Policy Evaluation

framework: soc2_type1
controls:
  - CC6.1
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos:
      - acme/backend
bundle:
  signing:
    private_key_path: ~/.evidence/keys/private.pem

framework: invalid_framework  # Not recognized
controls: []  # At least one control required
sources:
  github:
    # Missing required fields

Configuration validation failed:
  - framework: must be one of [soc2_type1, soc2_type2]
  - controls: must contain at least one control
  - sources.github.token_env: required field missing
  - sources.github.org: required field missing
  - sources.github.repos: required field missing

Validating GitHub credentials...
  → Testing authentication
  → Checking token scopes
  ✓ Token valid
  ✓ Scopes: repo:read, read:org

Validating AWS credentials...
  → Testing STS GetCallerIdentity
  → Checking IAM permissions
  ✓ Credentials valid
  ✓ Account: 123456789012

Validating Google Workspace credentials...
  → Testing service account
  → Checking domain-wide delegation
  ✓ Service account valid
  ✓ Scopes authorized

✗ Validation failed

Error: GitHub token has insufficient scopes
Required: repo:read, read:org
Actual: public_repo

Update token scopes and try again.

Validating signing key...
  → Checking file exists
  → Verifying key format
  → Testing key permissions
  ✓ Private key valid (Ed25519)
  ✓ File permissions: 600 (secure)

✗ Signing key validation failed

Error: Private key file has insecure permissions (644)
Expected: 600 (owner read/write only)

Fix with: chmod 600 ~/.evidence/keys/private.pem

// SDK checks token scopes before use
const scopes = await getTokenScopes(token);

const forbidden = ['repo', 'admin:org', 'delete_repo', 'write:org'];
const hasForbidden = scopes.some(scope => forbidden.includes(scope));

if (hasForbidden) {
  throw new Error('Token has forbidden write scopes');
}

{
  "Effect": "Allow",
  "Action": [
    "iam:Get*",
    "iam:List*",
    "cloudtrail:Describe*",
    "cloudtrail:Get*",
    "logs:Describe*"
  ]
}

{
  "Effect": "Deny",
  "Action": [
    "iam:Create*",
    "iam:Delete*",
    "iam:Update*",
    "iam:Put*",
    "cloudtrail:Create*",
    "cloudtrail:Delete*",
    "logs:Create*",
    "logs:Delete*"
  ]
}

Collecting from GitHub...
  → Checking rate limit: 4,856 / 5,000 remaining
  → Fetching organization settings
  → Checking rate limit: 4,855 / 5,000 remaining
  → Fetching repository list
  ...

⚠ Rate limit approaching (98 remaining)
  Pausing collection...
  Rate limit resets at 2026-01-09T14:00:00Z (in 5 minutes)
  Waiting...

✓ Rate limit reset
  Resuming collection...

// SDK scans artifacts for forbidden patterns
const forbiddenPatterns = [
  /AKIA[0-9A-Z]{16}/,  // AWS access key
  /-----BEGIN (PRIVATE|RSA) KEY-----/,  // Private keys
  /ghp_[a-zA-Z0-9]{36}/,  // GitHub token
  /sk_live_[a-zA-Z0-9]+/,  // Stripe key
];

for (const artifact of artifacts) {
  for (const pattern of forbiddenPatterns) {
    if (pattern.test(artifact.content)) {
      throw new Error(`Forbidden content detected in ${artifact.filename}`);
    }
  }
}

✗ Collection failed

Error: Forbidden content detected
File: sources/github/commit_abc123.json
Pattern: AWS access key (AKIA...)

This indicates a configuration error or security issue.
evidence SDK never collects secrets or source code.

Validating bundle size...
  → Calculating total size
  → Total: 35.2 KB
  ✓ Within limit (50 MB)

✗ Bundle creation failed

Error: Bundle size (75.3 MB) exceeds maximum (50 MB)

Options:
  1. Increase limit: bundle.max_size_mb: 100
  2. Reduce scope: Limit repos or log groups
  3. Disable verbose manifest

Validating artifact count...
  → Total artifacts: 127
  ✓ Within limit (10,000)

✗ Collection failed

Error: Too many artifacts (12,456 > 10,000)

This usually indicates:
  - Wildcard repos: '*' matched too many repositories
  - Wildcard log groups: '*' matched too many log groups

Recommendation: Be more specific in source configuration

evidence collect --dry-run

Testing control coverage...

CC6.1 - Logical Access Controls
  ✓ GitHub: Org 2FA enforcement
  ✓ AWS: IAM password policy
  ✗ Google Workspace: 2SV enforcement (source not configured)

CC6.6 - Access Removal/Modification
  ✓ GitHub: CODEOWNERS file
  ✗ Google Workspace: Admin roles (source not configured)

CC7.2 - Change Management
  ✓ GitHub: Branch protection
  ✓ AWS: CloudTrail status
  ✓ AWS: CloudWatch retention

Control Coverage:
  - CC6.1: Partial (2/3 sources)
  - CC6.6: Partial (1/2 sources)
  - CC7.2: Complete (3/3 sources)

⚠ Warning: Some controls have partial coverage
  Recommendation: Configure google_workspace source for complete coverage

{
  "two_factor_requirement_enabled": true  // ✅ Must be true
}

{
  "MinimumPasswordLength": 14,  // ✅ Must be >= 12
  "RequireSymbols": true,        // ✅ Must be true
  "RequireNumbers": true,        // ✅ Must be true
  "RequireUppercaseCharacters": true,  // ✅ Must be true
  "RequireLowercaseCharacters": true   // ✅ Must be true
}

Evaluating CC6.1...
  ✓ GitHub 2FA: enabled
  ✓ AWS password length: 14 >= 12
  ✓ AWS password complexity: all requirements met

✓ CC6.1: Pass

{
  "required_pull_request_reviews": {
    "required_approving_review_count": 2  // ✅ Must be >= 1
  },
  "required_status_checks": {
    "strict": true,  // ✅ Must be true
    "contexts": ["ci/tests"]  // ✅ Must have at least one
  }
}

{
  "IsLogging": true,  // ✅ Must be true
  "LatestDeliveryAttemptSucceeded": "2026-01-09T12:30:00Z"  // ✅ Must be recent
}

Evaluating CC7.2...
  ✓ GitHub branch protection: 2 required reviewers
  ✓ GitHub status checks: enabled, 1 check required
  ✓ AWS CloudTrail: logging active
  ✓ AWS CloudTrail: last delivery 2 minutes ago

✓ CC7.2: Pass

# evidence.yaml
policy:
  rules:
    - name: require-codeowners
      control: CC6.6
      source: github
      condition: |
        artifacts['codeowners'].exists == true

    - name: minimum-reviewers
      control: CC7.2
      source: github
      condition: |
        artifacts['branch_protection'].required_approving_review_count >= 3

    - name: cloudtrail-encryption
      control: CC7.2
      source: aws
      condition: |
        artifacts['cloudtrail_config'].KmsKeyId != null

Evaluating custom policies...
  ✓ require-codeowners: Pass (23/25 repos)
  ✗ minimum-reviewers: Fail (12/25 repos have < 3 reviewers)
  ✓ cloudtrail-encryption: Pass

Custom Policy: Partial Pass (2/3 rules)

# evidence.yaml (development only!)
policy:
  bypass:
    - scope_validation  # Skip scope checks
    - size_validation   # Skip size limits
    - content_validation  # Skip forbidden content detection

⚠ WARNING: Policy bypass enabled

The following validations are disabled:
  - scope_validation
  - size_validation
  - content_validation

This is ONLY for debugging. Never use in production.
Bundles created with policy bypass may not be compliant.

{
  "timestamp": "2026-01-09T12:35:00Z",
  "event": "policy_evaluation",
  "stage": "pre_collection",
  "validations": [
    {
      "rule": "configuration_schema",
      "result": "pass"
    },
    {
      "rule": "github_token_scopes",
      "result": "pass",
      "scopes": ["repo:read", "read:org"]
    },
    {
      "rule": "signing_key_permissions",
      "result": "pass",
      "permissions": "600"
    }
  ]
}

# Test configuration and coverage
evidence collect --dry-run

# Review output for warnings
# Fix any issues before actual collection

⚠ Warning: Branch protection not configured for repository: acme/sandbox

# Validate configuration
evidence collect --dry-run

# Test actual collection (small scope first)
evidence collect

# Verify bundle
evidence verify evidence-bundle-*.tar.gz

✗ Configuration validation failed
  - sources.github.org: required field missing

✗ Forbidden content detected
File: sources/github/secrets.json
Pattern: AWS access key

⚠ CC6.1: Partial coverage (1/3 sources)