Tracking non-compliant components and services #455
prabhu started this conversation in Ideas, Proposals, RFCs
Replies: 1 comment
Reply: That's the exact process that I would follow.
Original post by prabhu:

When a project uses a component or a service that might be non-compliant or not approved, it is essential to capture a justification for the use. This would help track all exemptions and reasoning in the organization's risk registry for GRC.

Based on my limited understanding of 1.6, below are some ways to achieve this:

- `definitions.standards` to describe a compliance-as-code.
- `declarations.claims.reasoning` and `counterEvidence` could be used to mark the non-compliant components and services.
- `annotations.text` could be used for those organizations that do not have a codified definition for standards. However, an enum similar to `vulnerabilities.analysis.justification` would help with categorization.

Are there other implementation ideas worth exploring?
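To make the proposal above concrete, here is an added example (not code from the CycloneDX project or from the discussion participants) that walks a CycloneDX 1.6 BOM the way a GRC tool feeding a risk registry would: every claim carrying `counterEvidence` is treated as a non-compliance marker, its `target` is resolved to a component or service, the `attestations.map` entry is used to find which `definitions.standards` requirement it breaches, the evidence descriptions and any `annotations.text` on the target are pulled in, and a claim with no `reasoning` is reported as an exemption without a justification. The sample BOM, its bom-refs, component and service names and the policy text are all constructed for this example; field names follow my reading of the 1.6 JSON schema, so check them against the schema before relying on them.

```python
"""Build an exemption register from the declarations of a CycloneDX 1.6 BOM.

Added example, not CycloneDX project code. The BOM below is constructed;
field names follow my reading of the CycloneDX 1.6 JSON schema.
"""
import json
from typing import Any

# Constructed sample BOM: invented bom-refs, names and policy text.
SAMPLE_BOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "cmp-oldlib", "name": "oldlib", "version": "0.9.2"},
    ],
    "services": [
        {"bom-ref": "svc-geo", "name": "geo-lookup-api"},
    ],
    # definitions.standards: the organisation's policy as compliance-as-code
    "definitions": {
        "standards": [{
            "bom-ref": "std-oss-policy",
            "name": "Internal OSS and vendor usage policy",
            "version": "2024.1",
            "requirements": [
                {"bom-ref": "req-1", "identifier": "OSS-1",
                 "title": "Only components on the approved list may be used"},
                {"bom-ref": "req-2", "identifier": "OSS-2",
                 "title": "External services must be security-reviewed before use"},
            ],
        }],
    },
    "declarations": {
        "evidence": [
            {"bom-ref": "ev-1", "propertyName": "approved-list-check",
             "description": "oldlib 0.9.2 is absent from the approved list export"},
            {"bom-ref": "ev-2", "propertyName": "vendor-review",
             "description": "No security review on file for geo-lookup-api"},
        ],
        # claims with counterEvidence mark the non-compliant target;
        # reasoning carries the justification the post asks to capture
        "claims": [
            {"bom-ref": "claim-1", "target": "cmp-oldlib",
             "predicate": "oldlib is used although it is not on the approved list",
             "reasoning": "Required by the legacy build; replacement scheduled for Q3",
             "counterEvidence": ["ev-1"]},
            {"bom-ref": "claim-2", "target": "svc-geo",
             "predicate": "geo-lookup-api is called without a completed review",
             "counterEvidence": ["ev-2"]},  # no reasoning recorded: must be flagged
        ],
        # attestations.map ties each claim to the requirement it is assessed against
        "attestations": [{
            "summary": "Self-assessment against the OSS policy",
            "map": [
                {"requirement": "req-1", "counterClaims": ["claim-1"]},
                {"requirement": "req-2", "counterClaims": ["claim-2"]},
            ],
        }],
    },
    # annotations.text: free-form exemption note for organisations without codified standards
    "annotations": [
        {"bom-ref": "ann-1", "subjects": ["cmp-oldlib"],
         "annotator": {"individual": {"name": "GRC reviewer"}},
         "timestamp": "2024-05-01T00:00:00Z",
         "text": "Exemption EX-42 approved until 2024-09-30"},
    ],
}


def _index_by_ref(items: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Map bom-ref -> object for any list of BOM objects."""
    return {item["bom-ref"]: item for item in items if "bom-ref" in item}


def build_exemption_register(bom: dict[str, Any]) -> tuple[list[dict[str, Any]], list[str]]:
    """Return (register, missing): one register row per claim that carries
    counterEvidence, and the bom-refs of those rows that lack a reasoning."""
    decl = bom.get("declarations", {})
    targets = _index_by_ref(bom.get("components", []) + bom.get("services", []))
    evidence = _index_by_ref(decl.get("evidence", []))
    # requirement bom-ref -> (standard name, identifier, title)
    requirements: dict[str, tuple[str, str, str]] = {}
    for std in bom.get("definitions", {}).get("standards", []):
        for req in std.get("requirements", []):
            requirements[req["bom-ref"]] = (std["name"], req.get("identifier", ""), req.get("title", ""))
    # claim bom-ref -> requirement bom-ref, via the attestation map
    claim_to_req: dict[str, str] = {}
    for attestation in decl.get("attestations", []):
        for entry in attestation.get("map", []):
            for ref in entry.get("claims", []) + entry.get("counterClaims", []):
                claim_to_req[ref] = entry["requirement"]
    register, missing = [], []
    for claim in decl.get("claims", []):
        if not claim.get("counterEvidence"):
            continue  # nothing contradicts the claim: treat as compliant
        target_ref = claim.get("target")
        req = requirements.get(claim_to_req.get(claim["bom-ref"], ""))
        row = {
            "claim": claim["bom-ref"],
            "target": targets.get(target_ref, {}).get("name", target_ref),
            "standard": req[0] if req else None,
            "requirement": f"{req[1]} {req[2]}".strip() if req else None,
            "reasoning": claim.get("reasoning"),
            "counter_evidence": [evidence[e]["description"] for e in claim["counterEvidence"] if e in evidence],
            "annotations": [a["text"] for a in bom.get("annotations", []) if target_ref in a.get("subjects", [])],
        }
        register.append(row)
        if not row["reasoning"]:
            missing.append(claim["bom-ref"])
    return register, missing


if __name__ == "__main__":
    rows, without_reason = build_exemption_register(SAMPLE_BOM)
    print(json.dumps(rows, indent=2))
    print("claims lacking a justification:", without_reason)
```

Running the block prints two register rows and reports `claim-2` as the exemption that was declared without a reasoning, which is exactly the gap a GRC review would want surfaced rather than silently accepted.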