Struct SecurityPolicyControl 

pub struct SecurityPolicyControl;

Validates that a security policy (SECURITY.md) exists with a responsible disclosure process.

Maps to SOC2 CC7.3 / CC7.4: incident response communication. ASPM signal — a published security policy enables external reporters to disclose vulnerabilities responsibly, reducing exposure window.

Note: In enterprise settings (SOC2 preset), this control’s violations are treated as “review” rather than “fail” because enterprises typically maintain disclosure processes in internal portals, not repo-level files. In OSS (OSS preset), this is strict — SECURITY.md is the primary channel.

Trait Implementations

impl Control for SecurityPolicyControl

fn id(&self) -> ControlId

Returns the unique identifier for this control.

fn description(&self) -> &'static str

Human-readable description for SARIF rule output.

fn evaluate(&self, evidence: &EvidenceBundle) -> Vec<ControlFinding>

Evaluates the evidence bundle and returns one finding per subject.

fn tsc_criteria(&self) -> &'static [&'static str]

SOC2 Trust Services Criteria this control maps to (e.g., &[“CC6.1”, “CC8.1”]). Returns empty slice for controls not mapped to SOC2.