ComplyTime logo ComplyTime Get Started

Overview

A lightweight compliance runtime that pulls Gemara policies from an OCI registry and executes scans via providers.

Architecture#

┌──────────────────────────────────────────────────────────────────┐
│  Host                                                            │
│                                                                  │
│  ┌──────────────┐      complyctl get   ┌───────────────────────┐ │
│  │ OCI Registry │ ◄──────────────────  │                       │ │
│  │              │  ───────────────────►│    complyctl CLI      │ │
│  │  Gemara      │   catalog + policy   │                       │ │
│  │  policies    │   layers (YAML)      │ init / get / list     │ │
│  └──────────────┘                      │ generate / scan       │ │
│                                        │ doctor / providers    │ │
│                                        │ version               │ │
│                                        └─────┬────────┬────────┘ │
│                                              │        │          │
│                                 ┌────────────┘        │          │
│                                 │                     │          │
│                                 ▼                     ▼          │
│                       ┌──────────────┐    ┌────────────────┐     │
│                       │    Cache     │    │   Providers    │     │
│                       │              │    │                │     │
│                       │ ~/.complytime│    │ ~/.complytime/ │     │
│                       │  /policies/  │    │  providers/    │     │
│                       │  state.json  │    │                │     │
│                       │              │    │ complyctl-     │     │
│                       │ OCI Layout   │    │  provider-*    │     │
│                       │ per policy   │    │                │     │
│                       └──────────────┘    │ gRPC: Describe │     │
│                                           │ Generate, Scan │     │
│  ┌──────────────┐                         └────────────────┘     │
│  │  Workspace   │                                                │
│  │              │  complytime.yaml defines:                      │
│  │ ./complytime │   - registry URL                               │
│  │   .yaml      │   - policy IDs + versions                      │
│  │              │   - targets + variables                        │
│  │ ./.comply-   │                                                │
│  │   time/scan/ │                                                │
│  │  (output)    │  Scan output (EvaluationLog, OSCAL,            │
│  └──────────────┘   SARIF, Markdown) written to workspace        │
└──────────────────────────────────────────────────────────────────┘

Components:

ComponentDescription
OCI RegistryRemote store for Gemara policies. Supports two OCI manifest layouts: split-layer (distinct media types per artifact) and Gemara bundle format (single artifact media type with annotation-based differentiation). Both formats are auto-detected and resolved transparently.
WorkspaceCurrent directory containing complytime.yaml. Defines which registry, policies, and targets to use. Scan output lands in ./.complytime/scan/.
CacheLocal OCI Layout stores under ~/.complytime/policies/. One store per policy ID. state.json tracks digests for incremental sync.
ProvidersStandalone executables in ~/.complytime/providers/ matching the complyctl-provider-* naming convention. Communicate via gRPC (Describe, Generate, Scan). Evaluator ID derived from filename.
CLIOrchestrates the workflow: fetch policies, resolve dependency graphs, dispatch to providers, produce compliance reports.

Documentation#

CLI Commands#

CommandDescription
initCreate a workspace configuration file
getFetch new/modified policies from OCI registry and update cache
listList cached Gemara policies
generateGenerate policy graph and invoke providers
scanScan targets and produce compliance reports
doctorRun pre-flight diagnostics on the workspace
providersList discovered scanning providers and their health status
versionPrint version

Global flag: --debug / -d — output debug logs.

init#

complyctl init

Creates a workspace configuration file (complytime.yaml). When one already exists, validates and runs get automatically.

get#

complyctl get

Performs incremental sync from the OCI registry defined in complytime.yaml. Only downloads new or modified content. Uses Docker credential helpers for authentication — if docker login works, complyctl get works.

list#

complyctl list
complyctl list --policy-id nist-800-53-r5
FlagDescription
--policy-idFilter output to a single policy

generate#

complyctl generate --policy-id nist-800-53-r5
FlagShortDescription
--policy-id-pPolicy ID to generate (required)

Resolves the policy dependency graph from cache, extracts assessment configurations, applies parameter overrides from complytime.yaml, and dispatches to the matching provider via Generate RPC.

scan#

## Scan A Specific Target (policy Inferred If Target Has Exactly One)
complyctl scan prod

## Scan A Specific Target For A Specific Policy
complyctl scan prod --policy-id nist-800-53-r5

## Scan All Targets For A Policy
complyctl scan --policy-id nist-800-53-r5

## With Output Format
complyctl scan prod --format oscal
complyctl scan --policy-id nist-800-53-r5 --format pretty
complyctl scan --policy-id nist-800-53-r5 --format sarif

## Export Evidence To Beacon Collector (with Optional Format Report)
COMPLYTIME_EXPORT_ENABLED=true complyctl scan --policy-id nist-800-53-r5 --format sarif
Argument / FlagShortDescription
[target]Optional target ID to scope the scan (from complytime.yaml)
--policy-id-pPolicy ID to scan (required when no target is given, or target has multiple policies)
--format-fOutput format: oscal, pretty, sarif

When a target is specified and references exactly one policy, --policy-id is inferred. At least one of [target] or --policy-id is required.

Environment VariableDescription
COMPLYTIME_EXPORT_ENABLEDSet to true to export evidence to a Beacon collector after scan. Requires a collector section in complytime.yaml.

Output written to ./.complytime/scan/.

doctor#

complyctl doctor
complyctl doctor --verbose

Validates workspace configuration, provider health, cache integrity, and provider variable requirements. Use --verbose for per-provider variable detail.

providers#

complyctl providers

Lists discovered scanning providers with their evaluator ID, path, health status, and version.

Workspace Configuration#

## Complytime.yaml
policies:
  - url: registry.example.com/policies/nist-800-53-r5@v1.0.0
    id: nist
  - url: registry.example.com/policies/cis-benchmark
variables:
  output_dir: /tmp/scan-results
targets:
  - id: production-cluster
    policies:
      - nist
    variables:
      kubeconfig: /path/to/kubeconfig
      api_token: ${MY_API_TOKEN}
## Collector: # Optional ��� Needed When Complytime_export_enabled Is Set
## Endpoint: "collector.example.com:4317"
## Auth:
## Client-id: "${beacon_client_id}"
## Client-secret: "${beacon_client_secret}"
## Token-endpoint: "https://sso.example.com/realms/comply/protocol/openid-connect/token"
FieldDescription
policies[].urlFull OCI reference (registry + repository + optional @version)
policies[].idOptional shortname; if omitted, derived from last path segment of URL
variablesWorkspace-scoped constants passed to providers via Generate RPC
targets[].idScan target identifier
targets[].policiesList of effective policy IDs to evaluate against this target
targets[].variablesProvider-specific key-value pairs; supports ${VAR} env substitution
collector.endpointBeacon collector OTLP endpoint (host:port)
collector.authOptional OIDC client credentials for collector authentication

Contributing#

Interested in writing a provider? See the Provider Guide.

Edit this page on GitHub
Prev
Overview
Next
Overview