## Overview
CodeGraph generates a comprehensive compliance report for GOST R 56939-2024 (“Software Development Security Requirements”), evaluating all 25 processes defined in the standard. The report aggregates artifacts from CPG analysis, SARIF reports, configuration files, test results, git history, and threat models into a single structured document suitable for FSTEK audits.
Key capabilities:
- Automatic artifact collection from 11 CodeGraph subsystems
- Evaluation of all 25 GOST processes with FULL/PARTIAL/GAP/N/A status
- Traceability matrix linking requirements to code, tests, findings, and fixes
- Three output formats: Markdown, JSON, GOST auditor template
- Bilingual output (Russian and English)
- History tracking with delta comparison between assessments
- SQLite-based compliance store for trend analysis
## Architecture

```
ArtifactCollector ──> ProcessEvaluator ──> ReportRenderer
        │                    │                    │
  CPG, SARIF, git,     25 process evals    Markdown / JSON / GOST
  config, tests,       (specialized or
  threat model         default scoring)
        │                    │
  TraceabilityMatrix   ComplianceStore
  CWE -> code ->       SQLite history
  test -> finding      delta tracking
```
## Components

| Component | Module | Purpose |
|---|---|---|
| ArtifactCollector | src/compliance/gost_56939/artifact_collector.py | Collects evidence from all subsystems |
| ProcessEvaluator | src/compliance/gost_56939/process_evaluator.py | Evaluates 25 processes against collected artifacts |
| ReportRenderer | src/compliance/gost_56939/report_renderer.py | Renders reports in Markdown, JSON, GOST template |
| ComplianceStore | src/compliance/gost_56939/compliance_store.py | SQLite history with delta tracking |
| TraceabilityMatrix | src/compliance/gost_56939/traceability.py | Maps CWE requirements to code, tests, findings |
| ComplianceGostConfig | src/config/unified_config.py | Configuration (search paths, overrides, history) |
## GOST Processes
All 25 processes from Section 5 of GOST R 56939-2024:
| # | Process | Type | CodeGraph Coverage |
|---|---|---|---|
| 5.1 | Process Planning | organizational | N/A (manual) |
| 5.2 | Staff Training | organizational | N/A (manual) |
| 5.3 | Security Requirements | mixed | Partial |
| 5.4 | Configuration Management | automated | Git, changelog |
| 5.5 | Defect Management | mixed | Partial |
| 5.6 | Software Architecture | automated | CPG modules/deps |
| 5.7 | Threat Modeling | automated | STRIDE model |
| 5.8 | Coding Standards | automated | 190 YAML rules |
| 5.9 | Code Review | automated | Review pipeline |
| 5.10 | Static Analysis | automated | SARIF, GoCPG |
| 5.11 | Dynamic Analysis | external | Gap |
| 5.12 | Secure Build | mixed | Partial |
| 5.13 | Build Environment Security | mixed | Partial |
| 5.14 | Access Control | automated | RBAC module |
| 5.15 | Secret Security | automated | DLP module |
| 5.16 | Composition Analysis | external | Gap |
| 5.17 | Supply Chain | external | Gap |
| 5.18 | Functional Testing | mixed | Test suite |
| 5.19 | Non-functional Testing | mixed | Partial |
| 5.20 | Release Security | mixed | Approval engine |
| 5.21 | Secure Delivery | automated | Docker, CI/CD |
| 5.22 | Support | organizational | N/A (manual) |
| 5.23 | Vulnerability Response | mixed | Partial |
| 5.24 | Vulnerability Search | automated | Hypothesis system |
| 5.25 | Decommission | organizational | N/A (manual) |
### Process Types
- automated — fully evaluated by CodeGraph artifact analysis
- organizational — requires manual assessment (marked N/A by default)
- mixed — partially automated, some manual input needed
- external — requires external tooling integration
## CLI Usage

### Generate Full Report

```bash
# Markdown report (default)
python -m src.cli compliance gost-56939
# JSON output
python -m src.cli compliance gost-56939 --format json
# GOST auditor template
python -m src.cli compliance gost-56939 --format gost --language ru
# With traceability matrix
python -m src.cli compliance gost-56939 --include-traceability
# Save to file and history
python -m src.cli compliance gost-56939 --output report.md --save-history
# English output
python -m src.cli compliance gost-56939 --language en
```
### Artifact Checklist

```bash
# All processes
python -m src.cli compliance checklist
# Specific processes
python -m src.cli compliance checklist --process 5.7,5.10
# JSON format
python -m src.cli compliance checklist --format json
```
### History and Delta

```bash
# View assessment history
python -m src.cli compliance history --project myproject
# Compare two assessments
python -m src.cli compliance delta --old abc123 --new def456
```
### Traceability Matrix

```bash
# Markdown format
python -m src.cli compliance traceability
# JSON format
python -m src.cli compliance traceability --format json --output trace.json
```
## API Endpoints

All endpoints are under `/api/v1/compliance/gost-56939/`.

| Method | Path | Description |
|---|---|---|
| GET | /{project_id} | Full compliance report |
| GET | /{project_id}/checklist | Artifact checklist |
| GET | /{project_id}/traceability | Traceability matrix |
| GET | /{project_id}/history | Assessment history |
| GET | /{project_id}/export?format=gost | Export in specified format |
| GET | /{project_id}/delta?old=ID&new=ID | Delta between assessments |
| POST | /{project_id}/evaluate | Trigger evaluation |
### Example: Get Report

```bash
curl http://localhost:8000/api/v1/compliance/gost-56939/myproject
```

Response:

```json
{
  "project_name": "myproject",
  "compliance_score": 52.4,
  "gost_standard": "GOST R 56939-2024",
  "summary": {"full": 8, "partial": 5, "gap": 8, "n_a": 4},
  "processes": [...]
}
```
## MCP Tool

```
codegraph_compliance_gost(
    action="evaluate",          # evaluate | checklist | traceability | history | delta
    format="markdown",          # markdown | json | gost
    language="ru",              # ru | en
    process_filter="",          # comma-separated process IDs
    include_traceability=false,
    report_id_old="",           # for delta action
    report_id_new=""            # for delta action
)
```
## Configuration

```yaml
# config.yaml
compliance:
  gost_56939:
    enabled: true
    auto_evaluate_on_audit: true
    store_history: true
    history_db_path: "data/compliance_history.sqlite"
    organizational_processes_status: "n_a"
    sarif_search_paths: ["data/", "reports/"]
    manual_overrides: {}  # e.g., "5.1": "partial"
```
### Manual Overrides

For organizational processes that require manual assessment, set overrides:

```yaml
compliance:
  gost_56939:
    manual_overrides:
      "5.1": "partial"   # Planning documented
      "5.2": "full"      # Training completed
      "5.22": "partial"  # Support processes defined
```
## Compliance Score

The compliance score is calculated as:

- FULL = 1.0 point
- PARTIAL = 0.5 points
- GAP = 0 points
- N/A = excluded from calculation

Formula: `score = sum(points) / count(applicable) * 100%`
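The following is an added worked example (not CodeGraph's own code) that ties the Manual Overrides section to the score formula above: organizational processes default to the configured `organizational_processes_status`, `manual_overrides` are applied on top, and N/A entries are excluded from the denominator. The 21 evaluator results are a constructed sample, and the `ORGANIZATIONAL` tuple is taken from the process table; the function and variable names are this example's own.

```python
from typing import Dict

# Points per status as the page defines them; "n_a" is excluded from the score.
POINTS: Dict[str, float] = {"full": 1.0, "partial": 0.5, "gap": 0.0}
VALID_STATUSES = set(POINTS) | {"n_a"}

# Organizational processes from the process table (N/A unless overridden).
ORGANIZATIONAL = ("5.1", "5.2", "5.22", "5.25")


def apply_overrides(statuses: Dict[str, str], overrides: Dict[str, str],
                    organizational_status: str = "n_a") -> Dict[str, str]:
    """Return a new status map: organizational processes receive the configured
    default (organizational_processes_status), then manual_overrides win.
    An override with an unknown status is rejected rather than silently scored."""
    result = dict(statuses)
    for pid in ORGANIZATIONAL:
        result.setdefault(pid, organizational_status)
    for pid, status in overrides.items():
        if status not in VALID_STATUSES:
            raise ValueError(f"override for {pid} has unknown status {status!r}")
        result[pid] = status
    return result


def summarize(statuses: Dict[str, str]) -> Dict[str, int]:
    """Count processes per status, in the shape of the report's 'summary' field."""
    counts = {"full": 0, "partial": 0, "gap": 0, "n_a": 0}
    for status in statuses.values():
        counts[status] += 1
    return counts


def compliance_score(statuses: Dict[str, str]) -> float:
    """score = sum(points) / count(applicable) * 100, with N/A excluded.
    Returns 0.0 when nothing is applicable instead of dividing by zero."""
    applicable = [s for s in statuses.values() if s != "n_a"]
    if not applicable:
        return 0.0
    return round(sum(POINTS[s] for s in applicable) / len(applicable) * 100, 1)


# Constructed sample: results for the 21 non-organizational processes
# (illustrative only, not real CodeGraph output).
SAMPLE_STATUSES: Dict[str, str] = {
    **{p: "full" for p in ("5.4", "5.6", "5.7", "5.8", "5.9",
                           "5.10", "5.14", "5.15", "5.21")},
    **{p: "partial" for p in ("5.3", "5.5", "5.12", "5.18", "5.20", "5.24")},
    **{p: "gap" for p in ("5.11", "5.13", "5.16", "5.17", "5.19", "5.23")},
}

# The override block shown in the Manual Overrides section.
SAMPLE_OVERRIDES = {"5.1": "partial", "5.2": "full", "5.22": "partial"}


def score_with_and_without_overrides() -> Dict[str, float]:
    """Show how assessing organizational processes moves the score:
    baseline 12/21 applicable points, with overrides 14/24."""
    baseline = apply_overrides(SAMPLE_STATUSES, {})
    overridden = apply_overrides(SAMPLE_STATUSES, SAMPLE_OVERRIDES)
    return {"baseline": compliance_score(baseline),
            "with_overrides": compliance_score(overridden)}


if __name__ == "__main__":
    print(summarize(apply_overrides(SAMPLE_STATUSES, SAMPLE_OVERRIDES)))
    print(score_with_and_without_overrides())
```

Note that an override only adds a process to the denominator; setting `"5.1": "partial"` raises the count of applicable processes, so the score can move in either direction depending on the status assigned.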
## Traceability Matrix

The traceability matrix links:

- CWE requirements to code locations (from SARIF and CPG pattern findings)
- Code locations to test files (by naming convention, e.g., `test_sql_injection.py` links to CWE-89)
- Findings to fix references (git commit hashes)

Each entry has a status: covered (code + tests), partial (code or tests only), uncovered.
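As an added illustration (not the project's `traceability.py`), the following builds a matrix from three constructed inputs: SARIF-style findings as `(cwe, file, line)`, a list of test file names matched by the naming convention, and fix references as `(cwe, commit)`. The page gives one convention instance (`test_sql_injection.py` to CWE-89); the other subject-to-CWE pairs, the regular expression, and the commit hash are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Naming-convention map from a test file's subject to a CWE. Only the
# sql_injection -> CWE-89 pair comes from the page; the rest are assumptions.
TEST_SUBJECT_TO_CWE: Dict[str, str] = {
    "sql_injection": "CWE-89",
    "xss": "CWE-79",
    "path_traversal": "CWE-22",
}
TEST_FILE_RE = re.compile(r"^test_(?P<subject>[a-z0-9_]+)\.py$")


@dataclass
class TraceEntry:
    cwe: str
    code_locations: List[str] = field(default_factory=list)  # "file:line"
    tests: List[str] = field(default_factory=list)           # test file names
    fixes: List[str] = field(default_factory=list)           # git commit hashes

    @property
    def status(self) -> str:
        """covered = code + tests, partial = code or tests only, else uncovered."""
        if self.code_locations and self.tests:
            return "covered"
        if self.code_locations or self.tests:
            return "partial"
        return "uncovered"


def build_matrix(findings: Iterable[Tuple[str, str, int]],
                 test_files: Iterable[str],
                 fixes: Iterable[Tuple[str, str]]) -> Dict[str, TraceEntry]:
    """Group findings, tests and fixes by CWE. A test file whose subject maps
    to a CWE with no finding still creates a (partial) entry, which is how a
    test without a matching code location shows up in the matrix."""
    matrix: Dict[str, TraceEntry] = {}

    def entry(cwe: str) -> TraceEntry:
        return matrix.setdefault(cwe, TraceEntry(cwe))

    for cwe, path, line in findings:
        entry(cwe).code_locations.append(f"{path}:{line}")
    for name in test_files:
        match = TEST_FILE_RE.match(name)
        cwe = TEST_SUBJECT_TO_CWE.get(match.group("subject")) if match else None
        if cwe:  # files such as test_utils.py match no CWE and are skipped
            entry(cwe).tests.append(name)
    for cwe, commit in fixes:
        entry(cwe).fixes.append(commit)
    return matrix


def to_markdown(matrix: Dict[str, TraceEntry]) -> str:
    """Render the matrix as a Markdown table, one row per CWE."""
    rows = ["| CWE | Code | Tests | Fixes | Status |", "|---|---|---|---|---|"]
    for cwe in sorted(matrix):
        e = matrix[cwe]
        rows.append(f"| {cwe} | {', '.join(e.code_locations) or '-'} | "
                    f"{', '.join(e.tests) or '-'} | {', '.join(e.fixes) or '-'} | "
                    f"{e.status} |")
    return "\n".join(rows)


# Constructed sample inputs (not real scan output).
FINDINGS = [("CWE-89", "src/db/query.py", 42),
            ("CWE-89", "src/api/search.py", 17),
            ("CWE-79", "src/web/render.py", 88)]
TEST_FILES = ["test_sql_injection.py", "test_path_traversal.py", "test_utils.py"]
FIXES = [("CWE-89", "a1b2c3d")]  # placeholder commit hash, constructed


if __name__ == "__main__":
    print(to_markdown(build_matrix(FINDINGS, TEST_FILES, FIXES)))
```

With the sample data CWE-89 is `covered` (code, a test and a fix), CWE-79 is `partial` because only code locations exist, and CWE-22 is `partial` the other way round: a test exists but no finding points at code.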
## Specialized Evaluators
CodeGraph includes 25 specialized evaluators — one for each GOST process:
### Automated Evaluators (10)
These evaluators assess compliance programmatically by examining CPG data, SARIF reports, configuration files, and project structure:
| Evaluator | Process | Evidence Sources |
|---|---|---|
| ConfigManagementEvaluator | 5.4 | Git VCS, changelog, project registry |
| ArchitectureEvaluator | 5.6 | CPG database (modules, dependencies) |
| ThreatModelEvaluator | 5.7 | STRIDE model, attack surface, research targets |
| CodingStandardsEvaluator | 5.8 | YAML rules (190+), linter configs |
| CodeReviewEvaluator | 5.9 | Review pipeline module |
| StaticAnalysisEvaluator | 5.10 | GoCPG config, tool inventory, SARIF reports |
| AccessControlEvaluator | 5.14 | RBAC module, auth configuration |
| SecretsManagementEvaluator | 5.15 | DLP module, secret scanning |
| SecureDeliveryEvaluator | 5.21 | Dockerfile, CI/CD pipeline |
| VulnerabilitySearchEvaluator | 5.24 | Hypothesis system (58 CWE, 27 CAPEC) |
### Organizational/Mixed/External Evaluators (15)

These evaluators handle processes requiring manual assessment or external tooling. They support `manual_overrides` from configuration:
| Evaluator | Process | Type |
|---|---|---|
| PlanningEvaluator | 5.1 | organizational |
| TrainingEvaluator | 5.2 | organizational |
| SecurityRequirementsEvaluator | 5.3 | mixed |
| DefectManagementEvaluator | 5.5 | mixed |
| DynamicAnalysisEvaluator | 5.11 | external |
| SecureBuildEvaluator | 5.12 | mixed |
| BuildEnvSecurityEvaluator | 5.13 | mixed |
| CompositionAnalysisEvaluator | 5.16 | external |
| SupplyChainEvaluator | 5.17 | external |
| FunctionalTestingEvaluator | 5.18 | mixed |
| NonFunctionalTestingEvaluator | 5.19 | mixed |
| ReleaseSecurityEvaluator | 5.20 | mixed |
| SupportEvaluator | 5.22 | organizational |
| VulnerabilityResponseEvaluator | 5.23 | mixed |
| DecommissioningEvaluator | 5.25 | organizational |
### Evaluator Registry

All evaluators are auto-loaded via `build_evaluator_registry()`:

```python
from src.compliance.gost_56939.evaluators import build_evaluator_registry

registry = build_evaluator_registry(manual_overrides={"5.1": "partial"})
# Returns Dict[str, BaseProcessEvaluator] with all 25 evaluators
```
## Output Formats

| Format | Method | Use Case |
|---|---|---|
| Markdown | to_markdown(report, language) | CLI output, documentation |
| JSON | to_json(report) | API responses, MCP tool |
| HTML | to_html(report, language) | PDF conversion, web display |
| GOST Template | to_gost_template(report, language) | Auditor checklist |
## Integration with Audit Composite

When `auto_evaluate_on_audit: true`, the compliance report is automatically generated during audit composite execution and included in audit metrics under `compliance_gost_summary`.
## Delta Tracking

The compliance store tracks assessment history in SQLite. Delta reports compare two assessments:

- improved — process status upgraded (e.g., GAP → PARTIAL)
- degraded — process status downgraded
- unchanged — no change in status

```bash
# Compare two reports
python -m src.cli compliance delta --old <report_id_1> --new <report_id_2>
```

The delta helps track compliance progress over time and identify regressions before audits.
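The classification behind a delta report, as an added example that is not CodeGraph's `compliance_store.py`: two assessments are represented as process-id to status maps, and each process is labelled improved, degraded or unchanged by comparing the statuses on the GAP < PARTIAL < FULL scale. Two choices are this example's assumptions, stated in the comments: N/A ranks below GAP (so assessing an organizational process for the first time counts as an improvement), and a process absent from one report is treated as N/A there. The two assessments are constructed.

```python
from typing import Dict, List, Tuple

# Direction of change is decided on this scale. Assumption: n_a ranks lowest,
# so N/A -> PARTIAL is "improved" and PARTIAL -> N/A is "degraded".
RANK: Dict[str, int] = {"n_a": 0, "gap": 1, "partial": 2, "full": 3}

Transition = Tuple[str, str, str]  # (process_id, old_status, new_status)


def _process_order(pid: str) -> Tuple[int, ...]:
    """Sort "5.10" after "5.9" instead of lexically."""
    return tuple(int(part) for part in pid.split("."))


def compute_delta(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[Transition]]:
    """Classify every process present in either assessment.
    Assumption: a process missing from one report is treated as n_a there."""
    delta: Dict[str, List[Transition]] = {"improved": [], "degraded": [], "unchanged": []}
    for pid in sorted(set(old) | set(new), key=_process_order):
        before, after = old.get(pid, "n_a"), new.get(pid, "n_a")
        if RANK[after] > RANK[before]:
            delta["improved"].append((pid, before, after))
        elif RANK[after] < RANK[before]:
            delta["degraded"].append((pid, before, after))
        else:
            delta["unchanged"].append((pid, before, after))
    return delta


def has_regressions(delta: Dict[str, List[Transition]]) -> bool:
    """True when any process lost status; useful as a CI gate before an audit."""
    return bool(delta["degraded"])


def render_delta(delta: Dict[str, List[Transition]]) -> str:
    """Markdown summary: one section per category, transitions as OLD -> NEW."""
    lines = []
    for category in ("improved", "degraded", "unchanged"):
        lines.append(f"### {category} ({len(delta[category])})")
        for pid, before, after in delta[category]:
            lines.append(f"- {pid}: {before.upper()} -> {after.upper()}")
    return "\n".join(lines)


# Constructed assessments (not real stored reports).
OLD_REPORT = {"5.1": "n_a", "5.7": "partial", "5.10": "full",
              "5.11": "gap", "5.16": "gap", "5.19": "partial"}
NEW_REPORT = {"5.1": "partial", "5.7": "full", "5.10": "full",
              "5.11": "partial", "5.16": "gap", "5.19": "gap"}


if __name__ == "__main__":
    result = compute_delta(OLD_REPORT, NEW_REPORT)
    print(render_delta(result))
    print("regressions:", has_regressions(result))
```

The `degraded` list is the one to watch: in the sample, 5.19 slipping from PARTIAL to GAP is exactly the kind of regression the page says the delta is meant to surface before an audit.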