Verify Required Evidence in SARIF

Type: Rule
ID: required-sarif-evidence
Source: v2/rules/sarif/evidence-exists.yaml
Rego Source: evidence-exists.rego
Labels: SARIF

Verify all required evidence exists as defined by the SARIF policy.

note

This rule requires SARIF Evidence. See here for more details.

tip

Evidence IS required for this rule and will fail if missing.

tip

Signed Evidence for this rule IS NOT required by default but is recommended.

warning

Rule requires evaluation with a target or an asset input. Without one, it will be disabled unless the --all-evidence flag is provided.

Usage example

uses: sarif/evidence-exists@v2

Mitigation

By confirming that all required evidence exists, this rule guarantees that the outputs from various security scans (such as vulnerability assessments, configuration checks, and static analysis) are fully represented as evidence.

Evidence Requirements

Field	Value
signed	False
content_body_type	generic
target_type	data
predicate_type	http://docs.oasis-open.org/sarif/sarif/2.1.0

Usage example​

Mitigation​

Evidence Requirements​

Usage example

Mitigation

Evidence Requirements