Draft

Profile Registry

Browse the reference types, profiles, and overlays published under the evidencepack/ namespace. Use these as starting points or reference implementations.

Types define artifact categories with metadata schemas. Use these to declare what kind of evidence an artifact represents.

evidencepack/soc2-report@v1

SOC 2 Report

SOC 2 Type I or Type II attestation report from an accredited auditor covering security, availability, processing integrity, confidentiality, or privacy trust services criteria.

Media types: application/pdf

Required metadata

report_type: type_i | type_ii
report_period_start: date
report_period_end: date
auditor: string

Optional metadata

trust_services_criteria: array
opinion: unqualified | qualified | ...
exceptions_noted: boolean
exceptions_count: integer
cuec_count: integer
subservice_organizations: array
carve_out_method: boolean

evidencepack/pentest-report@v1

Penetration Test Report

Summary or full report from a penetration test engagement conducted by a qualified security assessor.

Media types: application/pdf, application/json

Required metadata

test_date: date
assessor: string

Optional metadata

test_end_date: date
methodology: OWASP | PTES | ...
scope: array
test_type: array
findings_summary: object
remediation_summary: object
retest_performed: boolean
retest_date: date
executive_summary: string
critical_findings: array

evidencepack/cloud-config@v1

Cloud Provider Configuration

4 examples

Configuration export or security posture snapshot from a cloud provider (AWS, GCP, Azure, etc.).

Media types: application/json, application/pdf

Required metadata

provider: aws | gcp | azure | ...

Optional metadata

account_id: string
region: string
export_date: date
services_covered: array

Conformance Examples

aws-security-posture: AWS account security configuration covering IAM, S3, and EC2
Input (API Response)
{
  "account_id": "123456789012",
  "region": "us-east-1",
  "iam": { "mfa_enabled": true, "password_policy": { "min_length": 14 } },
  "s3": { "public_buckets": 0, "encryption_default": true },
  "ec2": { "imdsv2_required": true }
}
Output (Artifact Metadata)
{
  "provider": "aws",
  "account_id": "123456789012",
  "region": "us-east-1",
  "export_date": "2025-01-15",
  "services_covered": ["IAM", "S3", "EC2"]
}
gcp-project: GCP project configuration with Cloud IAM and GKE
Input (API Response)
{
  "project_id": "my-project-123",
  "iam": { "service_accounts": 12, "custom_roles": 3 },
  "gke": { "clusters": [{ "name": "prod", "private": true }] }
}
Output (Artifact Metadata)
{
  "provider": "gcp",
  "account_id": "my-project-123",
  "export_date": "2025-01-15",
  "services_covered": ["IAM", "GKE"]
}
aws-multi-region: AWS account spanning multiple regions with cross-region replication
Input (API Response)
{
  "account_id": "123456789012",
  "regions": ["us-east-1", "us-west-2", "eu-west-1"],
  "s3": { "cross_region_replication": true },
  "rds": { "multi_az": true, "read_replicas": 2 }
}
Output (Artifact Metadata)
{
  "provider": "aws",
  "account_id": "123456789012",
  "region": "us-east-1,us-west-2,eu-west-1",
  "export_date": "2025-01-15",
  "services_covered": ["S3", "RDS"]
}
azure-subscription: Azure subscription security configuration with Defender enabled
Input (API Response)
{
  "subscription_id": "a1b2c3d4-e5f6-7890",
  "defender": { "enabled": true, "tier": "standard" },
  "key_vault": { "soft_delete": true, "purge_protection": true }
}
Output (Artifact Metadata)
{
  "provider": "azure",
  "account_id": "a1b2c3d4-e5f6-7890",
  "export_date": "2025-01-15",
  "services_covered": ["Defender", "Key Vault"]
}

evidencepack/iam-summary@v1

IAM Security Posture

4 examples

Identity and access management security posture summary showing access controls and credential hygiene.

Media types: application/json, application/pdf

Required metadata

source: string

Optional metadata

export_date: date
mfa_enforced: boolean
unused_credentials_exist: boolean
root_account_mfa: boolean

Conformance Examples

aws-iam-basic: AWS IAM configuration with MFA enabled and no stale credentials
Input (API Response)
{
  "account": "123456789012",
  "users": [
    { "name": "admin", "mfa": true, "last_used": "2025-01-14" }
  ],
  "credential_report": { "stale_count": 0 },
  "root": { "mfa_enabled": true }
}
Output (Artifact Metadata)
{
  "source": "aws-iam",
  "export_date": "2025-01-15",
  "mfa_enforced": true,
  "unused_credentials_exist": false,
  "root_account_mfa": true
}
aws-iam-stale-credentials: AWS IAM with unused credentials older than 90 days
Input (API Response)
{
  "account": "123456789012",
  "credential_report": {
    "stale_count": 3,
    "stale_users": ["old-service", "former-dev", "test-user"]
  },
  "root": { "mfa_enabled": true }
}
Output (Artifact Metadata)
{
  "source": "aws-iam",
  "export_date": "2025-01-15",
  "mfa_enforced": true,
  "unused_credentials_exist": true,
  "root_account_mfa": true
}
aws-iam-no-root-mfa: AWS IAM with root account missing MFA
Input (API Response)
{
  "account": "123456789012",
  "users": [
    { "name": "admin", "mfa": true }
  ],
  "credential_report": { "stale_count": 0 },
  "root": { "mfa_enabled": false, "last_used": "2024-12-01" }
}
Output (Artifact Metadata)
{
  "source": "aws-iam",
  "export_date": "2025-01-15",
  "mfa_enforced": true,
  "unused_credentials_exist": false,
  "root_account_mfa": false
}
gcp-iam-basic: GCP IAM configuration with organization-wide MFA
Input (API Response)
{
  "org_id": "123456789",
  "org_policies": {
    "constraints/iam.allowedPolicyMemberDomains": ["example.com"]
  },
  "mfa_enforcement": { "enabled": true, "grace_period": 0 }
}
Output (Artifact Metadata)
{
  "source": "gcp-iam",
  "export_date": "2025-01-15",
  "mfa_enforced": true,
  "unused_credentials_exist": false
}

evidencepack/vcs-config@v1

Version Control Configuration

4 examples

Version control system security configuration showing branch protection and security features.

Media types: application/json, application/pdf

Required metadata

platform: github | gitlab | ...

Optional metadata

export_date: date
branch_protection_enabled: boolean
required_reviews_enabled: boolean
secret_scanning_enabled: boolean
dependency_scanning_enabled: boolean

Conformance Examples

github-org-mixed: GitHub organization with mixed branch protection across repositories
Input (API Response)
{
  "org": "acme-corp",
  "repos": [
    { "name": "api", "branch_protection": true, "required_reviews": 2 },
    { "name": "docs", "branch_protection": false }
  ],
  "secret_scanning": { "enabled": true, "repos_enabled": 5 }
}
Output (Artifact Metadata)
{
  "platform": "github",
  "export_date": "2025-01-15",
  "branch_protection_enabled": true,
  "required_reviews_enabled": true,
  "secret_scanning_enabled": true
}
github-org-all-protected: GitHub organization with all repositories fully protected
Input (API Response)
{
  "org": "secure-corp",
  "repos": [
    { "name": "core", "branch_protection": true, "required_reviews": 2 },
    { "name": "infra", "branch_protection": true, "required_reviews": 2 }
  ],
  "secret_scanning": { "enabled": true, "repos_enabled": 2 },
  "dependabot": { "enabled": true }
}
Output (Artifact Metadata)
{
  "platform": "github",
  "export_date": "2025-01-15",
  "branch_protection_enabled": true,
  "required_reviews_enabled": true,
  "secret_scanning_enabled": true,
  "dependency_scanning_enabled": true
}
github-org-empty: GitHub organization with no repositories
Input (API Response)
{
  "org": "new-startup",
  "repos": [],
  "secret_scanning": { "enabled": true, "repos_enabled": 0 }
}
Output (Artifact Metadata)
{
  "platform": "github",
  "export_date": "2025-01-15",
  "branch_protection_enabled": false,
  "required_reviews_enabled": false,
  "secret_scanning_enabled": true
}
gitlab-group: GitLab group with merge request approvals and protected branches
Input (API Response)
{
  "group": "acme/platform",
  "projects": [
    { "name": "backend", "protected_branches": ["main"], "approvals_required": 1 }
  ],
  "security_dashboard": { "enabled": true }
}
Output (Artifact Metadata)
{
  "platform": "gitlab",
  "export_date": "2025-01-15",
  "branch_protection_enabled": true,
  "required_reviews_enabled": true,
  "secret_scanning_enabled": true
}

evidencepack/idp-config@v1

Identity Provider Configuration

4 examples

Identity provider configuration summary showing authentication policies and MFA settings.

Media types: application/json, application/pdf

Required metadata

provider: okta | azure_ad | ...

Optional metadata

export_date: date
mfa_policy: required | optional | conditional
mfa_enabled: boolean
sso_enabled: boolean

Conformance Examples

okta-mfa-required: Okta organization with MFA required for all users
Input (API Response)
{
  "org_id": "00o1234567890",
  "org_name": "acme-corp",
  "policies": [
    { "name": "Default", "mfa": "REQUIRED", "factors": ["okta_verify", "sms"] }
  ],
  "sso_integrations": 12
}
Output (Artifact Metadata)
{
  "provider": "okta",
  "export_date": "2025-01-15",
  "mfa_policy": "required",
  "mfa_enabled": true,
  "sso_enabled": true
}
azure-ad-conditional: Azure AD with conditional access policies for MFA
Input (API Response)
{
  "tenant_id": "a1b2c3d4-e5f6-7890",
  "conditional_access": [
    { "name": "Require MFA for admins", "state": "enabled" },
    { "name": "Require MFA outside office", "state": "enabled" }
  ],
  "enterprise_apps": 45
}
Output (Artifact Metadata)
{
  "provider": "azure_ad",
  "export_date": "2025-01-15",
  "mfa_policy": "conditional",
  "mfa_enabled": true,
  "sso_enabled": true
}
okta-mfa-optional: Okta organization with MFA optional (not enforced)
Input (API Response)
{
  "org_id": "00o9876543210",
  "org_name": "startup-inc",
  "policies": [
    { "name": "Default", "mfa": "OPTIONAL", "factors": ["okta_verify"] }
  ],
  "sso_integrations": 3
}
Output (Artifact Metadata)
{
  "provider": "okta",
  "export_date": "2025-01-15",
  "mfa_policy": "optional",
  "mfa_enabled": true,
  "sso_enabled": true
}
google-workspace-sso: Google Workspace with SSO and MFA enabled
Input (API Response)
{
  "customer_id": "C01abc123",
  "domain": "example.com",
  "security_settings": {
    "2sv_enforcement": "ENFORCED",
    "sso_profile": { "enabled": true, "idp": "internal" }
  }
}
Output (Artifact Metadata)
{
  "provider": "google_workspace",
  "export_date": "2025-01-15",
  "mfa_policy": "required",
  "mfa_enabled": true,
  "sso_enabled": true
}

evidencepack/vulnerability-scan@v1

Vulnerability Scan Report

4 examples

Results from automated vulnerability scanning of infrastructure, applications, or containers.

Media types: application/pdf, application/json, text/csv

Required metadata

scan_date: date
scanner: string

Optional metadata

scan_type: infrastructure | web | ...
scope: array
findings_summary: object

Conformance Examples

trivy-container-scan: Trivy container vulnerability scan with mixed severity findings
Input (API Response)
{
  "ArtifactName": "myapp:latest",
  "Results": [
    {
      "Vulnerabilities": [
        { "Severity": "CRITICAL", "VulnerabilityID": "CVE-2024-1234" },
        { "Severity": "HIGH", "VulnerabilityID": "CVE-2024-5678" },
        { "Severity": "MEDIUM", "VulnerabilityID": "CVE-2024-9012" }
      ]
    }
  ]
}
Output (Artifact Metadata)
{
  "scan_date": "2025-01-15",
  "scanner": "Trivy",
  "scan_type": "container",
  "scope": ["myapp:latest"],
  "findings_summary": {
    "critical": 1,
    "high": 1,
    "medium": 1,
    "low": 0
  }
}
trivy-no-vulnerabilities: Trivy container scan with no vulnerabilities found
Input (API Response)
{
  "ArtifactName": "distroless/static:latest",
  "Results": [
    { "Vulnerabilities": null }
  ]
}
Output (Artifact Metadata)
{
  "scan_date": "2025-01-15",
  "scanner": "Trivy",
  "scan_type": "container",
  "scope": ["distroless/static:latest"],
  "findings_summary": {
    "critical": 0,
    "high": 0,
    "medium": 0,
    "low": 0
  }
}
trivy-critical-only: Trivy scan with only critical vulnerabilities
Input (API Response)
{
  "ArtifactName": "legacy-app:v1.0",
  "Results": [
    {
      "Vulnerabilities": [
        { "Severity": "CRITICAL", "VulnerabilityID": "CVE-2024-0001" },
        { "Severity": "CRITICAL", "VulnerabilityID": "CVE-2024-0002" }
      ]
    }
  ]
}
Output (Artifact Metadata)
{
  "scan_date": "2025-01-15",
  "scanner": "Trivy",
  "scan_type": "container",
  "scope": ["legacy-app:v1.0"],
  "findings_summary": {
    "critical": 2,
    "high": 0,
    "medium": 0,
    "low": 0
  }
}
nessus-infrastructure: Nessus infrastructure scan across network range
Input (API Response)
{
  "scan_name": "Q1 Infrastructure Scan",
  "targets": "10.0.0.0/24",
  "hosts_scanned": 254,
  "vulnerabilities": {
    "critical": 0, "high": 5, "medium": 23, "low": 45, "info": 120
  }
}
Output (Artifact Metadata)
{
  "scan_date": "2025-01-15",
  "scanner": "Nessus",
  "scan_type": "infrastructure",
  "scope": ["10.0.0.0/24"],
  "findings_summary": {
    "critical": 0,
    "high": 5,
    "medium": 23,
    "low": 45,
    "informational": 120
  }
}
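The conformance examples above define a mapping from raw scanner output to the type's metadata. As an added example (not evidencepack's own code), the adapter below implements that mapping for the Trivy and Nessus inputs shown, treats Trivy's null Vulnerabilities field as empty, and generalizes to several Results sections and to findings with an unrated severity. scan_date is passed in by the caller because neither input carries it, and scan_type is fixed per scanner as in the examples; the check_required helper is this example's own.

```python
import json

SEVERITIES = ("critical", "high", "medium", "low")

def from_trivy(report: dict, scan_date: str) -> dict:
    """Map a Trivy JSON report to vulnerability-scan@v1 metadata."""
    counts = dict.fromkeys(SEVERITIES, 0)
    unknown = 0
    for result in report.get("Results") or []:
        # A clean target is emitted as "Vulnerabilities": null, not []: treat it as empty.
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "")).lower()
            if sev in counts:
                counts[sev] += 1
            else:
                unknown += 1  # keep a count of unrated findings instead of dropping them
    if unknown:
        counts["unknown"] = unknown
    return {"scan_date": scan_date, "scanner": "Trivy", "scan_type": "container",
            "scope": [report["ArtifactName"]], "findings_summary": counts}

def from_nessus(report: dict, scan_date: str) -> dict:
    """Map a Nessus summary to the same metadata; "info" becomes "informational"."""
    v = report["vulnerabilities"]
    summary = {s: int(v.get(s, 0)) for s in SEVERITIES}
    summary["informational"] = int(v.get("info", 0))
    return {"scan_date": scan_date, "scanner": "Nessus", "scan_type": "infrastructure",
            "scope": [report["targets"]], "findings_summary": summary}

def check_required(metadata: dict) -> list:
    """Return the required vulnerability-scan@v1 fields that are missing or empty."""
    return [k for k in ("scan_date", "scanner") if not metadata.get(k)]

if __name__ == "__main__":
    # Constructed Trivy input: a clean distroless image, as in the conformance example above.
    clean = {"ArtifactName": "distroless/static:latest", "Results": [{"Vulnerabilities": None}]}
    print(json.dumps(from_trivy(clean, "2025-01-15"), indent=2))
```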

evidencepack/security-policy@v1

Security Policy Document

Organizational security policy document covering information security controls, acceptable use, or related governance.

Media types: application/pdf, text/markdown

Required metadata

policy_name: string

Optional metadata

version: string
effective_date: date
review_date: date
owner: string
policy_type: info_security | acceptable_use | ...

evidencepack/baa-agreement@v1

Business Associate Agreement

HIPAA Business Associate Agreement establishing responsibilities for protected health information (PHI).

Media types: application/pdf

Required metadata

effective_date: date
covered_entity: string
business_associate: string

evidencepack/architecture-diagram@v1

System Architecture Diagram

Visual documentation of system architecture showing components, data flows, and security boundaries.

Media types: application/pdf, image/png, image/svg+xml

Required metadata

diagram_type: system | network | ...

Optional metadata

version: string
last_updated: date
author: string
systems_covered: array

Profiles declare what artifacts a pack must contain. Choose a profile that matches your compliance needs.

evidencepack/baseline@v1

Baseline

Profile

Minimal base profile for overlay-only compositions. Use when no other base profile fits.

Requirements

No requirements. Apply overlays to add requirements.

evidencepack/soc2-basic@v1

SOC 2 Basic

Profile

Minimum evidence for a basic SOC 2 security review. Requires a SOC 2 Type II report and penetration test results.

Requirements

Required: evidencepack/soc2-report@v1 (365 days)
Required: evidencepack/pentest-report@v1 (365 days)
Optional: evidencepack/security-policy@v1

evidencepack/vendor-review@v1

Vendor Security Review

Profile

Standard evidence package for third-party vendor security assessments. Covers compliance attestation, security testing, and key security controls.

Requirements

Required: evidencepack/soc2-report@v1 (365 days)
Required: evidencepack/pentest-report@v1 (365 days)
Optional: evidencepack/vulnerability-scan@v1 (90 days)
Optional: evidencepack/security-policy@v1
Optional: evidencepack/architecture-diagram@v1

Overlays add or modify requirements on top of a base profile. Stack multiple overlays to compose requirements.

evidencepack/hipaa-overlay@v1

HIPAA Overlay

Overlay

Additional requirements for HIPAA compliance. Apply on top of any base profile to add healthcare-specific evidence requirements.

Adds requirements

Required: evidencepack/baa-agreement@v1 (new)

Modifies requirements

evidencepack/pentest-report@v1: 365 days → 180 days
evidencepack/vulnerability-scan@v1: min 1, 30 days

evidencepack/cloud-posture-overlay@v1

Cloud Posture Overlay

Overlay

Adds cloud infrastructure, identity, and development security requirements. Apply to any base profile to require technical cloud evidence.

Adds requirements

Required: evidencepack/cloud-config@v1 (90 days)
Required: evidencepack/iam-summary@v1 (90 days)
Required: evidencepack/vcs-config@v1 (90 days)
Required: evidencepack/idp-config@v1 (90 days)

Example: Composing overlays

Stack multiple overlays on a base profile to build exactly the requirements you need:

{
  "profile": "evidencepack/vendor-review@v1",
  "overlays": [
    "evidencepack/cloud-posture-overlay@v1",
    "evidencepack/hipaa-overlay@v1"
  ]
}

This gives you: the SOC 2 report and pentest report from vendor-review (the pentest window tightened to 180 days by the HIPAA overlay), the cloud config, IAM summary, VCS config and IdP config added by the cloud posture overlay, a BAA, and a vulnerability scan that is now required (30 days).
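The composition above can be resolved mechanically. As an added example (not evidencepack's own code), the block below transcribes the vendor-review profile and both overlays from this page into an assumed representation (fields required, min_count, max_age_days), applies the overlays in list order, and then checks a pack of dated artifacts against the composed requirements; how a modified type that the base profile never declared is handled is this example's assumption.

```python
from copy import deepcopy
from datetime import date
# Registry entries transcribed from this page; the field names (required, min_count,
# max_age_days) are this example's own representation. max_age_days None = no limit.
PROFILES = {
    "evidencepack/baseline@v1": {},  # no requirements of its own
    "evidencepack/vendor-review@v1": {
        "evidencepack/soc2-report@v1": {"required": True, "min_count": 1, "max_age_days": 365},
        "evidencepack/pentest-report@v1": {"required": True, "min_count": 1, "max_age_days": 365},
        "evidencepack/vulnerability-scan@v1": {"required": False, "min_count": 0, "max_age_days": 90},
        "evidencepack/security-policy@v1": {"required": False, "min_count": 0, "max_age_days": None},
        "evidencepack/architecture-diagram@v1": {"required": False, "min_count": 0, "max_age_days": None},
    },
}
OVERLAYS = {  # "adds" carries full specs, "modifies" only the fields that change
    "evidencepack/hipaa-overlay@v1": {
        "adds": {"evidencepack/baa-agreement@v1": {"required": True, "min_count": 1, "max_age_days": None}},
        "modifies": {
            "evidencepack/pentest-report@v1": {"max_age_days": 180},
            "evidencepack/vulnerability-scan@v1": {"required": True, "min_count": 1, "max_age_days": 30},
        },
    },
    "evidencepack/cloud-posture-overlay@v1": {
        "adds": {t: {"required": True, "min_count": 1, "max_age_days": 90} for t in (
            "evidencepack/cloud-config@v1", "evidencepack/iam-summary@v1",
            "evidencepack/vcs-config@v1", "evidencepack/idp-config@v1")},
        "modifies": {},
    },
}
DEFAULT = {"required": False, "min_count": 0, "max_age_days": None}

def compose(pack: dict) -> dict:
    """Resolve {"profile": ..., "overlays": [...]}; overlays apply in list order, later wins."""
    reqs = deepcopy(PROFILES[pack["profile"]])
    for name in pack.get("overlays", []):
        for section in ("adds", "modifies"):
            for artifact_type, spec in OVERLAYS[name][section].items():
                # Assumption: a modified type the base never declared is created from DEFAULT.
                reqs[artifact_type] = {**DEFAULT, **reqs.get(artifact_type, {}), **spec}
    return reqs

def unmet(reqs: dict, artifacts: list, today: str) -> list:
    """Required types a pack fails; artifacts = [(type, ISO export_date)], stale ones don't count."""
    fresh = {}
    for artifact_type, produced in artifacts:
        limit = reqs.get(artifact_type, DEFAULT)["max_age_days"]
        age = (date.fromisoformat(today) - date.fromisoformat(produced)).days
        if limit is None or age <= limit:
            fresh[artifact_type] = fresh.get(artifact_type, 0) + 1
    return sorted(t for t, s in reqs.items() if s["required"] and fresh.get(t, 0) < s["min_count"])
```

Because max_age_days is enforced per artifact, a pentest report that satisfied vendor-review alone can fail once the HIPAA overlay shortens the window; the unmet list makes that visible before the pack is submitted.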
