1. fanya iwe rahisi kutambua na kusasisha vipengele vinavyotumiwa tena vilivyotunzwa nje; au
    2. tumia vipengele vya kawaida vinavyotolewa na mfumo au lugha ya programu.
    Kisha, ikiwa udhaifu unapatikana katika kipengele kilichotumiwa tena, itakuwa rahisi kusasisha kipengele hicho. [updateable_reused_components]
    Njia ya kawaida ya kutimiza kigezo hiki ni kutumia mifumo ya usimamizi wa kifurushi ya mfumo na lugha ya programu. Programu nyingi za FLOSS zinasambazwa na "maktaba za urahisi" ambazo ni nakala za ndani za maktaba za kawaida (labda zilizoachana). Kwa yenyewe, hiyo ni sawa. Hata hivyo, ikiwa programu *lazima* itumie nakala hizi za ndani (zilizoachanishwa), basi kusasisha maktaba za "kawaida" kama sasisho la usalama litaacha nakala hizi za ziada bado zenye udhaifu. Hii ni suala hasa kwa mifumo ya wingu; ikiwa mtoa huduma ya wingu anasasisha maktaba zao za "kawaida" lakini programu haitazitumia, basi masasisho hayasaidii kweli. Angalia, k.m., "Chromium: Kwa nini bado haiko katika Fedora kama kifurushi sahihi" na Tom Callaway.

    All reused dependencies come through standard package managers (PyPI for Python, npm for the frontend, GHCR for container images). Updates flow through Dependabot grouped PRs (config: https://github.com/allenfbyrd/evidentia/blob/main/.github/dependabot.yml). No vendored convenience copies of upstream code.


    Ya kutosha kwa nishani!

    Mradi UNAPASWA kuepuka kutumia vitendakazi na API zilizokubaliwa kuwa hazitumiki tena au zilizopitwa na wakati ambapo mbadala wa FLOSS zinapatikana katika seti ya teknolojia inayotumia ("kifurushi cha teknolojia" yake) na kwa wengi wa watumiaji ambao mradi unasaidia (ili watumiaji wawe na ufikiaji wa haraka wa mbadala). [interfaces_current]

    Codebase is on Python 3.12+ only (no legacy compat shims), Pydantic v2 (current major), latest LangChain/LiteLLM, FastAPI 0.110+, httpx (modern async-capable HTTP). ruff UP rule group continuously surfaces pyupgrade opportunities; backwards-compat hacks are rejected per project standard. Frontend is on Vite 8 + React 18 + TypeScript 5+ (current).


  • Seti ya majaribio otomatiki


    Ya kutosha kwa nishani!

    Seti ya majaribio ya kiotomatiki LAZIMA itumike kwenye kila ukaguzi wa kuingia kwenye hifadhi iliyoshirikiwa kwa angalau tawi moja. Seti hii ya majaribio LAZIMA itoe ripoti ya mafanikio au kushindwa kwa majaribio. [automated_integration_testing]
    Mahitaji haya yanaweza kuonekana kama sehemu ndogo ya test_continuous_integration, lakini yanazingatia majaribio tu, bila kuhitaji uunganisho wa kuendelea.

    test.yml runs pytest + ruff + mypy + frontend tests on every push to main and every pull request, with success/failure status reported as a required check. Workflow: https://github.com/allenfbyrd/evidentia/blob/main/.github/workflows/test.yml. Run history: https://github.com/allenfbyrd/evidentia/actions.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uongeze majaribio ya kurudi nyuma kwa seti ya majaribio ya kiotomatiki kwa angalau 50% ya hitilafu zilizorekebisha ndani ya miezi sita iliyopita. [regression_tests_added50]

    Per docs/release-checklist.md Step 5 + the pre-release-review v4 process, every fix lands with a regression test. Recent examples: F-V08-DAST-1 / F-V08-DAST-3 (v0.7.8 schema-fidelity fixes) shipped with new pytest cases for the affected endpoints; F-007 (v0.7.7.1 Dockerfile pin) shipped with the docker-run smoke test elevation; F-V08-CR-MEDIUM Snowflake quoted-identifier (v0.7.9 carry-over) shipped with 4 new TestQuotedIdentifierEscape tests; F-V08-CR-MEDIUM Power BI 1MB guard (v0.7.9 carry-over) shipped with 4 new TestPushRowsByteCapBisection tests; v0.7.9 P0.4 Continuous-review HIGH findings (H-1/H-2/H-3/H-4/H-5 + F-V09-S1) shipped with stuck-cursor-guard tests + SIG BYO partial-match test + vendor_id=None ingest test. Test count growth across patch releases (965 → 977 → 1103 → 1259 → 1540) primarily reflects regression tests for fixed bugs + tests for new features.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na seti ya majaribio ya kiotomatiki ya FLOSS inayotoa angalau 80% ya usakinishaji wa taarifa ikiwa kuna angalau zana moja ya FLOSS inayoweza kupima kigezo hiki katika lugha iliyochaguliwa. [test_statement_coverage80]
    Zana nyingi za FLOSS zinapatikana kupima usakinishaji wa majaribio, ikiwa ni pamoja na gcov/lcov, Blanket.js, Istanbul, JCov, na covr (R). Kumbuka kwamba kutimiza kigezo hiki sio uhakika kwamba seti ya majaribio ni ya kina, badala yake, kushindwa kutimiza kigezo hiki ni kiashiria kizito cha seti ya majaribio mbaya.

    Met. Statement coverage measured by Codecov (independent FLOSS test-coverage service): 81.87% at v0.7.10 ship, exceeding the 80% threshold. Coverage is published on every push to main via .github/workflows/test.yml (codecov-action@v6.0.0 SHA-pinned). The codecov.yml config locks the project gate at 80% with a 1% per-PR drop threshold so regressions fail CI. Live badge: https://codecov.io/gh/allenfbyrd/evidentia. Coverage scope + omit rationale documented in pyproject.toml [tool.coverage.run]. Tooling: pytest-cov (FLOSS, MIT-licensed) + Codecov upload. https://codecov.io/gh/allenfbyrd/evidentia


  • Upimaji wa utendaji mpya


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na sera rasmi iliyoandikwa kwamba kadri utendakazi mkubwa mpya unaongezwa, majaribio ya utendakazi mpya LAZIMA yaongezwe kwenye seti ya majaribio ya kiotomatiki. [test_policy_mandated]

    CONTRIBUTING.md PR checklist line: "New features include at least one test" — required, not optional. https://github.com/allenfbyrd/evidentia/blob/main/CONTRIBUTING.md. Reinforced by docs/release-checklist.md Step 5 which gates every tag on test additions for new feature surface (a tag cannot be cut if a release includes new public surface without paired tests).


    Ya kutosha kwa nishani!

    Mradi LAZIMA ujumuishe, katika maelekezo yake yaliyoandikwa kwa mapendekezo ya mabadiliko, sera kwamba majaribio yataongezwa kwa utendakazi mkubwa mpya. [tests_documented_added]
    Hata hivyo, hata sheria isiyo rasmi inakubaliwa mradi majaribio yaongezwe kimakosa.

    The test-addition policy is documented in the CONTRIBUTING.md PR checklist: https://github.com/allenfbyrd/evidentia/blob/main/CONTRIBUTING.md.


  • Bendera za maonyo


    Ya kutosha kwa nishani!

    Miradi LAZIMA iwe na ukali wa juu zaidi na maonyo katika programu iliyozalishwa na mradi, iwezekanavyo vitendo. [warnings_strict]
    Baadhi ya maonyo hayawezi kuwashwa kwa ufanisi kwenye miradi fulani. Kinachohitajika ni ushahidi kwamba mradi unajitahidi kuwasha bendera za onyo ambapo inaweza, ili makosa yagundulika mapema.

    mypy runs with strict = true (config in pyproject.toml) — implies disallow_untyped_defs, disallow_incomplete_defs, check_untyped_defs, disallow_untyped_decorators, no_implicit_optional, warn_redundant_casts, warn_unused_ignores, warn_return_any, no_implicit_reexport, and strict_equality. Pydantic v2 plugin is enabled for full schema validation in type-check. Ruff rule set is broad (8 rule groups). Type-checking covers all 138 source files at zero errors.


 Usalama 13/13

  • Maarifa ya maendeleo yenye usalama


    Ya kutosha kwa nishani!

    Mradi LAZIMA utekeleze kanuni za muundo salama (kutoka "know_secure_design"), pale inapohusika. Ikiwa mradi hauzalishi programu, chagua "haihusiki" (N/A). [implement_secure_design]
    Kwa mfano, matokeo ya mradi yanapaswa kuwa na mipangilio salama ya kuzuia makosa (maamuzi ya ufikiaji yanapaswa kukataa kwa chaguo-msingi, na usakinishaji wa mradi unapaswa kuwa salama kwa chaguo-msingi). Pia yanapaswa kuwa na kikuu cha kati kikamilifu (kila ufikiaji ambao unaweza kuwekwa kikomo lazima ufanyiwe ukaguzi wa mamlaka na usiweze kuvukwa). Kumbuka kwamba katika hali fulani kanuni zitagombana, na katika hali hiyo chaguo lazima lifanywe (k.m., taratibu nyingi zinaweza kufanya mambo kuwa magumu zaidi, kukiuka "uchumi wa utaratibu" / iweke rahisi).

    Secure-design principles applied throughout the codebase per docs/threat-model.md and docs/security-review-v0.7.9.md:

    • Least privilege: GitHub Actions workflows default to read-only permissions with per-job elevation; collector API tokens are scoped to read-only (vendors:read for Vanta, vendor-inventory only for Drata, etc.).
    • Fail-safe defaults: Pydantic extra="forbid", offline mode is default-on for the AI module unless explicitly opted in, security-headers default OFF on localhost binds + auto-ON for non-loopback (--security-headers flag).
    • Complete mediation: every external input passes through validate_within() / Pydantic validation before reaching business logic; vendor inventory validates UUID-shape IDs at storage layer.
    • Separation of privilege: cosign keyless OIDC + Trusted Publisher OIDC (no long-lived secrets to compromise); vendor-risk-collector tokens never flow through CLI args or REST request bodies (env-var only).
    • Defense in depth: ruff + mypy + CodeQL + osv-scanner + Scorecard + manual /security-review per release. The v0.7.9 cycle ran THREE Continuous-variant pre-release-reviews mid-cycle (P0.1 close + P0.3+P0.2-first close + P0.4-quartet close) plus the final Pre-tag run at ship — surfacing 18 findings across the cycle (5 inline-fixed HIGH + 1 inline-fixed LOW security + 12 deferred MEDIUM/LOW).
    • Input validation as allowlist: Pydantic schemas enumerate accepted shapes; everything else rejected. CSV-injection defenses (CWE-1236) via _csv_safe in TPRM concentration-report + DD-questionnaire CSV/XLSX render paths.
    • Cross-host pagination guards: BitSight + Vanta + Drata pagination loops refuse to follow next URLs pointing off-host or to a TLS-downgraded HTTP scheme (CWE-319 defense, v0.7.9 P0.4 Continuous F-V09-S1).

  • Tumia mazoea mazuri ya msingi ya usimbuaji

    Kumbuka kwamba programu fulani haihitaji kutumia taratibu za usimbuaji. Ikiwa mradi wako unazalisha programu ambayo (1) inajumuisha, inaamilisha, au inafanya usimbuaji kuwa hai, na (2) inaweza kutolewa kutoka Marekani (US) kwenda nje ya Marekani au kwa raia asiye wa Marekani, inaweza kuwa ni lazima kisheria kuchukua hatua chache za ziada. Kawaida hii inahusisha tu kutuma barua pepe. Kwa maelezo zaidi, tazama sehemu ya usimbuaji ya Kuelewa Teknolojia ya Chanzo Wazi & Udhibiti wa Usafirishaji wa Marekani.

    Ya kutosha kwa nishani!

    Mifumo ya usalama ya chaguo-msingi ndani ya programu inayozalishwa na mradi LAZIMA ISITEGEMEE algoriti za kriptologia au hali zenye udhaifu mkubwa unaojulikana (k.m., algoriti ya hash ya kriptologia ya SHA-1 au hali ya CBC katika SSH). [crypto_weaknesses]
    Wasiwasi kuhusu hali ya CBC katika SSH unajadiliwa katika CERT: SSH CBC vulnerability.

    No SHA-1 (for security purposes), no CBC mode in SSH context, no deprecated TLS versions (relies on Python stdlib + httpx defaults which negotiate TLS 1.2+ with AEAD ciphers).


    Ya kutosha kwa nishani!

    Mradi INAPASWA kusaidia algoriti nyingi za kriptologia, ili watumiaji waweze kubadilisha haraka ikiwa moja imevunjwa. Algoriti za kawaida za funguo za simetria ni pamoja na AES, Twofish, na Serpent. Mbadala wa algoriti za hash za kriptologia za kawaida ni pamoja na SHA-2 (ikiwa ni pamoja na SHA-224, SHA-256, SHA-384 NA SHA-512) na SHA-3. [crypto_algorithm_agility]

    Hash functions: hashlib supports the full SHA-2 (224/256/384/512) and SHA-3 family; Evidentia uses SHA-256 by default but the digest helper at packages/evidentia-core/src/evidentia_core/oscal/digest.py is parameterizable. Sigstore signing supports both ECDSA P-256 and RSA — the cosign CLI lets users pick. TLS cipher selection is delegated to httpx/urllib3 which negotiate from a wide modern AEAD ciphersuite list.


    Ya kutosha kwa nishani!

    Mradi LAZIMA usaidie kuhifadhi vitambulisho vya uthibitishaji (kama vile nywila na ishara za nguvu) na funguo za kibinafsi za kriptologia katika mafaili ambayo yametengwa na habari nyingine (kama vile mafaili ya usanidi, hifadhidata, na kumbukumbu), na kuruhusu watumiaji kusasisha na kubadilisha bila ukusanyaji upya wa msimbo. Ikiwa mradi haufanyi usindikaji wa vitambulisho vya uthibitishaji na funguo za kibinafsi za kriptologia, chagua "haihusiki" (N/A). [crypto_credential_agility]

    Where Evidentia handles outbound credentials (LLM provider API keys, collector credentials for Postgres/MySQL/Snowflake/Databricks/Tableau/Power BI/Okta/ServiceNow + the v0.7.9 vendor-risk APIs Vanta/Drata/BitSight/SecurityScorecard), they are read from environment variables or external config files (never embedded in code, never accepted via CLI args or REST request bodies). Operator updates the env file; no code recompilation required. Documented in docs/quickstart.md and per-collector docs (sql-collectors.md, cloud-dw-collectors.md, bi-integrations.md, tprm.md).


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi INAPASWA kusaidia itifaki salama kwa mawasiliano yake yote ya mtandao, kama vile SSHv2 au zaidi, TLS1.2 au zaidi (HTTPS), IPsec, SFTP, na SNMPv3. Itifaki zisizo salama kama vile FTP, HTTP, telnet, SSLv3 au mapema zaidi, na SSHv1 ZINAPASWA kuzimwa kwa chaguo-msingi, na kuzimwa tu ikiwa mtumiaji anaisanidi mahususi. Ikiwa programu iliyozalishwa na mradi haiesaidii mawasiliano ya mtandao, chagua "haihusiki" (N/A). [crypto_used_network]

    All outbound network communication is HTTPS / TLS 1.2+ via httpx (LLM provider calls, BI publish API calls) or HTTPS via the SDK clients (databricks-sdk, snowflake-connector-python, etc.). No legacy protocol support (FTP, telnet, plain HTTP for non-localhost) is implemented or exposed.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi INAPASWA, ikiwa inasaidia au inatumia TLS, kusaidia angalau toleo la TLS 1.2. Kumbuka kuwa kilichotangulia TLS kiliitwa SSL. Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_tls12]

    All TLS connections go through Python's ssl module via httpx/urllib3 which negotiate TLS 1.2 or 1.3 by default against modern endpoints. Older TLS versions are not enabled.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi LAZIMA, ikiwa inasaidia TLS, ifanye uthibitishaji wa cheti cha TLS kwa chaguo-msingi inapotumia TLS, ikiwa ni pamoja na rasilimali ndogo. Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_certificate_verification]
    Kumbuka kuwa uthibitishaji usio sahihi wa cheti cha TLS ni kosa la kawaida. Kwa maelezo zaidi, angalia "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" na Martin Georgiev et al. na "Do you trust this application?" na Michael Catanzaro.

    Default certificate verification is on for httpx (verify=True is the default), urllib3, and all collector SDKs (databricks-sdk, snowflake-connector-python, tableau-server-client, etc.). Certificate verification is never disabled in project code; only an operator-set env var would change this behavior.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi LAZIMA, ikiwa inasaidia TLS, ifanye uthibitishaji wa cheti kabla ya kutuma vichwa vya HTTP na habari ya kibinafsi (kama vile vidakuzi salama). Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_verification_private]

    Same code path as crypto_certificate_verification — httpx and underlying urllib3/ssl perform the TLS handshake (with cert verification) before any application-layer request is sent. Headers including credentials are only emitted after the validated TLS session is established. No project code bypasses this ordering.


  • Kutolewa kwa usalama


    Ya kutosha kwa nishani!

    Mradi LAZIMA uweke saini kwa kriptologia matoleo ya matokeo ya mradi yanayokusudiwa kwa matumizi ya kila mahali, na LAZIMA kuwe na mchakato ulioandikwa unaoweleza watumiaji jinsi wanaweza kupata funguo za umma za saini na kuthibitisha saini. Funguo ya kibinafsi kwa saini hizi LAZIMA ISIWE kwenye tovuti zinazosambaza moja kwa moja programu kwa umma. Ikiwa matoleo hayakusudiwa kwa matumizi ya kila mahali, chagua "haihusiki" (N/A). [signed_releases]
    Matokeo ya mradi ni pamoja na msimbo wa chanzo na matokeo yoyote yaliyozalishwa pale inapohusika (k.m., mifumo inayotekelezeka, vifurushi, na vyombo). Matokeo yaliyozalishwa YANAWEZA kuwekwa saini tofauti na msimbo wa chanzo. Hizi ZINAWEZA kutekelezwa kama lebo za git zilizowekwa saini (kwa kutumia saini za kidijitali za kriptologia). Miradi YAWEZA kutoa matokeo yaliyozalishwa tofauti na zana kama vile git, lakini katika hali hizo, matokeo tofauti LAZIMA yawekwe saini tofauti.

    Every PyPI release wheel + sdist is signed via Sigstore PEP 740 attestations (keyless OIDC, signed via the Sigstore public good instance and recorded in the Rekor transparency log). Container images are signed by cosign keyless OIDC against the image digest. SLSA L3 build provenance attestations are emitted for every release. Verification commands documented at https://github.com/allenfbyrd/evidentia/blob/main/docs/sigstore-quickstart.md. Private signing keys do not exist on the distribution side (keyless flow), satisfying the "private key not on distribution site" requirement by construction.


    Kwa shida ya kutosha kwa nishani.

    INAPENDEKEZWA kuwa katika mfumo wa udhibiti wa toleo, kila lebo muhimu ya toleo (lebo ambayo ni sehemu ya toleo kuu, toleo dogo, au kurekebishwa udhaifu uliotangazwa hadharani) iwekwe saini kwa kriptologia na iweze kuthibitishwa kama ilivyoelezwa katika signed_releases. [version_tags_signed]

    Git tags are not currently GPG/SSH-signed at the tag-object level. Release artifacts are signed via Sigstore PEP 740 + cosign keyless OIDC + SLSA L3 provenance, which is a stronger and more verifiable provenance chain than git tag signing (the artifact's identity is bound to the GitHub Actions workflow + commit SHA in the OIDC token). Adding signed git tags is a planned addition in v0.8.0 (will use the same Sigstore identity).


  • Masuala mengine ya usalama


    Ya kutosha kwa nishani!

    Matokeo ya mradi LAZIMA yafanye ukaguzi wa pembejeo zote kutoka vyanzo visivyoaminika ili kuhakikisha ni halali (*orodha zinazokubalika*), na kukataa pembejeo zisizo halali, ikiwa kuna vizuizi vyovyote kwenye data kabisa. [input_validation]
    Kumbuka kuwa kulinganisha ingizo dhidi ya orodha ya "miundo mibaya" (aka *orodha za kukataza*) kwa kawaida haitoshi, kwa sababu washambuliaji mara nyingi wanaweza kuepuka orodha ya kukataza. Hasa, nambari zinabadilishwa kuwa miundo ya ndani na kisha kuangaliwa ikiwa ziko kati ya chini na juu zao (ikiwa ni pamoja), na vifungu vya maandishi vinaangaliwa ili kuhakikisha kuwa ni ruwaza halali za maandishi (k.m., UTF-8 halali, urefu, sintaksia, n.k.). Baadhi ya data inaweza kuhitaji kuwa "chochote kabisa" (k.m., kipakia faili), lakini hizi kwa kawaida zingekuwa nadra.

    All external inputs are validated via Pydantic v2 with extra="forbid" (reject unknown fields). Specific patterns: validate_within() helper for path inputs (CWE-22 prevention); SQL collector queries are parameterized + LIMIT-bounded; Snowflake quoted-identifier escaping per Snowflake's documented double-up convention (v0.7.9 carry-over hardening); YAML loaded via yaml.safe_load (CWE-502 prevention); subprocess calls are shell=False (CWE-78 prevention); LLM provider calls validate the provider/model allowlist before dispatch. Catalog 22-character column-truncation, 17-endpoint schema-fidelity validation, offline-mode enforcement, BitSight/Vanta/Drata/SSC cross-host pagination guards (cross-host + TLS-scheme downgrade refusal per CWE-319), and CSV-injection defenses on TPRM concentration-report + DD-questionnaire user-content cells (CWE-1236 via _csv_safe OWASP single-quote prefix) all act as additional allowlist gates. The Power BI 1MB byte-cap guard (v0.7.9 carry-over) splits batches that exceed Power BI's documented 1MB request-body limit. Documented in docs/threat-model.md and docs/security-review-v0.7.9.md.


    Ya kutosha kwa nishani!

    Taratibu za kuimarisha ZINAPASWA kutumiwa katika programu iliyozalishwa na mradi ili kasoro za programu ziwe na uwezekano mdogo wa kusababisha udhaifu wa usalama. [hardening]
    Taratibu za kuimarisha zinaweza kujumuisha vichwa vya HTTP kama Sera ya Usalama wa Maudhui (CSP), bendera za mkusanyaji ili kupunguza mashambulizi (kama vile -fstack-protector), au bendera za mkusanyaji ili kuondoa tabia isiyofafanuliwa. Kwa madhumuni yetu upendeleo mdogo hauhesabiwi kuwa utaratibu wa kuimarisha (upendeleo mdogo ni muhimu, lakini tofauti).

    Hardening posture:

    • Container: distroless-style image (Dockerfile pins python by SHA digest); HEALTHCHECK present; non-root user where applicable.
    • HTTP API: FastAPI with Pydantic-validated request models; response headers include strict Content-Type; no stack-trace leakage in error responses (F-002, F-003 fixed in v0.7.7).
    • CI: workflow permissions default read-only with per-job elevation; SHA-pinned actions throughout (Scorecard Pinned-Dependencies signal green); CodeQL custom QL pack to suppress validate_within false positives.
    • Supply chain: PEP 740 + SLSA L3 + cosign signing closes the publish-side hardening loop.

    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe kesi ya uhakika inayosababisha kwa nini mahitaji yake ya usalama yanakidhi. Kesi ya uhakika LAZIMA ijumuishe: maelezo ya muundo wa tishio, utambulisho wazi wa mipaka ya kuaminiwa, hoja kwamba kanuni za muundo salama zimetumika, na hoja kwamba udhaifu wa kawaida wa utekelezaji wa usalama umekabiliana nao. (URL inahitajika) [assurance_case]
    Kesi ya uhakika ni "mwili wa ushahidi ulioandikwa unaotoa hoja inayoshawishi na halali kwamba seti maalum ya madai muhimu kuhusu mali za mfumo ziko na sababu za kutosha kwa programu maalum katika mazingira maalum" ("Uhakika wa Programu Kwa kutumia Miundo ya Kesi ya Uhakika Iliyopangwa", Thomas Rhodes et al, NIST Interagency Report 7608). Mipaka ya kuaminiwa ni mipaka ambapo data au utekelezaji hubadilisha kiwango chake cha kuaminiwa, k.m., mipaka ya seva katika programu ya kawaida ya wavuti. Ni ya kawaida kuorodhesha kanuni za muundo salama (kama vile Saltzer na Schroeer) na udhaifu wa kawaida wa utekelezaji wa usalama (kama vile OWASP top 10 au CWE/SANS top 25), na kuonyesha jinsi kila moja unavyokabiliana. Kesi ya uhakika ya BadgeApp inaweza kuwa mfano wenye manufaa. Hii inahusiana na documentation_security, documentation_architecture, na implement_secure_design.

    Assurance case is composed across three documents:

    1. Threat model: https://github.com/allenfbyrd/evidentia/blob/main/docs/threat-model.md — ~58 surfaces in 5 tiers (v0.7.9 ships TPRM module + 4 vendor-risk-collector additions to the surface inventory), explicit trust boundaries, in-scope/out-of-scope definitions.
    2. Security review (most recent release): https://github.com/allenfbyrd/evidentia/blob/main/docs/security-review-v0.7.9.md — applies CVSS/CWE/EPSS classification to the active surface and demonstrates that secure-design principles have been applied (least privilege, fail-safe defaults, complete mediation, separation of privilege, defense in depth) and common implementation weaknesses have been countered (CWE-22, CWE-78, CWE-89, CWE-502, CWE-209, CWE-319 cross-host TLS-downgrade, CWE-1236 CSV injection, CWE-693 protection-mechanism failure, etc.). The /pre-release-review v4 skill's mandatory /security-review invocations at Steps 3, 4, 6.C produce the input the document synthesizes.
    3. Accepted-findings registry: https://github.com/allenfbyrd/evidentia/blob/main/docs/enterprise-grade-accepted-findings.md — documents residual-risk acceptance with explicit rationale.

 Uchanganuzi 2/2

  • Uchambuzi tuli wa msimbo


    Ya kutosha kwa nishani!

    Mradi LAZIMA utumie angalau zana moja ya uchanganuzi tuli yenye sheria au mbinu za kutafuta udhaifu wa kawaida katika lugha au mazingira yaliyochanganuliwa, ikiwa kuna angalau zana moja ya FLOSS inayoweza kutekeleza kigezo hiki katika lugha iliyochaguliwa. [static_analysis_common_vulnerabilities]
    Zana za uchambuzi tuli ambazo zimeundwa hasa kutafuta udhaifu wa kawaida zina uwezekano mkubwa wa kuzipata. Hata hivyo, kutumia zana zozote za tuli kwa kawaida itasaidia kupata baadhi ya matatizo, kwa hivyo tunashauri lakini hatunahitaji hii kwa kiwango cha nishani ya 'kupita'.

    CodeQL ships with the default security-and-quality query packs which include rules for the OWASP Top 10 and CWE Top 25 (path traversal, SQL injection, XSS, command injection, deserialization vulns, hardcoded credentials, regex DoS, etc.). All these queries run on every push/PR.


  • Uchambuzi wa msimbo wa nguvu za ziada


    Ya kutosha kwa nishani!

    Ikiwa programu iliyozalishwa na mradi inajumuisha programu iliyoandikwa kwa kutumia lugha isiyosalama ya kumbukumbu (k.m., C au C++), basi angalau zana moja ya nguvu (k.m., fuzzer au kitafutaji cha programu ya wavuti) LAZIMA itumike kwa kawaida kwa pamoja na utaratibu wa kugundua matatizo ya usalama wa kumbukumbu kama vile uandikaji zaidi wa kipengele. Ikiwa mradi hauzalishi programu iliyoandikwa katika lugha isiyosalama ya kumbukumbu, chagua "haihusiki" (N/A). [dynamic_analysis_unsafe]
    Mifano ya taratibu za kugundua matatizo ya usalama wa kumbukumbu ni pamoja na Address Sanitizer (ASAN) (inapatikana katika GCC na LLVM), Memory Sanitizer, na valgrind. Zana nyingine zinazoweza kutumika ni pamoja na thread sanitizer na undefined behavior sanitizer. Madai ya kila mahali pia yaweza kufanya kazi.

    Evidentia is implemented in pure Python (memory-safe) for the backend and TypeScript (memory-safe) for the evidentia-ui frontend. No memory-unsafe language is used in project source.



Data hii inapatikana chini ya Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). Hii inamaanisha kuwa Mpokeaji wa Data anaweza kushiriki Data, na au bila marekebisho, mradi Mpokeaji wa Data anapatanisha maandishi ya mkataba huu na Data iliyoshirikiwa. Tafadhali tambua Allen Byrd na wachangiaji wa nishani ya Mazoea Bora ya OpenSSF.

Ingizo la nishani ya mradi linamilikiwa na: Allen Byrd.
Ingizo liliundwa siku 2026-05-02 06:10:52 UTC, iliyosasishwa mara ya mwisho siku 2026-05-16 02:28:02 UTC. Ilipata mara ya mwisho nishani ya kupita siku 2026-05-03 21:20:04 UTC.