IBM Cloud Docs
Evidence

Evidence collection is one of the core aspects of the DevSecOps reference architecture. Compliance evidence creates the audit trail that auditors look for during a compliance audit. One of the goals of DevSecOps is to generate and store evidence automatically in auditable evidence lockers.

The way DevSecOps pipelines handle evidence (file format and locker structure) comes in two distinct versions, described below: v2, the current format, and v1, the legacy format.

Evidence creation

Evidence differs from the artifacts that pipeline steps create, such as unit test results or XML or JSON files. Each task must report to several tools that handle evidence, such as creating, formatting, and storing it.

Any test, check, or scan can produce evidence in a pipeline step by using the DevSecOps tool or pipeline steps that are shown in the following image. The DevSecOps tools must be able to receive the task result, create the evidence, and then store it in the evidence locker.

Image: Evidence creation

The evidence format contains the task result (success or failure), links to the artifacts that were created, and links to any incidents that were created based on the task result.

These tools focus solely on collecting evidence and do not change the behaviour of your build process in any way. The DevSecOps reference pipeline does not stop when a task fails. An image can be built and deployed with failing tests and vulnerabilities, as long as the evidence of the checks and of the failures exists. The team is notified, a change request created during deployment contains the evidence of these incidents, and that change request is approved manually.

Evidence flow

The following diagram shows how evidence is processed and how it passes through the continuous integration and continuous deployment stages.

Image: Data flow

Each piece of evidence that is collected during the various stages of the DevOps architecture is stored in auditable evidence lockers. During deployment, this evidence is collected to create an evidence summary, which is saved in the evidence locker at the end of the deployment run.

The evidence summary is attached to the change request, which is published in the change request store. During manual approval of the change request, the approver is aware of the incidents found during the build. The summary is also submitted to the Security and Compliance Center.

Evidence v2 (current format)

Evidence locker v2

Unlike v1, evidence is stored in a flat hierarchy in which each piece of evidence is identified by its own SHA-256 hash, which provides a layer of integrity protection (that is, any modification of the evidence content can be detected). Because each piece of evidence is linked to one or more assets, the evidence summarization algorithms discover the relevant evidence based on assets (as opposed to pipeline run IDs in v1 evidence lockers).

The only hierarchy is the differentiation by type and a hash-based grouping similar to the structure of Git hash objects.

Example

.
└── raw/
    ├── assets/
    │   └── xx/
    │       └── abcdef123456789/
    │           ├── evidences/
    │           │   ├── 00abcdef123456789
    │           │   └── 01abcdef123456789
    │           └── index.json
    ├── attachments/
    │   ├── aa/
    │   │   └── abcdef123456789/
    │   │       └── content
    │   └── ab/
    │       └── abcdef123456789/
    │           └── content
    ├── cd/
    │   └── c9b77749-fd59-4d32-bbdb-18e55db1615d/
    │       ├── summary.json
    │       └── evidence-checks.json
    ├── cc/
    │   └── absd7749-fd59-4d32-bbdb-18e55db1615d/
    │       ├── summary.json
    │       └── evidence-checks.json
    └── evidences/
        ├── 00/
        │   └── abcdef123456789/
        │       └── index.json
        └── 01/
            └── abcdef123456789/
                └── index.json

Evidence collection v2

v2 evidence must be collected as close as possible to the process that created the result for the evidence: after each scan run or after each test, for example.

To collect evidence, the collect-evidence script can be used in DevSecOps pipelines.

Evidence format v2

A piece of evidence represents the result of a scan, a test, and so on. Evidence is always connected to at least one unique asset. Multiple assets are allowed, for example a single end-to-end test suite that most likely tests several assets together.

An asset represents something that you can test, scan, and so on, such as a Git commit in a repository, a Docker image, or any generic asset with a URI.

The Evidence and Asset types represent the schema of the v2 locker items: evidence and asset. The schema uses TypeScript syntax, but you can convert it to a JSON schema.

type SHA1 = string;          // 40 character string representing a SHA-1 hash in hexadecimal format
type SHA256 = string;        // 64 character string representing a SHA256 hash in hexadecimal format
type IssueURL = string;      // Link to issues on a git service provide like GitHub or GitLab
type RepositoryURL = string; // Link to a git repository
type AssetURI = string;      // URI of an Asset, like an image or a repository link and git hash
type FileName = string;      // file basename of the attachment


interface Evidence {
  version: 2;
  id: SHA256;
  date: string;
  evidence_type_id: string;
  evidence_type_version: string;
  origin: {
    // scope defines a contextual set for multiple evidence, usually a SHA256 identifier or a CI/CD run ID
    scope: SHA256;  

    // any further IDs can be used to determine evidence origin, see example
    [index: string]: string;
  },
  details: {
    result: 'success' | 'failure' | 'pending';
    tool: string;

    // field "details" can have any arbitrary key-value pairs to provide metadata
    [index: string]: string;
  }
  attachments: Record<string, string> | EvidenceAssetAttachment[];
  assets: string[] | EvidenceAssetAttachment[];
  issues: IssueURL[],
  findings?: IncidentFinding[];
}

export interface IncidentFinding {
  id: string;
  url: string;
  due_date: string;
  first_found?: string;
  severity: 'critical' | 'high' | 'medium' | 'low' | 'informational';
  has_exempt: boolean;
  found_status: 'new' | 'existing' | 'autoclosed' | 'readonly';
}

export interface EvidenceAssetAttachment {
  url: string;  // complete URL of the asset or attachment in the locker
  hash: string; // SHA256 hash of the asset or attachment
  uri?: string; // URI of the asset (see AssetURI)
}

interface Asset {
    version: 1;
    id: SHA256;
    uri: AssetURI;
    date: string;
    type: 'commit' | 'image' | 'generic';
    origin: {
      // any IDs can be used to determine asset origin, see example
      [index: string]: string;
    },
    details: Record<string, string>,

    // Assets can relate to each other, for example
    // an Image Asset can relate to the Git Commit Asset
    // it was built from on code level
    related: SHA256[];
}

Example

v2 asset example
{
  "version": "1",
  "id": "cdd3ee20188d2f5bfb7f14bdb9c7fa99b22184ca195d9fa0a953dfbe9b1769cb",
  "uri": "https://github.ibm.com/cocoa-test/e2e-hello-compliance-app-20220412084808399.git#8c2a65373cb4fd27bccff646e8bdf63d02cae856",
  "origin": {
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/40111714589c4f7099032529b26a7a63:fd3f2bf6-00f1-417f-b1a2-7df894223115::",
    "pipeline_run_id": "a5e89ecc-a413-4dcb-b129-ff870ef3be85",
    "pipeline_id": "66b583d9-3d1b-4b34-9e3a-cb807bf0c5ab"
  },
  "details": {
    "sha": "8c2a65373cb4fd27bccff646e8bdf63d02cae856",
    "repository": "https://github.ibm.com/cocoa-test/e2e-hello-compliance-app-20220412084808399.git"
  },
  "date": "2022-04-20T09:26:46.226Z",
  "type": "commit",
  "related": [
    "26a0f02126461e6505d5001d50ac71e585c280479a01cc70e36397a784440bf8"
  ]
}
v2 evidence example
{
  "version": "2",
  "id": "3fd209270fbaf46137ec3966affac2a431a835e750301c7c44d583e0e426e29e",
  "date": "2022-04-20T09:33:43.782Z",
  "evidence_type_id": "com.ibm.code_vulnerability_scan",
  "evidence_type_version": "1.0.0",
  "details": {
    "result": "failure",
    "tool": "cra"
  },
  "origin": {
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/779c0808c946b9e15cc2e63013fded8c:68213c68-4794-4d5e-ab50-f33d0d6190e4::",
    "pipeline_id": "c17f18a6-24dd-4949-abb7-2b374f4691b6",
    "pipeline_run_id": "d7a88836-72a1-402b-bb28-701439a543ae",
    "pipeline_run_url": "https://cloud.ibm.com/devops/pipelines/tekton/c17f18a6-24dd-4949-abb7-2b374f4691b6/runs/d7a88836-72a1-402b-bb28-701439a543ae/code-compliance-checks/run-stage/?env_id=ibm:yp:us-south",
    "scope": "117458e26512b0308d93cf6852958e5e875294a982d2b4ea2e9f463b4551a846"
  },
  "assets": [
    {
      "hash": "cdd3ee20188d2f5bfb7f14bdb9c7fa99b22184ca195d9fa0a953dfbe9b1769cb",
      "uri": "https://github.ibm.com/cocoa-test/e2e-hello-compliance-app-20220412084808399.git#8c2a65373cb4fd27bccff646e8bdf63d02cae856",
      "url": "https://s3.private.us-south.cloud-object-storage.appdomain.cloud/test/assets/cdd3ee20188d2f5bfb7f14bdb9c7fa99b22184ca195d9fa0a953dfbe9b1769cb/index.json"
    }
  ],
  "issues": [
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/1",
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/2",
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/3"
  ],
  "findings": [
    {
      "id": "CVE-2022-42011",
      "due_date": "2024-04-20",
      "severity": "medium",
      "first_found": "2024-03-06",
      "url": "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/3",
      "found_status": "new",
      "has_exempt": true
    },
    {
      "id": "CVE-2022-42010",
      "due_date": "2024-04-20",
      "severity": "medium",
      "first_found": "2024-03-06",
      "url": "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/1",
      "found_status": "existing",
      "has_exempt": false
    },
    {
      "id": "CVE-2023-34969",
      "due_date": "2024-04-20",
      "severity": "medium",
      "first_found": "2024-03-06",
      "url": "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/2",
      "found_status": "existing",
      "has_exempt": true
    }
  ],
  "attachments": [
    {
      "hash": "9a841ef856a5de813dbe440b102b9bff3ca1831630292cff7323c557704f386b",
      "url": "https://s3.private.us-south.cloud-object-storage.appdomain.cloud/test/assets/9a841ef856a5de813dbe440b102b9bff3ca1831630292cff7323c557704f386b/index.json"
    }
  ]
}
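Because the locker is written by pipeline tasks and read by approvers and by the Security and Compliance Center, a record that does not conform to the schema above silently weakens the audit trail. The following is an added example, not part of the IBM DevSecOps tooling, that checks a v2 evidence record against the constraints visible in the Evidence, IncidentFinding, and EvidenceAssetAttachment types: 64-character hex digests for id, origin.scope and every hash, the result and finding enumerations, ISO-8601 dates, and the rule that evidence is always tied to at least one asset. Two points are assumptions: the version field is accepted either as the number 2 (schema) or the string "2" (example above), and dates are parsed with Python's ISO-8601 parser. The sample record is constructed.

```python
"""Structural validation of a v2 evidence record (added example)."""
import re
from datetime import datetime

HEX64 = re.compile(r"^[0-9a-f]{64}$")
RESULTS = {"success", "failure", "pending"}
SEVERITIES = {"critical", "high", "medium", "low", "informational"}
FOUND_STATUS = {"new", "existing", "autoclosed", "readonly"}


def _is_iso_date(value) -> bool:
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def _check_ref(item, errors: list, where: str) -> None:
    """An asset or attachment is either a bare string or an EvidenceAssetAttachment object."""
    if isinstance(item, str):
        return
    if not isinstance(item, dict) or not isinstance(item.get("url"), str):
        errors.append(f"{where}: expected a string or an object with url and hash")
        return
    if not HEX64.match(str(item.get("hash", ""))):
        errors.append(f"{where}: hash must be a 64-char SHA-256 hex digest")


def validate_evidence_v2(ev: dict) -> list:
    """Returns a list of problems; an empty list means the record is well-formed."""
    errors = []
    if str(ev.get("version")) != "2":          # assumed: 2 or "2" both acceptable
        errors.append("version must be 2")
    if not HEX64.match(str(ev.get("id", ""))):
        errors.append("id must be a 64-char SHA-256 hex digest")
    if not _is_iso_date(ev.get("date")):
        errors.append("date must be ISO-8601")
    for key in ("evidence_type_id", "evidence_type_version"):
        if not isinstance(ev.get(key), str) or not ev[key]:
            errors.append(f"{key} must be a non-empty string")
    origin = ev.get("origin") or {}
    if not HEX64.match(str(origin.get("scope", ""))):
        errors.append("origin.scope must be a 64-char SHA-256 hex digest")
    details = ev.get("details") or {}
    if details.get("result") not in RESULTS:
        errors.append("details.result must be success|failure|pending")
    if not isinstance(details.get("tool"), str):
        errors.append("details.tool must be a string")
    assets = ev.get("assets")
    if not isinstance(assets, list) or not assets:
        errors.append("assets must list at least one asset")   # evidence is always tied to an asset
    else:
        for i, a in enumerate(assets):
            _check_ref(a, errors, f"assets[{i}]")
    attachments = ev.get("attachments", [])
    if isinstance(attachments, list):
        for i, a in enumerate(attachments):
            _check_ref(a, errors, f"attachments[{i}]")
    elif not isinstance(attachments, dict):
        errors.append("attachments must be a list or a name->url map")
    if not isinstance(ev.get("issues"), list):
        errors.append("issues must be a list of issue URLs")
    for i, f in enumerate(ev.get("findings") or []):
        if f.get("severity") not in SEVERITIES:
            errors.append(f"findings[{i}].severity invalid")
        if f.get("found_status") not in FOUND_STATUS:
            errors.append(f"findings[{i}].found_status invalid")
        if not isinstance(f.get("has_exempt"), bool):
            errors.append(f"findings[{i}].has_exempt must be boolean")
        if not _is_iso_date(f.get("due_date")):
            errors.append(f"findings[{i}].due_date must be ISO-8601")
    return errors


# Constructed sample: a failing vulnerability scan with one open, non-exempt finding.
SAMPLE = {
    "version": "2",
    "id": "3f" * 32,
    "date": "2024-03-06T10:00:00.000Z",
    "evidence_type_id": "com.ibm.code_vulnerability_scan",
    "evidence_type_version": "1.0.0",
    "origin": {"scope": "11" * 32, "pipeline_run_id": "constructed-run"},
    "details": {"result": "failure", "tool": "cra"},
    "assets": [{"hash": "cd" * 32, "uri": "https://example.test/app.git#abc",
                "url": "https://locker.example.test/assets/cd"}],
    "issues": ["https://example.test/issues/1"],
    "findings": [{"id": "constructed-finding-1", "url": "https://example.test/issues/1",
                  "due_date": "2024-04-20", "first_found": "2024-03-06", "severity": "medium",
                  "has_exempt": False, "found_status": "new"}],
    "attachments": [{"hash": "9a" * 32, "url": "https://locker.example.test/attachments/9a"}],
}

if __name__ == "__main__":
    print(validate_evidence_v2(SAMPLE) or "well-formed")
```

Run this at the point where the collect-evidence step hands the record to the locker; rejecting a malformed record there is cheaper than discovering at change-request approval that the summary cannot be trusted.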

Evidence summary v2

The DevSecOps pipeline creates an evidence summary document. This document contains the most recent of all the evidence that was created during each of the continuous integration builds that deploy an image, together with the evidence that was created during the deployment itself. The summary is created for the change request that is required to deploy a stage. This evidence format is not yet supported by the Security and Compliance Center integration.

interface Summary {
  version: '2.0';                // schema version
  date: string;                  // ISO-8601, UTC, ie. YYYY-MM-DDThh:mm:ssZ
  toolchain_crn: string;         // CRN of the toolchain that generated the summary
  pipeline_id: string;           // ID of the pipeline that generated the summary
  pipeline_run_id: string;       // ID of the pipeline run that generated the summary
  evidences: Evidence[];
}

This summary does not perform any aggregation of results. It consists of the raw v2 evidence records as they were found for the assets that are associated with a change request.
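Since the Summary type above carries the raw evidence list and aggregates nothing, whoever approves the change request has to derive the blocking items themselves. The following is an added example of that client-side reduction, not IBM's summary or change-request tooling: for each (asset, evidence_type_id) pair it keeps only the newest record, then lists failures and findings that are either not exempt or past their due date at the summary's date. Two points are assumptions rather than page facts: a finding with has_exempt set to true does not block approval on its own, and due_date is compared as a calendar date against the summary date. The summary data is constructed.

```python
"""Reduce a v2 evidence summary to what a change-request approver must look at (added example)."""
from collections import defaultdict
from datetime import date, datetime


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _asset_hashes(ev: dict) -> list:
    return [a["hash"] if isinstance(a, dict) else a for a in ev.get("assets", [])]


def latest_per_asset_and_type(evidences: list) -> dict:
    """(asset_hash, evidence_type_id) -> newest evidence record."""
    newest = {}
    for ev in evidences:
        for asset in _asset_hashes(ev):
            key = (asset, ev["evidence_type_id"])
            if key not in newest or _parse_ts(ev["date"]) > _parse_ts(newest[key]["date"]):
                newest[key] = ev
    return newest


def review_summary(summary: dict) -> dict:
    """Returns the blocking items per asset; 'approvable' is true only when there are none."""
    as_of = _parse_ts(summary["date"]).date()
    blocking = defaultdict(list)
    for (asset, etype), ev in latest_per_asset_and_type(summary["evidences"]).items():
        if ev["details"]["result"] != "success":
            blocking[asset].append(
                f"{etype}: result={ev['details']['result']} issues={ev.get('issues', [])}")
        for f in ev.get("findings") or []:
            overdue = date.fromisoformat(f["due_date"]) < as_of   # assumed date comparison
            if not f.get("has_exempt") or overdue:                 # assumed exemption rule
                blocking[asset].append(
                    f"{etype}: finding {f['id']} severity={f['severity']} "
                    f"{'OVERDUE ' if overdue else ''}status={f['found_status']}")
    return {"as_of": as_of.isoformat(), "blocking": dict(blocking), "approvable": not blocking}


def _ev(ev_id, etype, when, result, asset, findings=None):
    """Constructed v2 evidence record carrying only the fields this example reads."""
    return {"version": "2", "id": ev_id, "date": when, "evidence_type_id": etype,
            "evidence_type_version": "1.0.0", "origin": {"scope": "11" * 32},
            "details": {"result": result, "tool": "constructed"},
            "assets": [{"hash": asset, "uri": "docker://example.test/app", "url": ""}],
            "issues": [], "findings": findings or []}


IMAGE = "cd" * 32  # constructed asset hash
# Constructed summary: an older failing scan superseded by a newer passing one with an
# exempted finding, plus a unit-test failure that is still the latest of its type.
SAMPLE_SUMMARY = {
    "version": "2.0", "date": "2024-05-01T12:00:00Z",
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/constructed::",
    "pipeline_id": "constructed-pipeline", "pipeline_run_id": "constructed-run",
    "evidences": [
        _ev("a1" * 32, "com.ibm.code_vulnerability_scan", "2024-04-01T09:00:00Z", "failure", IMAGE,
            [{"id": "finding-1", "url": "", "due_date": "2024-04-20", "severity": "medium",
              "has_exempt": False, "found_status": "new"}]),
        _ev("a2" * 32, "com.ibm.code_vulnerability_scan", "2024-04-30T09:00:00Z", "success", IMAGE,
            [{"id": "finding-2", "url": "", "due_date": "2024-06-01", "severity": "low",
              "has_exempt": True, "found_status": "existing"}]),
        _ev("a3" * 32, "com.ibm.unit_tests", "2024-04-30T10:00:00Z", "failure", IMAGE),
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(review_summary(SAMPLE_SUMMARY), indent=2))
```

Keying on the asset hash rather than on pipeline_run_id is what makes this work across several CI runs: the superseded scan from the earlier run drops out, while an exemption that has expired resurfaces as overdue when the same summary is re-evaluated later.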

Evidence v1 (legacy format)

Evidence locker v1

Evidence and related artifacts, such as logs and test results, are stored in evidence lockers. Because pipelines can easily be deleted, they are considered non-durable storage. To allow a retention policy and an audit log to be established, compliance-related evidence data is stored in lockers.

Git Repos and Issue Tracking

Although it lacks the data retention features of Cloud Object Storage, Git is a simple implementation of an evidence locker.

The folder and file structure of the Git evidence locker is similar to the Cloud Object Storage implementation:

/raw
├── ci
│   ├── _PIPELINE_RUN_ID_A1
│   ├── _PIPELINE_RUN_ID_A2
│   ├── ..
│   └── _PIPELINE_RUN_ID_An
│       ├── artifacts
│       └── evidences
└── cd
    ├── _PIPELINE_RUN_ID_B1
    ├── _PIPELINE_RUN_ID_B2
    ├── ..
    └── _PIPELINE_RUN_ID_Bn
        ├── artifacts
        └── evidences

IBM Cloud Object Storage

For more information about Object Storage buckets, see Using IBM Cloud Object Storage buckets as an evidence locker.

Evidence collection v1

v1 evidence collection is the legacy evidence collection. To opt out of v1 evidence collection, see Disabling legacy v1 evidence collection.

Following the DevOps lifecycle, the continuous integration and continuous deployment flows can be divided into three stages: code, build, and deploy.

The DevOps architecture divides these flows into four stages by distinguishing pre-production deployment from production deployment. Currently, the DevSecOps reference architecture includes pre-production deployment and production deployment in the same stage.

Evidence is collected from the collect-evidence script steps of each stage. The following image shows the current steps in the reference pipelines that produce evidence.

Image: Evidence collection

Code stage

During the Code stage, evidence is collected for the following sub-steps:

  • Secret detection
  • Unit test results
  • Code vulnerability scan, CIS check, and bill of materials (BOM) check by using Code Risk Analyzer

Build stage

During the Build stage, evidence is collected for the following sub-steps:

  • Vulnerability Advisor scan
  • Image signing

Deploy stage

During the Deploy stage, evidence is collected for the following sub-steps:

  • Change request creation
  • Change request approval
  • Service-specific tests
  • Acceptance tests
  • Change request closure

Evidence format v1

The Evidence type represents the evidence schema. The schema uses TypeScript syntax, but you can convert it to a JSON schema.

interface Evidence {
  evidence_type_id: string;      // name of the evidence
  evidence_type_version: string; // version of the evidence schema
  date: string;                  // ISO-8601, UTC
  toolchain_crn: string;
  pipeline_id: string;
  pipeline_run_id: string;
  result: 'success' | 'failure';
  issues: string[];              // list of issues that were opened to track 'failed' state
  log: Artifact[];               // logs related to the evidence
  subject: string;               // asset url for the evidence
  subjects: string[];            // a piece of evidence can be relevant for multiple assets (as in v2)
  artifacts: Artifact[];         // additional artifacts related to the evidence
  tool?: string;                 // the tool related to the evidence (optional)

  origin?: {
    url: string;     // origin of the evidence, e.g. the GitHub path where the task resides
    version: string; // version of the task, e.g. the git commit representing the code level used for that task
  }

  [key: string]: any;            // additional fields, described by `evidence_type_id` and `evidence_type_version`
}

interface Artifact {
  url: string;
  hash: string;
}

Some of the schema fields are specific to toolchains and Tekton pipelines:

toolchain_crn: string;
pipeline_id: string;
pipeline_run_id: string;

These fields identify the specific continuous integration or continuous deployment task that produced the evidence. They can also carry information from any continuous integration or continuous deployment task, as long as it serves the same purpose. These fields identify the scope, from widest to narrowest, in the following order: toolchain_crn -> pipeline_id -> pipeline_run_id.

This schema is saved in the evidence locker in JSON format. The format of the evidence that is collected in the various pipeline stages does not differ. Currently, the path under which the evidence is saved indicates the pipeline stage, such as continuous integration or continuous deployment.

Example

{
  "evidence_type_id": "com.ibm.dynamic_scan",
  "evidence_type_version": "1.0.0",
  "date": "2022-04-01T09:00:59.703Z",
  "result": "failure",
  "pipeline_id": "f9ab90d6-31a8-4b02-99b7-d2055ef0ee3c",
  "pipeline_run_id": "9f93b02d-dbb3-4249-96e3-0739c6201779",
  "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/40111714589c4f7099032529b26a7a63:2618d2b8-0531-4778-9b13-9ef1a40afe29::",
  "log": [
    {
      "hash": null,
      "url": "https://cloud.ibm.com/devops/pipelines/tekton/f9ab90d6-31a8-4b02-99b7-d2055ef0ee3c/runs/9f93b02d-dbb3-4249-96e3-0739c6201779?env_id=ibm:yp:us-south"
    }
  ],
  "subject": "docker://us.icr.io/cocoa-e2e/hello-compliance-app-test:20220401083914-master-76c13d7e9fe67379f04319c8e8095b1cc623acae@sha256:090ab641c5371e48cf263119162140e3c925b8041e0220f1397528da2828a30d",
  "subjects": [
    "docker://us.icr.io/cocoa-e2e/hello-compliance-app-test:20220401083914-master-76c13d7e9fe67379f04319c8e8095b1cc623acae@sha256:090ab641c5371e48cf263119162140e3c925b8041e0220f1397528da2828a30d"
  ],
  "artifacts": [
    {
      "hash": "4e2cf12ffdf5438666be334106302f3e40cd0152ee1f26002cbc8bbcb5470796",
      "url": "https://github.ibm.com/cocoa-test/e2e-compliance-evidence-locker-20220331113709516/blob/master/raw/attachments/4e/2cf12ffdf5438666be334106302f3e40cd0152ee1f26002cbc8bbcb5470796/content"
    }
  ],
  "issues": [
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220331113709516/issues/6",
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220331113709516/issues/7",
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220331113709516/issues/8"
  ],
  "tool": "owasp-zap-ui"
}

evidence_collection_subject is the repository URL (repository_url) for a repository scan and the Artifactory URL (artifactory_url) for an image scan.
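In a v1 locker the run ID is the storage key, so answering "what was recorded about this image?" means walking every raw/ci and raw/cd run and matching subject or subjects; this is the lookup that v2 inverts by indexing on the asset. The following is an added example, not IBM's tooling, that performs that scan over the Git locker layout shown above, cross-checks each record's pipeline_run_id against the directory it was found in, and groups the hits by the scope order given above (toolchain_crn, then pipeline_id, then pipeline_run_id). One assumption beyond the page: each evidence record is a separate .json file under <run>/evidences/ with a free-form name. The locker contents are constructed; only the evidence_type_id values are taken from this page.

```python
"""Locate v1 evidence for one asset in a run-keyed locker (added example)."""
import json
import os
import tempfile
from collections import defaultdict

SCOPE_FIELDS = ("toolchain_crn", "pipeline_id", "pipeline_run_id")  # widest to narrowest


def v1_evidence_files(root: str):
    """Yield (stage, run_id, path) for every evidence file under raw/ci and raw/cd."""
    for stage in ("ci", "cd"):
        stage_dir = os.path.join(root, "raw", stage)
        if not os.path.isdir(stage_dir):
            continue
        for run_id in sorted(os.listdir(stage_dir)):
            ev_dir = os.path.join(stage_dir, run_id, "evidences")
            if os.path.isdir(ev_dir):
                for name in sorted(os.listdir(ev_dir)):
                    if name.endswith(".json"):          # assumed: one JSON file per record
                        yield stage, run_id, os.path.join(ev_dir, name)


def subjects_of(ev: dict) -> set:
    """v1 records carry 'subject' and, for multi-asset evidence, 'subjects'."""
    subs = set(ev.get("subjects") or [])
    if ev.get("subject"):
        subs.add(ev["subject"])
    return subs


def evidence_for_subject(root: str, subject: str) -> list:
    hits = []
    for stage, run_id, path in v1_evidence_files(root):
        with open(path) as fh:
            ev = json.load(fh)
        if subject in subjects_of(ev):
            # A record filed under one run but claiming another is a locker inconsistency.
            if ev.get("pipeline_run_id") != run_id:
                raise ValueError(f"{path}: pipeline_run_id {ev.get('pipeline_run_id')} != directory {run_id}")
            hits.append((stage, run_id, ev))
    return hits


def scope_tree(records: list) -> dict:
    """toolchain_crn -> pipeline_id -> pipeline_run_id -> [evidence_type_id, ...]"""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for _, _, ev in records:
        crn, pid, run = (ev[f] for f in SCOPE_FIELDS)
        tree[crn][pid][run].append(ev["evidence_type_id"])
    return json.loads(json.dumps(tree))  # plain nested dicts


def _write(root: str, stage: str, run_id: str, name: str, ev: dict) -> None:
    d = os.path.join(root, "raw", stage, run_id, "evidences")
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, name), "w") as fh:
        json.dump(ev, fh)


def build_sample_locker() -> str:
    """Constructed v1 locker: two CI runs and one CD run covering two different images."""
    root = tempfile.mkdtemp(prefix="v1-locker-")
    crn = "crn:v1:bluemix:public:toolchain:us-south:a/constructed::"
    img_a = "docker://example.test/app@sha256:aaaa"
    img_b = "docker://example.test/app@sha256:bbbb"
    base = {"evidence_type_version": "1.0.0", "date": "2024-01-01T00:00:00Z",
            "toolchain_crn": crn, "issues": [], "log": [], "artifacts": []}
    _write(root, "ci", "run-1", "scan.json", dict(base, evidence_type_id="com.ibm.code_vulnerability_scan",
           pipeline_id="ci-pipe", pipeline_run_id="run-1", result="success", subject=img_a, subjects=[img_a]))
    _write(root, "ci", "run-2", "scan.json", dict(base, evidence_type_id="com.ibm.code_vulnerability_scan",
           pipeline_id="ci-pipe", pipeline_run_id="run-2", result="failure", subject=img_b, subjects=[img_b]))
    _write(root, "cd", "run-3", "dyn.json", dict(base, evidence_type_id="com.ibm.dynamic_scan",
           pipeline_id="cd-pipe", pipeline_run_id="run-3", result="success", subject=img_a, subjects=[img_a]))
    return root


if __name__ == "__main__":
    root = build_sample_locker()
    hits = evidence_for_subject(root, "docker://example.test/app@sha256:aaaa")
    print(json.dumps(scope_tree(hits), indent=2))
```

The cost of this scan grows with the number of runs retained in the locker, which is the practical reason the v2 layout links evidence under the asset it describes.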

Evidence summary v1

The DevSecOps pipeline creates an evidence summary document. This document is based on the evidence that is created during each of the continuous integration builds that deploy an image, and on the evidence that is created during the deployment itself. The summary is created for the change request that is required to deploy any stage; it is also used by the Security and Compliance Center integration.

The format and fields of the evidence summary are specified by using TypeScript syntax:

interface Summary {
  version: '1.0';                // schema version
  date: string;                  // ISO-8601, UTC, ie. YYYY-MM-DDThh:mm:ssZ
  toolchain_crn: string;         // CRN of the toolchain that generated the summary
  pipeline_id: string;           // ID of the pipeline that generated the summary
  pipeline_run_id: string;       // ID of the pipeline run that generated the summary
  evidences: Evidence[];
}

Example

{
  "date": "2020-05-06T12:00:00Z", // ISO-8601, UTC, as required by the Summary schema
  "version": "1.0",
  "pipeline_run_id": 12345, // this is the id of the CD pipeline that deploys in prod, not all data below may come from this pipeline
  "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
  // In each subsection result and evidence_type_id are MANDATORY
  "evidences": [{
    // com.ibm is needed to identify evidence collected with IBM code and not by someone else;
    // Partial: CM-3(6)     CONFIGURATION CHANGE CONTROL | CRYPTOGRAPHY MANAGEMENT
    // The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards]
    // are under configuration management.
    // Control result is "passed" if:
    // 1- the script is one of the blessed ones AND
    // 2- the status is enabled OR
    // 3- the status is disabled
    // if the status is not the expected one, then it's a FAIL no matter what. Later on, lack of issues may prevent CR approval though.
    "evidence_type_id": "com.ibm.detect_secret",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed" | "failed"], // status of the check
    "status": ["enabled"|"disabled"], // status of the configuration
    "issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated if result is failed)
      "https://acme.org/foo/123",
      "https://acme.org/foo/124",
      "https://acme.org/foo/125",
    ],
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "repository_url": "https://git.acme.org/acme-repo",
    "repository_revision": "asz33dkejkkjdkkl34",
    "repository_branch": "master",
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, { // there could be multiple repos
    "evidence_type_id": "com.ibm.detect_secret",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed" | "failed"], // status of the check
    "status": ["enabled"|"disabled"], // status of the configuration
    "issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
      "https://acme.org/foo/123",
      "https://acme.org/foo/124",
      "https://acme.org/foo/125",
    ],
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    // SA-11(4)     DEVELOPER SECURITY TESTING AND EVALUATION | MANUAL CODE REVIEWS
    // The organization requires the developer of the information system, system component, or information system service to perform a
    // manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques].
    // Partial: CM-3(b) Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration
    // for security impact analyses;
    // Control passed if:
    // 1- the script is one of the blessed ones AND
    // 2- the status is enabled OR
    // 3- the status is disabled AND issues have been opened AND prod CR approved manually
    "evidence_type_id": "com.ibm.code_review",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed" | "failed"], // status of the check
    "status": ["enabled"|"disabled"], // status of the configuration
    "issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
      "https://acme.org/foo/123",
      "https://acme.org/foo/124",
      "https://acme.org/foo/125",
    ],
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, { // multiple repos
    "evidence_type_id": "com.ibm.code_review",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed" | "failed"], // status of the check
    "status": ["enabled"|"disabled"], // status of the configuration
    "issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
      "https://acme.org/foo/123",
      "https://acme.org/foo/124",
      "https://acme.org/foo/125",
    ],
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    // Partial: CM-10(1)     SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE
    //The organization establishes the following restrictions on the use of open source software:
    // [Assignment: organization-defined restrictions].
    // Control passed if:
    // 1- the script is one of the blessed ones AND
    // 2- the status is enabled OR
    // 3- the status is disabled AND issues have been opened and there are no issues expired AND prod CR approved manually
    "evidence_type_id": "com.ibm.ossc_scan",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed" | "failed"], // status of the check
    "status": ["enabled"|"disabled"], // status of the configuration
    "issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
      "https://acme.org/foo/123",
      "https://acme.org/foo/124",
      "https://acme.org/foo/125",
    ],
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, { // multiple repos
    "evidence_type_id": "com.ibm.ossc_scan",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed" | "failed"], // status of the check
    "status": ["enabled"|"disabled"], // status of the configuration
    "issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
      "https://acme.org/foo/123",
      "https://acme.org/foo/124",
      "https://acme.org/foo/125",
    ],
    "expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    // Partial: CM-3(2)     CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES
    // The organization tests, validates, and documents changes to the information system
    // before implementing the changes on the operational system.
    // Partial: SA-11(b). Perform [Selection (one or more): unit; integration; system; regression]
    // testing/evaluation at [Assignment: organization-defined depth and coverage];
    // Control passed if:
    // 1- the script is one of the blessed ones AND
    // 2- the status is enabled OR
    // 3- the status is disabled AND issues have been opened AND prod CR approved manually
    "evidence_type_id": "com.ibm.unit_test_config",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "script_control_hash": "jhfkdusd", // this is the hash of the script used to run the control
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed" | "failed"], // status of the check
    "status": ["enabled"|"disabled"], // status of the configuration
    "issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
      "https://acme.org/foo/123",
      "https://acme.org/foo/124",
      "https://acme.org/foo/125",
    ],
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, { // multiple repos
    "evidence_type_id": "com.ibm.unit_test_config",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed" | "failed"], // status of the check
    "status": ["enabled"|"disabled"], // status of the configuration
    "issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
      "https://acme.org/foo/123",
      "https://acme.org/foo/124",
      "https://acme.org/foo/125",
    ],
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    // Partial: CM-3(2)     CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES
    // The organization tests, validates, and documents changes to the information system
    // before implementing the changes on the operational system.
    // Partial: SA-11(b). Perform [Selection (one or more): unit; integration; system; regression]
    // testing/evaluation at [Assignment: organization-defined depth and coverage];
    // SI-7(9)     SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | VERIFY BOOT PROCESS
    // The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].
    // Control passed if (1) AND ((2) OR (3)):
    // 1- the script is one of the blessed ones
    // 2- the result is passed
    // 3- the result is failed AND issues have been opened AND the prod CR is approved manually
    "evidence_type_id": "com.ibm.unit_test",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed"|"failed"], // the result of the test
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.unit_test",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed"|"failed"], // the result of the test
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "issues": [334,152,542], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.functional_test",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed"|"failed"], // the result of the test
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.functional_test",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed"|"failed"], // the result of the test
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.integration_tests",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed"|"failed"], // the result of the test
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.integration_tests",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed"|"failed"], // the result of the test
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.acceptance_tests",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed"|"failed"], // the result of the test
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "issues": [134,132,342],// link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.acceptance_tests",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed"|"failed"], // the result of the test
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "issues": [134,132,342],// link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    // Partial: CM-10(1)     SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE
    // The organization establishes the following restrictions on the use of open source software:
    // [Assignment: organization-defined restrictions].
    // Control passed if (1) AND ((2) OR (3)):
    // 1- the script is one of the blessed ones
    // 2- the result is passed
    // 3- the result is failed AND issues have been opened AND no issue has an expired grace period AND the prod CR is approved manually
    "evidence_type_id": "com.ibm.ossc",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "last_scan_date": "24-03-2020 UTC", // the last time the scan was run
    "result": ["passed"|"failed"], // the result of the scan
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
    "issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.ossc",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "last_scan_date": "24-03-2020 UTC", // the last time the scan was run
    "result": ["passed"|"failed"], // the result of the scan
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
    "issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    // Partial: RA-5(a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined
    // frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting
    // the system/applications are identified and reported;
    // Partial: RA-5(b). Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts
    // of the vulnerability management process by using standards for:..*
    // SA-11(1) DEVELOPER SECURITY TESTING AND EVALUATION | STATIC CODE ANALYSIS
    // The organization requires the developer of the information system, system component, or information system service to employ static code
    // analysis tools to identify common flaws and document the results of the analysis.
    // Control passed if (1) AND ((2) OR (3)):
    // 1- the script is one of the blessed ones
    // 2- the result is passed
    // 3- the result is failed AND issues have been opened AND no issue has an expired grace period AND the prod CR is approved manually
    "evidence_type_id": "com.ibm.static_scan",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "last_scan_date": "24-03-2020 UTC", // the last time the scan was run
    "result": ["passed"|"failed"], // the result of the scan
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
    "issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.static_scan",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "last_scan_date": "24-03-2020 UTC", // the last time the scan was run
    "result": ["passed"|"failed"], // the result of the scan
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
    "issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    // Partial CM-4(1)     SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS
    // The organization analyzes changes to the information system in a separate test environment before implementation in an operational
    // environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
    // Partial: RA-5(a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined
    // frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting
    // the system/applications are identified and reported;
    // Partial: RA-5(b). Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts
    // of the vulnerability management process by using standards for:..*
    // SA-11(8) DEVELOPER SECURITY TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS
    // The organization requires the developer of the information system, system component, or information system service to employ dynamic code
    // analysis tools to identify common flaws and document the results of the analysis.
    // Control passed if (1) AND ((2) OR (3)):
    // 1- the script is one of the blessed ones
    // 2- the result is passed
    // 3- the result is failed AND issues have been opened AND no issue has an expired grace period AND the prod CR is approved manually
    "evidence_type_id": "com.ibm.dynamic",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "last_scan_date": "24-03-2020 UTC", // the last time the scan was run
    "result": ["passed"|"failed"], // the result of the scan
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
    "issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.dynamic",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "last_scan_date": "24-03-2020 UTC", // the last time the scan was run
    "result": ["passed"|"failed"], // the result of the scan
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
    "issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    // Partial: RA-5(a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined
    // frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting
    // the system/applications are identified and reported;
    // Partial: RA-5(b). Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts
    // of the vulnerability management process by using standards for:..*
    // Control passed if (1) AND ((2) OR (3)):
    // 1- the script is one of the blessed ones
    // 2- the result is passed
    // 3- the result is failed AND issues have been opened AND no issue has an expired grace period AND the prod CR is approved manually
    "evidence_type_id": "com.ibm.vulnerability_scan",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed"|"failed"], // the result of the scan
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
    "issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.vulnerability_scan",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "result": ["passed"|"failed"], // the result of the scan
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
    "issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
    "required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    // build input
    // Partial: SI-7(12)     SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY VERIFICATION
    // The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior
    // to execution.
    // Integrity control passed if (1) AND ((2) OR (3)):
    // 1- the script is one of the blessed ones
    // 2- the checksum is verified
    // 3- the checksum is not verified AND issues have been opened AND the prod CR is approved manually
    // Partial: RA-5(a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined
    // frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting
    // the system/applications are identified and reported;
    // Partial: RA-5(b). Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts
    // of the vulnerability management process by using standards for:..*
    // Scan control passed if (1) AND ((2) OR (3)):
    // 1- the script is one of the blessed ones
    // 2- the scan status is passed
    // 3- the scan status is failed AND issues have been opened AND no issue has an expired grace period AND the prod CR is approved manually
    "evidence_type_id": "com.ibm.container_images",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of task run
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "artifact_name": "mybaseimage", // name of the dependent artifact
    "checksum": "324334", // checksum or digital signature of the artifact
    "verified": ["yes"|"no"], // whether the checksum was verified
    "scan_status": ["passed"|"failed"], // the result of the scan
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "checksum_issues": [134, 132, 342 ], // link(s) to the issues representing missing or not matching checksums
    "scan_issues": [123, 342, 453], // link(s) to the issues found by the scan (X-Ray)
    "expired_issues": [134, 132, 342], // link(s) to the issues for which the grace period expired
    "required": [ "yes"|"no"] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.container_images",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of the scan
    "origin": {
       "url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
       "version": "423792" // commit id representing the task version used to produce the evidence
    }
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
    "artifact_name": "mybaseimage", //name of the dependent artifact
    "checksum": "324334", // checksum or digital isgnature
    "verified": ["yes"|"no"], // checksum verified or not
    "scan_status": ["passed"|"failed"], // the scan of the status
    "log": {
      "url": "https://acme.org/log.txt", // the link to where the actual log of the test is
      "hash": "abc123", // the hash of the log file
    },
    "checksum_issues": [134, 132, 342 ], // link(s) to the issues representing missing or not matching checksums
    "scan_issues": [123, 342, 453], // link(s) to the issues found by the scan (X-Ray)
    "expired_issues": [134, 132, 342], // link(s) to the issues for which the grace period expired
    "required": [ "yes"|"no"] // yes: this is an auditable step; no: this is a non auditable step
  }, {
    "evidence_type_id": "com.ibm.packages",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of the task run
    "origin": {
       "url": "https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task definition is taken from
       "version": "423792" // commit id of the task version used to produce the evidence
    },
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // id of the pipeline run that generated this piece of evidence
    "artifact_name": "mydependentpackage", // name of the dependent artifact
    "checksum": "324334", // checksum or digital signature of the artifact
    "verified": ["yes"|"no"], // whether the checksum was verified
    "scan_status": ["passed"|"failed"], // result of the vulnerability scan
    "log": {
      "url": "https://acme.org/log.txt", // link to the actual log of the task
      "hash": "abc123" // hash of the log file, so that the stored log can later be checked against the evidence
    },
    "checksum_issues": [134, 132, 342], // link(s) to the issues opened for missing or mismatching checksums
    "scan_issues": [123, 342, 453], // link(s) to the issues opened for the findings of the scan (X-Ray)
    "expired_issues": [134, 132, 342], // link(s) to the issues whose grace period has expired
    "required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non-auditable step
  }, {
    "evidence_type_id": "com.ibm.packages",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of the task run
    "origin": {
       "url": "https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task definition is taken from
       "version": "423792" // commit id of the task version used to produce the evidence
    },
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // id of the pipeline run that generated this piece of evidence
    "artifact_name": "mydependentpackage", // name of the dependent artifact
    "checksum": "324334", // checksum or digital signature of the artifact
    "verified": ["yes"|"no"], // whether the checksum was verified
    "scan_status": ["passed"|"failed"], // result of the vulnerability scan
    "log": {
      "url": "https://acme.org/log.txt", // link to the actual log of the task
      "hash": "abc123" // hash of the log file, so that the stored log can later be checked against the evidence
    },
    "checksum_issues": [134, 132, 342], // link(s) to the issues opened for missing or mismatching checksums
    "scan_issues": [123, 342, 453], // link(s) to the issues opened for the findings of the scan (X-Ray)
    "expired_issues": [134, 132, 342], // link(s) to the issues whose grace period has expired
    "required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non-auditable step
    // there could be other artifacts that serve as build input, each producing its own entry
  }, {
    // build output: images or config files, calico policies...
    // Partial: CM-5(3)     ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS
    // The information system prevents the installation of [Assignment: organization-defined software and firmware components]
    // without verification that the component has been digitally signed using a certificate that is recognized and approved by
    // the organization.
    // Partial: SI-7(6)     SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CRYPTOGRAPHIC PROTECTION
    // The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
    // Partial: SI-7(15)     SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION
    // The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.
    // Control passed if 1 AND (2 OR 3):
    // 1- the script is one of the blessed ones AND
    // 2- the signature is verified OR
    // 3- the signature is not verified AND issues have been opened AND the prod CR was approved manually
    "evidence_type_id": "com.ibm.images_signature",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of the task run
    "origin": {
       "url": "https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task definition is taken from
       "version": "423792" // commit id of the task version used to produce the evidence
    },
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // id of the pipeline run that generated this piece of evidence
    "name": "dhksd", // the name of the image
    "checksum": "2342342", // the digital signature of the image
    "verified": ["yes"|"no"], // whether the signature was verified
    "issues": [134, 132, 343], // link(s) to the issues opened for missing or unverifiable signatures
    "required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non-auditable step
  }, {
    "evidence_type_id": "com.ibm.images_signature",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of the task run
    "origin": {
       "url": "https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task definition is taken from
       "version": "423792" // commit id of the task version used to produce the evidence
    },
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // id of the pipeline run that generated this piece of evidence
    "name": "dhksd", // the name of the image
    "checksum": "2342342", // the digital signature of the image
    "verified": ["yes"|"no"], // whether the signature was verified
    "issues": [134, 132, 343], // link(s) to the issues opened for missing or unverifiable signatures
    "required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non-auditable step
  }, {
    "evidence_type_id": "com.ibm.files_signature",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of the task run
    "origin": {
       "url": "https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task definition is taken from
       "version": "423792" // commit id of the task version used to produce the evidence
    },
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // id of the pipeline run that generated this piece of evidence
    "name": "dhksd", // the name of the file
    "checksum": "2342342", // the digital signature of the file
    "verified": ["yes"|"no"], // whether the signature was verified
    "issues": [134, 132, 343], // link(s) to the issues opened for missing or unverifiable signatures
    "required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non-auditable step
  }, {
    "evidence_type_id": "com.ibm.files_signature",
    "version": "1.0.0",
    "date": "2020-05-06T12:00:00Z", // date of the task run
    "origin": {
       "url": "https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task definition is taken from
       "version": "423792" // commit id of the task version used to produce the evidence
    },
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // id of the pipeline run that generated this piece of evidence
    "name": "dhksd", // the name of the file
    "checksum": "2342342", // the digital signature of the file
    "verified": ["yes"|"no"], // whether the signature was verified
    "issues": [134, 132, 343], // link(s) to the issues opened for missing or unverifiable signatures
    "required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non-auditable step
  }, {
    // Partial: CM-2(1)(c)     BASELINE CONFIGURATION | REVIEWS AND UPDATES
    // As an integral part of information system component installations and upgrades.
    // Partial: CM-2(2)     BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
    // The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline
    // configuration of the information system.
    // CM-2(6)     BASELINE CONFIGURATION | DEVELOPMENT AND TEST ENVIRONMENTS
    // The organization maintains a baseline configuration for information system development and test environments that is managed
    // separately from the operational baseline configuration.
    // CM-3(1)(a)     CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
    // The organization employs automated mechanisms to: Document proposed changes to the information system;
    // CM-3(1)(e)     CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
    // The organization employs automated mechanisms to: Document all changes to the information system;
    // Control passed if:
    // 1- the CR lists the baseline changes in its change log AND
    // 2- the CR contains a link to the to-be baseline
    // CM-3(2)     CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES
    // The organization tests, validates, and documents changes to the information system before implementing the changes on
    // the operational system.
    // Control passed if:
    // 1- the CR lists the baseline changes in its change log AND
    // 2- the CR contains the test results and the issues opened while testing
    "evidence_type_id": "com.ibm.preprod_change_request",
    "version": "1.0.0",
    "result": ["passed"|"failed"], // passed if the CR was auto-approved or approved, failed otherwise
    "date": "2020-05-06T12:00:00Z", // date of the task run
    "origin": {
       "url": "https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task definition is taken from
       "version": "423792" // commit id of the task version used to produce the evidence
    },
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // id of the pipeline run that generated this piece of evidence
    "id": "https://change_tool/1213", // link to the preproduction change request, on the same baseline as the production one
    "status": ["auto-approved", "approved", "rejected"], // status of the change request
    "approvers": ["name1","name2", ..., "nameN"], // names of the approvers
    "required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non-auditable step
  }, {
    // Partial: CM-2(1)(c)     BASELINE CONFIGURATION | REVIEWS AND UPDATES
    // As an integral part of information system component installations and upgrades.
    // Partial: CM-2(2)     BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
    // The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline
    // configuration of the information system.
    // CM-2(6)     BASELINE CONFIGURATION | DEVELOPMENT AND TEST ENVIRONMENTS
    // The organization maintains a baseline configuration for information system development and test environments that is managed
    // separately from the operational baseline configuration.
    // CM-3(1)(a)     CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
    // The organization employs automated mechanisms to: Document proposed changes to the information system;
    // CM-3(1)(e)     CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
    // The organization employs automated mechanisms to: Document all changes to the information system;
    // Control passed if:
    // 1- the CR lists the baseline changes in its change log AND
    // 2- the CR contains a link to the to-be baseline
    // CM-3(2)     CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES
    // The organization tests, validates, and documents changes to the information system before implementing the changes on
    // the operational system.
    // Control passed if:
    // 1- the CR lists the baseline changes in its change log AND
    // 2- the CR contains the test results and the issues opened while testing
    // CM-3(b) Reviews proposed configuration-controlled changes to the information system and approves or disapproves
    // such changes with explicit consideration for security impact analyses;
    // CM-3(c) Documents configuration change decisions associated with the information system;
    // CM-3(d) Implements approved configuration-controlled changes to the information system;
    // CM-3(1)(d) Prohibit changes to the information system until designated approvals are received;
    // Control passed if:
    // 1- the CR contains links to the approval records
    // CM-3(1)(c) Highlight proposed changes to the information system that have not been approved or disapproved by
    // [Assignment: organization-defined time period];
    // Control passed if:
    // 1- if rejected, the CR contains links to the denial records
    // CM-3(4)     CONFIGURATION CHANGE CONTROL | SECURITY REPRESENTATIVE
    // The organization requires an information security representative to be a member of the [Assignment: organization-defined
    // configuration change control element].
    // Control passed if:
    // 1- one of the security scans failed AND
    // 2- manual approval has been requested AND
    // 3- there are at least two approvers AND
    // 4- one of the approvers is the security focal
    "evidence_type_id": "com.ibm.prod_change_request",
    "version": "1.0.0",
    "result": ["passed"|"failed"], // passed if the CR was auto-approved or approved, failed otherwise
    "date": "2020-05-06T12:00:00Z", // date of the task run
    "origin": {
       "url": "https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task definition is taken from
       "version": "423792" // commit id of the task version used to produce the evidence
    },
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // id of the pipeline that generated this piece of evidence
    "pipeline_run_id": 12345, // id of the pipeline run that generated this piece of evidence
    "id": "https://change_tool/1213", // link to the production change request
    "status": ["auto-approved", "approved", "rejected"], // status of the change request
    "approvers": ["name1","name2", ..., "nameN"], // names of the approvers
    "required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non-auditable step
  }]
}