generated from coulomb/repo-seed
Add challenge and exclusion review handling
@@ -250,6 +250,33 @@ Expectation sets mark known posture as expected. Waiver sets mark approved,
time-bounded exceptions. Both are applied after findings are generated, and the
assessment package records policy summary counts.

## Challenges And Authority Exclusions

Assessment profiles may also reference challenge and exclusion sets:

```json
{
"challenges_ref": "profiles/challenges/example.json",
"exclusions_ref": "profiles/exclusions/example.json"
}
```

Challenge sets validate against `docs/schemas/challenge-set.schema.json`.
Exclusion sets validate against `docs/schemas/exclusion-set.schema.json`.
Records can match findings by requirement refs, check refs, evidence refs,
result refs, or classification refs. They also carry owner, review status,
rationale, authority source refs, review dates, optional expiry, native IDs,
and free-form metadata.

Use challenges when an extension author or assessment team believes a finding
needs review because a check is invalid, a native harness result is disputed, or
a mapping is wrong. Use exclusions when an authority or program explicitly
removes a requirement, check, or result from the assessment scope. The core
preserves these distinctions in findings, evidence review annotations,
assessment packages, reports, and retained summaries, but default gate semantics
still count the underlying finding as unexpected unless it is separately
expected or waived.

## Python Runner Contract

A Python runner receives one context object and returns one result object.

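Review bot: the new "Challenges And Authority Exclusions" section lists record fields including review status and an optional expiry, but never says how the default gate treats a record that has expired or whose review status is not yet approved; since the last paragraph already states that the underlying finding stays unexpected unless it is separately expected or waived, add one sentence saying whether expired or unapproved challenge and exclusion records still produce findings and evidence review annotations or are ignored entirely. The section also points readers at `docs/schemas/challenge-set.schema.json` and `docs/schemas/exclusion-set.schema.json` without showing a single record, so a minimal example record (one matching ref plus owner, review status, rationale and authority source ref) next to the profile snippet would make the required fields visible without opening the schema. Finally, the section should state what happens when one record's refs match a finding on more than one axis (for example both a check ref and a result ref), as the matching rules list five ref kinds but no precedence.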