Kensa (検査) - Compliance testing and OSCAL/NIST mapping service
Kensa is Phase 3 of the integrity attestation framework. It runs compliance tests (InSpec, native Rust checks, custom scripts), maps results to OSCAL and NIST 800-53 controls, and produces the compliance hash that combines with the master untested signature to form the final secure signature.
Architecture
Runners (InSpec, Rust checks, Custom) → AssessmentResult
↓
Mapping (OSCAL, NIST 800-53)
↓
ComplianceResult → compliance_hash
↓
Store (persist to JSON) + API (REST, GraphQL)
Compliance Hash
The compliance hash includes:
- Hash of the testing framework binary (verification method attestation)
- Hash of the control catalog (what was tested against)
- Hashes of individual test profile packages
- Hash of the test results themselves
Because the framework binary, the control catalog and the profile packages are all bound into the hash, a compliance hash can only match the expected value when it was produced with known-good, attested verification methods; a verifier checks those component hashes against its attested values rather than trusting the result hash on its own.
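The construction below is an added illustration of the compliance hash described above, written in Python rather than the project's own Rust; it is not Kensa's code and the component tags, the length-prefixed encoding, the sample inputs and the way the compliance hash is combined with the master untested signature are all assumptions made here for the example.

```python
import hashlib
import json

# Constructed sample artefacts (not from Kensa): stand-ins for the four
# things the compliance hash covers.
FRAMEWORK_BINARY = b"\x7fELF-sample-kensa-runner-bytes"
CONTROL_CATALOG = b'{"catalog":"NIST SP 800-53 sample","controls":["AC-2","AU-2"]}'
PROFILE_PACKAGES = [b"sample-profile-linux-baseline", b"sample-profile-ssh-hardening"]
TEST_RESULTS = {"AU-2": "fail", "AC-2": "pass"}

# Hypothetical allowlist of attested framework binary digests a verifier holds.
ATTESTED_FRAMEWORKS = {hashlib.sha256(FRAMEWORK_BINARY).hexdigest()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def component(tag: bytes, payload: bytes) -> bytes:
    # Domain-separated and length-prefixed, so bytes cannot be shifted between
    # components (e.g. catalog vs. results) to forge an equal digest.
    return tag + len(payload).to_bytes(8, "big") + payload


def canonical_results(results: dict) -> bytes:
    # Sorted keys and fixed separators: the same findings always hash the same.
    return json.dumps(results, sort_keys=True, separators=(",", ":")).encode()


def compliance_hash(framework_bin: bytes, catalog: bytes,
                    profiles: list, results: dict) -> str:
    parts = [
        component(b"framework:", sha256_hex(framework_bin).encode()),
        component(b"catalog:", sha256_hex(catalog).encode()),
    ]
    # One hash per profile package, in the order they were declared.
    for pkg in profiles:
        parts.append(component(b"profile:", sha256_hex(pkg).encode()))
    parts.append(component(b"results:", sha256_hex(canonical_results(results)).encode()))
    return sha256_hex(b"".join(parts))


def verification_method_attested(framework_bin: bytes, allowlist: set) -> bool:
    # A verifier compares the framework digest against attested values;
    # the compliance hash alone does not prove the framework was known-good.
    return sha256_hex(framework_bin) in allowlist


def final_signature(master_untested: str, comp_hash: str) -> str:
    # Assumed combination of the master untested signature with the
    # compliance hash; the project's real construction is not on the page.
    return sha256_hex(component(b"untested:", master_untested.encode())
                      + component(b"compliance:", comp_hash.encode()))


if __name__ == "__main__":
    h = compliance_hash(FRAMEWORK_BINARY, CONTROL_CATALOG, PROFILE_PACKAGES, TEST_RESULTS)
    print("compliance_hash:", h)
    print("framework attested:", verification_method_attested(FRAMEWORK_BINARY, ATTESTED_FRAMEWORKS))
    print("final signature:", final_signature("sample-master-untested-signature", h))
```

Running a modified runner binary, or the same runner against a different catalog, yields a different compliance hash, and a verifier that holds the attested framework and catalog digests rejects it before it ever reaches the final signature.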