# Compliance frameworks

18 catalogs mapped to machine-checkable predicates against collected evidence.
## What digger does

Every framework lives as a YAML catalog under
`digger/compliance/frameworks/<name>.yaml`. Each control may
declare zero or more checks — small predicates digger can evaluate
automatically against the artifacts and findings already in the evidence
store. The assessor reduces multiple checks per control to one of:

| Status | Meaning |
|---|---|
| pass | All checks evaluated to true |
| fail | All checks failed |
| partial | Mixture — some checks pass, some fail |
| manual | Control lists `manual: true` or has no machine-checkable predicate |

Controls that require human review (policy, training, business continuity)
are honestly reported as manual. Don't trust any tool that
claims to mechanically score them.
## Bundled frameworks

| ID | Title | Origin |
|---|---|---|
| nist_800_53 | NIST SP 800-53 Rev. 5 | NIST |
| nist_800_171 | NIST SP 800-171 Rev. 3 (CUI protection) | NIST |
| nist_csf_2 | NIST Cybersecurity Framework 2.0 | NIST |
| cmmc_2_0 | Cybersecurity Maturity Model Certification 2.0 | DoD |
| fedramp_high | FedRAMP High Baseline | GSA |
| icd_503 | ICD 503 — IC IT systems security risk management | ODNI |
| iso_27001 | ISO/IEC 27001:2022 (Annex A) | ISO |
| iso_27037 | ISO/IEC 27037:2012 — digital evidence handling | ISO |
| cis_macos | CIS Apple macOS Sonoma Benchmark | CIS |
| cis_linux | CIS Distribution-Independent Linux Benchmark | CIS |
| cis_windows | CIS Microsoft Windows 11 Enterprise Benchmark | CIS |
| disa_stig_general | DISA STIG — General OS (cross-platform subset) | DISA |
| pci_dss_4_0 | PCI DSS 4.0.1 | PCI SSC |
| hipaa_security_rule | HIPAA Security Rule (45 CFR 160 / 164) | HHS / OCR |
| gdpr | EU GDPR 2016/679 (Articles 25, 32, 33, 35) | EU |
| nis2 | EU NIS 2 Directive (2022/2555) | EU |
| essential_eight | ACSC Essential Eight | ACSC / ASD |
| soc2_tsc | SOC 2 Trust Services Criteria (CC §6-7) | AICPA |

Most catalogs are high-impact subsets of the source documents, focused on endpoint-observable controls. To extend any of them, drop more entries into the YAML — no code change required.
## Predicate vocabulary

A control can declare any combination of these checks:

- `artifact_present`
  - Pass iff at least one artifact from the named collector exists, e.g. `artifact_present: linux.audit`.
- `artifact_count_min`
  - Pass iff the named collector produced ≥ N artifacts, e.g. `artifact_count_min: {processes: 10}`.
- `no_finding_with_detector`
  - Pass iff no finding was emitted by the named detector, e.g. `no_finding_with_detector: c2`.
- `no_finding_with_mitre`
  - Pass iff no finding carries the given MITRE technique prefix.
- `no_finding_above`
  - Pass iff no finding exceeds the named severity, e.g. `no_finding_above: medium`.
- `data_contains`
  - Regex search over a collector's artifacts, e.g. matching `"FileVault is On"` in `macos.security_posture`'s `fdesetup status` raw output.
- `manual: true`
  - Explicitly flag this control as requiring human review.
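The following is an added worked example, not digger's own code, showing how the predicate vocabulary above and the status reduction from the first table fit together. It builds a small in-memory evidence store (constructed sample artifacts and findings, not digger's real schema), evaluates each single-key check against it, and collapses a control's verdicts to pass / fail / partial / manual. The severity ladder used by `no_finding_above` and the `{collector: regex}` argument shape for `data_contains` are assumptions, since the page states only the intent of those predicates.

```python
import re
from typing import Optional

# Assumed severity ladder for no_finding_above; the page names "medium" but
# does not define the ordering, so this is a constructed assumption.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed evidence store: artifacts keyed by collector name, plus findings
# as emitted by detectors. Shapes are assumed, not digger's real schema.
EVIDENCE = {
    "artifacts": {
        "linux.audit": [{"raw": "auditd (pid 812) is running"}],
        "processes": [{"raw": f"pid {1000 + i}"} for i in range(12)],
        "macos.security_posture": [{"raw": "fdesetup status: FileVault is On."}],
    },
    "findings": [
        {"detector": "persistence", "mitre": "T1053.003", "severity": "medium"},
        {"detector": "c2", "mitre": "T1071.001", "severity": "high"},
    ],
}


def eval_check(check: dict, evidence: dict) -> Optional[bool]:
    """Evaluate one single-key predicate. None means 'no machine verdict'."""
    (kind, arg), = check.items()
    artifacts, findings = evidence["artifacts"], evidence["findings"]
    if kind == "manual":
        return None
    if kind == "artifact_present":
        return len(artifacts.get(arg, [])) >= 1
    if kind == "artifact_count_min":
        (collector, minimum), = arg.items()
        return len(artifacts.get(collector, [])) >= minimum
    if kind == "no_finding_with_detector":
        return not any(f["detector"] == arg for f in findings)
    if kind == "no_finding_with_mitre":
        # Prefix match so "T1053" covers every T1053.* sub-technique.
        return not any(f["mitre"].startswith(arg) for f in findings)
    if kind == "no_finding_above":
        limit = SEVERITY_ORDER.index(arg)
        return not any(SEVERITY_ORDER.index(f["severity"]) > limit for f in findings)
    if kind == "data_contains":
        # Assumed argument shape {collector: regex}; the page states only the intent.
        (collector, pattern), = arg.items()
        return any(re.search(pattern, a["raw"]) for a in artifacts.get(collector, []))
    raise ValueError(f"unknown predicate: {kind}")


def assess_control(control: dict, evidence: dict) -> str:
    """Reduce a control's checks to one of pass / fail / partial / manual."""
    checks = control.get("checks") or []
    if control.get("manual") or not checks:
        return "manual"          # no machine-checkable predicate at all
    verdicts = [eval_check(c, evidence) for c in checks]
    if any(v is None for v in verdicts):
        return "manual"          # a manual: true check overrides the rest
    if all(verdicts):
        return "pass"
    if not any(verdicts):
        return "fail"
    return "partial"             # mixture of passing and failing checks


def assess(controls: list, evidence: dict) -> dict:
    """Map control id -> status for a whole catalog."""
    return {c["id"]: assess_control(c, evidence) for c in controls}


def summarize(statuses: dict) -> dict:
    """Count controls per status, like the per-framework summary digger prints."""
    counts = {}
    for status in statuses.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed catalog exercising every predicate at least once.
CONTROLS = [
    {"id": "C-1", "title": "Audit logging enabled",
     "checks": [{"artifact_present": "linux.audit"}]},
    {"id": "C-2", "title": "No active C2 indicators",
     "checks": [{"no_finding_with_detector": "c2"}]},
    {"id": "C-3", "title": "Process inventory with no high-severity findings",
     "checks": [{"artifact_count_min": {"processes": 10}}, {"no_finding_above": "medium"}]},
    {"id": "C-4", "title": "Full-disk encryption on",
     "checks": [{"data_contains": {"macos.security_posture": "FileVault is On"}}]},
    {"id": "C-5", "title": "Documented IR plan", "checks": [{"manual": True}]},
    {"id": "C-6", "title": "No scheduled-task persistence",
     "checks": [{"no_finding_with_mitre": "T1053"}]},
]

if __name__ == "__main__":
    result = assess(CONTROLS, EVIDENCE)
    for cid, status in result.items():
        print(f"{cid:<5} {status}")
    print(summarize(result))
```

C-3 lands on `partial`: the process count check passes (12 ≥ 10) but the constructed `c2` finding is `high`, which exceeds `medium`. C-6 fails because the prefix `T1053` matches the `T1053.003` finding, which is the behaviour you want from a technique-prefix predicate.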
## Running assessments

```text
$ digger compliance list
cis_linux CIS Distribution-Independent Linux Benchmark
cis_macos CIS Apple macOS 14.x Sonoma Benchmark
...
$ digger compliance assess --case-dir ./case-1
NIST_SP_800_53_Rev5 (Rev 5.1.1) — 22 controls
  pass: 10
  fail: 2
  manual: 8
  partial: 2
ISO_IEC_27001_2022 (2022) — 11 controls
  pass: 5
  fail: 2
  manual: 4
ACSC_Essential_Eight (November 2023) — 8 controls
  pass: 5
  manual: 3
reports written to ./case-1/compliance/
```

One report per framework is written: `<framework>.html`,
`.md`, and `.json` (use `--format html` /
`--format json` / `--format all` to control which).

## Cross-framework mapping

Each catalog can declare `mapping_to_other_frameworks` — a
hash of (target framework → control-id → list of equivalent control ids).
For example:

```yaml
mapping_to_other_frameworks:
  CMMC_2_0:
    AU-2: ["AU.L2-3.3.1"]
    AC-6: ["AC.L2-3.1.5"]
  ISO_27001:
    AU-2: ["A.8.15"]
    SC-13: ["A.8.24"]
```

This lets findings raised against one framework be referenced from another without duplicating the rule logic.

## Adding a framework

Drop a YAML file under `digger/compliance/frameworks/`. Minimum
shape:

```yaml
id: MY_FRAMEWORK
title: My Internal Baseline
version: "1.0"
publisher: Acme Security
url: https://internal.example/baseline
description: |
  Internal baseline derived from NIST CSF and CIS Linux.
controls:
  - id: BASELINE-01
    title: All accounts have unique IDs
    family: identity
    severity_if_failed: high
    checks:
      - artifact_present: users
  - id: BASELINE-02
    title: No active C2 indicators
    family: integrity
    severity_if_failed: critical
    checks:
      - no_finding_with_detector: c2
  - id: BASELINE-03
    title: Documented IR plan
    family: process
    severity_if_failed: medium
    checks: [{manual: true}]
```

The next run of `digger compliance list` will include it. No code
to write.
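Because a new catalog is picked up with no code change, a typo in a predicate name or a dangling `mapping_to_other_frameworks` reference only surfaces at assessment time. The following is an added example, not part of digger, of a pre-flight check a practitioner would run over a catalog before dropping it into `frameworks/`: it verifies the minimum shape shown above, rejects unknown predicate keys, and resolves every cross-framework mapping against the target catalogs it is given. The set of required keys (`id`, `title`, `version`, `publisher`, `controls` at the top level; `id`, `title`, `family`, `severity_if_failed` per control) is taken from the page's minimum shape; which of these digger itself enforces is an assumption. The catalog dicts below are the parsed form of the YAML above, constructed inline so the example runs without a YAML library, and the CMMC stub contains only the two control ids the page's mapping example uses.

```python
import copy

# Predicate keys from the "Predicate vocabulary" section.
KNOWN_PREDICATES = {
    "artifact_present", "artifact_count_min", "no_finding_with_detector",
    "no_finding_with_mitre", "no_finding_above", "data_contains", "manual",
}
# Assumed required keys, taken from the minimum shape on the page.
REQUIRED_TOP = ("id", "title", "version", "publisher", "controls")
REQUIRED_CONTROL = ("id", "title", "family", "severity_if_failed")


def validate_catalog(catalog: dict, known_catalogs: dict) -> list:
    """Return a list of human-readable problems; an empty list means the catalog is sound."""
    errors = []
    for key in REQUIRED_TOP:
        if key not in catalog:
            errors.append(f"missing top-level key: {key}")

    seen_ids = set()
    for index, ctl in enumerate(catalog.get("controls") or []):
        cid = ctl.get("id", f"<control #{index}>")
        for key in REQUIRED_CONTROL:
            if key not in ctl:
                errors.append(f"{cid}: missing {key}")
        if cid in seen_ids:
            errors.append(f"{cid}: duplicate control id")
        seen_ids.add(cid)
        for chk in ctl.get("checks") or []:
            if not isinstance(chk, dict) or len(chk) != 1:
                errors.append(f"{cid}: each check must be a single-key mapping")
                continue
            (kind,) = chk
            if kind not in KNOWN_PREDICATES:
                errors.append(f"{cid}: unknown predicate {kind!r}")

    # Every mapped target framework must be loaded, and every equivalent id must exist in it.
    for target, rows in (catalog.get("mapping_to_other_frameworks") or {}).items():
        target_catalog = known_catalogs.get(target)
        if target_catalog is None:
            errors.append(f"mapping: target framework {target} is not loaded")
            continue
        target_ids = {c["id"] for c in target_catalog.get("controls") or []}
        for src_id, equivalents in rows.items():
            if src_id not in seen_ids:
                errors.append(f"mapping {target}: source control {src_id} is not in this catalog")
            for eq in equivalents:
                if eq not in target_ids:
                    errors.append(f"mapping {target}: {src_id} -> {eq} does not exist in target catalog")
    return errors


def invert_mapping(catalog: dict) -> dict:
    """target framework -> target control id -> ids in this catalog mapped to it.

    This is the lookup that lets a finding raised under one framework be
    referenced from another without duplicating the rule."""
    inverted = {}
    for target, rows in (catalog.get("mapping_to_other_frameworks") or {}).items():
        for src_id, equivalents in rows.items():
            for eq in equivalents:
                inverted.setdefault(target, {}).setdefault(eq, []).append(src_id)
    return inverted


# Parsed form of the MY_FRAMEWORK YAML above, plus a constructed mapping.
GOOD = {
    "id": "MY_FRAMEWORK", "title": "My Internal Baseline", "version": "1.0",
    "publisher": "Acme Security", "url": "https://internal.example/baseline",
    "description": "Internal baseline derived from NIST CSF and CIS Linux.\n",
    "controls": [
        {"id": "BASELINE-01", "title": "All accounts have unique IDs", "family": "identity",
         "severity_if_failed": "high", "checks": [{"artifact_present": "users"}]},
        {"id": "BASELINE-02", "title": "No active C2 indicators", "family": "integrity",
         "severity_if_failed": "critical", "checks": [{"no_finding_with_detector": "c2"}]},
        {"id": "BASELINE-03", "title": "Documented IR plan", "family": "process",
         "severity_if_failed": "medium", "checks": [{"manual": True}]},
    ],
    "mapping_to_other_frameworks": {
        "CMMC_2_0": {"BASELINE-01": ["AC.L2-3.1.5"], "BASELINE-02": ["AU.L2-3.3.1"]},
    },
}
# Constructed stub of the target catalog: only the ids the mapping needs.
CMMC_STUB = {"id": "CMMC_2_0", "controls": [{"id": "AC.L2-3.1.5"}, {"id": "AU.L2-3.3.1"}]}
KNOWN = {"CMMC_2_0": CMMC_STUB}

# A broken copy: misspelt predicate, placeholder target id, unloaded target framework.
BAD = copy.deepcopy(GOOD)
BAD["controls"][0]["checks"] = [{"artifact_exists": "users"}]
BAD["mapping_to_other_frameworks"]["CMMC_2_0"]["BASELINE-03"] = ["XX.L9-0.0.0"]
BAD["mapping_to_other_frameworks"]["ISO_27001"] = {"BASELINE-02": ["A.8.15"]}

if __name__ == "__main__":
    for name, cat in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_catalog(cat, KNOWN) or "ok")
    print(invert_mapping(GOOD))
```

Run it on a catalog before committing it; the `BAD` copy shows the three failure modes that otherwise go unnoticed until `digger compliance assess` is run against a real case.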