
Conversation


@jpower432 jpower432 commented Nov 4, 2025

Description

This PR introduces support for multiple assessment evaluators in Layer 4 Evaluation Plans, enabling tools and manual methods to execute assessment procedures with configurable conflict resolution strategies when multiple evaluators provide results. It also adds a new directory, spec, to the documentation describing how to use the Layer 4 schema for finding determination (how it could be used by Layer 5 tools). This PR precedes Layer 5 to ensure Layer 5 tools can form an opinion about the returned result.

Schema Changes

Schema Changes Made

  • No schema changes
  • Layer 1 schema (schemas/layer-1.cue) changes
  • Layer 2 schema (schemas/layer-2.cue) changes
  • Layer 3 schema (schemas/layer-3.cue) changes
  • Layer 4 schema (schemas/layer-4.cue) changes

Schema Change Details

Fields Added:
Evaluators - Introducing an Evaluator concept that can represent both automated tools and manual review processes.
Confidence Level - Allow Layer 4 tools to attach a confidence level to a specific result in the AssessmentLog
EvaluationDocument - Adds a new top-level object to represent the Layer 4 EvaluationDocument to ensure the pattern is consistent for each layer.
ConflictResolution - Provides three distinct strategies that users can choose based on their security posture and tool maturity

Field Modified:
AssessmentPlan - Add optional conflict resolution between procedures
Evaluation Plan - Added required evaluators
AssessmentLog - Added optional confidence level
AssessmentProcedures - Added required evaluator mapping

Field Removed:
None

Consumer Impact: The new evaluator fields in Evaluation Plan are required, making this change not backward compatible.

Testing

  • Unit tests added/updated
  • Manual testing performed
  • Test data updated (if applicable)

Run cue vet -d "#EvaluationDocument" -s schemas/layer-4.cue layer4/test-data/multi-tool-plan.yaml

Related Issues

Partially resolves #170
Closes #175

Reviewer Hints

The new multi-tool-plan.yaml test data demonstrates configuring multiple executors with different roles and conflict resolution strategies:

executors:
  - id: "primary-scanner"
    type: Automated
    authoritative: true
  - id: "experimental-tool"
    type: Automated

conflict_resolution:
  strategy: AuthoritativeConfirmation

Assisted by: Cursor AI
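To show how a Layer 5 consumer could form an opinion from the plan above and an assessment log, here is an added example in Python. It is not code from this PR or the project. It assumes log-entry field names (procedure, executor, result, confidence on a 0..1 scale) and one reading of AuthoritativeConfirmation: the determination follows the authoritative executor, non-authoritative executors can only corroborate it or register a disagreement, and a procedure with no authoritative result (or with authoritative executors that disagree among themselves) stays unresolved. Results from executors not declared in the plan are rejected outright.

```python
"""Derive findings from a Layer 4 plan and assessment log (added example, not project code).

Assumptions not defined on the page: log-entry field names, a 0..1 confidence
scale, and the exact semantics of the AuthoritativeConfirmation strategy.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    procedure: str
    determination: str           # authoritative executor's result, or "Unresolved"
    confidence: float            # lowest confidence among authoritative results (assumed rule)
    corroborated: bool           # at least one other executor reported, and all agreed
    disagreements: list = field(default_factory=list)  # executors whose result differs


def declared_executors(plan):
    """Map executor id -> executor entry, rejecting duplicate ids."""
    executors = {}
    for entry in plan["executors"]:
        if entry["id"] in executors:
            raise ValueError(f"duplicate executor id {entry['id']!r}")
        executors[entry["id"]] = entry
    return executors


def authoritative_confirmation(plan, log):
    """Assumed semantics of AuthoritativeConfirmation (see lead-in)."""
    executors = declared_executors(plan)
    authoritative = {eid for eid, e in executors.items() if e.get("authoritative")}
    if not authoritative:
        raise ValueError("AuthoritativeConfirmation needs at least one authoritative executor")

    by_procedure = {}
    for entry in log:
        # Only executors declared in the plan may influence a finding.
        if entry["executor"] not in executors:
            raise ValueError(f"log entry from undeclared executor {entry['executor']!r}")
        by_procedure.setdefault(entry["procedure"], []).append(entry)

    findings = {}
    for procedure, entries in by_procedure.items():
        auth = [e for e in entries if e["executor"] in authoritative]
        others = [e for e in entries if e["executor"] not in authoritative]
        auth_results = {e["result"] for e in auth}
        if len(auth_results) != 1:
            # No authoritative result, or authoritative executors disagree: leave for review.
            findings[procedure] = Finding(procedure, "Unresolved", 0.0, False,
                                          sorted(e["executor"] for e in entries))
            continue
        determination = auth_results.pop()
        disagreements = sorted(e["executor"] for e in others if e["result"] != determination)
        findings[procedure] = Finding(
            procedure, determination, min(e["confidence"] for e in auth),
            corroborated=bool(others) and not disagreements,
            disagreements=disagreements)
    return findings


def resolve(plan, log):
    """Dispatch on the plan's conflict resolution strategy."""
    strategy = plan["conflict_resolution"]["strategy"]
    if strategy == "AuthoritativeConfirmation":
        return authoritative_confirmation(plan, log)
    raise NotImplementedError(f"strategy {strategy!r} is not implemented in this example")


# Constructed plan mirroring the executors block quoted in the PR description.
PLAN = {
    "executors": [
        {"id": "primary-scanner", "type": "Automated", "authoritative": True},
        {"id": "experimental-tool", "type": "Automated"},
    ],
    "conflict_resolution": {"strategy": "AuthoritativeConfirmation"},
}

# Constructed assessment-log entries; the field names are assumptions.
LOG = [
    {"procedure": "proc-1", "executor": "primary-scanner", "result": "Passed", "confidence": 0.95},
    {"procedure": "proc-1", "executor": "experimental-tool", "result": "Passed", "confidence": 0.60},
    {"procedure": "proc-2", "executor": "primary-scanner", "result": "Failed", "confidence": 0.80},
    {"procedure": "proc-2", "executor": "experimental-tool", "result": "Passed", "confidence": 0.70},
    {"procedure": "proc-3", "executor": "experimental-tool", "result": "Failed", "confidence": 0.90},
]

if __name__ == "__main__":
    for finding in resolve(PLAN, LOG).values():
        print(finding)
```

With the constructed log, proc-1 resolves to Passed and is corroborated, proc-2 resolves to Failed with experimental-tool recorded as disagreeing, and proc-3 stays Unresolved because only the non-authoritative tool reported on it.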

@jpower432 jpower432 marked this pull request as ready for review November 12, 2025 01:11
@jpower432 jpower432 requested a review from a team as a code owner November 12, 2025 01:11
@jpower432
Contributor Author

Documenting some feedback discussed with @eddie-knight:

  • Adding confidence scores to AssessmentLog to allow a tool to express confidence in a particular result. Related to [Question] Should we support confidence levels in the Layer 4 EvaluationLog? #175.
  • Explore confidence scores for the ExecutorMapping on how much a tool is trusted to perform a particular procedure
  • Layer 4 is breaking a pattern because it has two top-level objects (Plan and Log). Create a top-level document that would serve as an input into Layer 5.

@jpower432 jpower432 force-pushed the feat/layer4-tools branch 3 times, most recently from 8221cff to 98eae49 Compare November 15, 2025 04:02
@jpower432 jpower432 marked this pull request as draft November 20, 2025 22:01
@jpower432
Contributor Author

Temporarily converting to draft while working through feedback

Layer 4 currently breaks the pattern established by
the other layers. This adds a top-level document
that can be passed into Layer 5 for full context to
execute an enforcement action.

Introduce support for multiple assessment executors
(tools/manual methods) that can execute assessment procedures,
with configurable conflict resolution strategies when multiple executors provide results.

Signed-off-by: Jennifer Power <[email protected]>
Adding confidence to EvaluationLog allows an evaluation to
return a confidence level in the result based on inputs

Signed-off-by: Jennifer Power <[email protected]>
Assisted by: Cursor Agent
Signed-off-by: Jennifer Power <[email protected]>
The finding specification details how to use the EvaluationPlan
and deconfliction strategies to determine findings for Layer 5
action.

Assisted by: Cursor Agent
Signed-off-by: Jennifer Power <[email protected]>


Development

Successfully merging this pull request may close these issues.

[Question] Should we support confidence levels in the Layer 4 EvaluationLog?
Enhance multi-source evaluation support in Layer 4/5
