A lightweight compliance runtime that pulls Gemara policies from an OCI registry and executes scans via providers.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Host β
β β
β ββββββββββββββββ complyctl get βββββββββββββββββββββββββ β
β β OCI Registry β βββββββββββββββββββ β β β
β β β ββββββββββββββββββββΊβ complyctl CLI β β
β β Gemara β catalog + policy β β β
β β policies β layers (YAML) β init / get / list β β
β ββββββββββββββββ β generate / scan β β
β β doctor / providers β β
β β version β β
β βββββββ¬βββββββββ¬βββββββββ β
β β β β
β ββββββββββββββ β β
β β β β
β βΌ βΌ β
β ββββββββββββββββ ββββββββββββββββββ β
β β Cache β β Providers β β
β β β β β β
β β ~/.complytimeβ β ~/.complytime/ β β
β β /policies/ β β providers/ β β
β β state.json β β β β
β β β β complyctl- β β
β β OCI Layout β β provider-* β β
β β per policy β β β β
β ββββββββββββββββ β gRPC: Describe β β
β β Generate, Scan β β
β ββββββββββββββββ ββββββββββββββββββ β
β β Workspace β β
β β β .complytime/complytime.yaml defines: β
β β .complytime/ β - registry URL β
β β complytime β - policy IDs + versions β
β β .yaml β - targets + variables β
β β scan/ β β
β β (output) β Scan output (EvaluationLog, OSCAL, β
β ββββββββββββββββ SARIF, Markdown) written to workspace β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Components:
| Component | Description |
|---|---|
| OCI Registry | Remote store for Gemara policies. Supports two OCI manifest layouts: split-layer (distinct media types per artifact) and Gemara bundle format (single artifact media type with annotation-based differentiation). Both formats are auto-detected and resolved transparently. |
| Workspace | Resolved workspace directory containing .complytime/complytime.yaml (or legacy complytime.yaml at root). Configurable via --workspace flag or COMPLYTIME_WORKSPACE env var. Defines which registry, policies, and targets to use. Scan output lands in .complytime/scan/. |
| Cache | Local OCI Layout stores under ~/.complytime/policies/. One store per policy ID. state.json tracks digests for incremental sync. |
| Providers | Standalone executables in ~/.complytime/providers/ matching the complyctl-provider-* naming convention. Communicate via gRPC (Describe, Generate, Scan). Evaluator ID derived from filename. |
| CLI | Orchestrates the workflow: fetch policies, resolve dependency graphs, dispatch to providers, produce compliance reports. |
| Command | Description |
|---|---|
init |
Create a workspace configuration file |
get |
Fetch new/modified policies from OCI registry and update cache |
list |
List cached Gemara policies |
generate |
Generate policy graph and invoke providers |
scan |
Scan targets and produce compliance reports |
doctor |
Run pre-flight diagnostics on the workspace |
providers |
List discovered scanning providers and their health status |
version |
Print version |
Global flags:
--debug/-dβ output debug logs--workspace/-wβ workspace directory (project root containing.complytime/, defaults to current directory)
Use the --workspace flag to run commands from any directory:
# Run from a different directory
complyctl scan --workspace ~/projects/myapp
# Using relative path
complyctl scan --workspace ../myapp
# Using environment variable
export COMPLYTIME_WORKSPACE=~/projects/myapp
complyctl scancomplyctl organizes all workspace-specific files under .complytime/ to keep your repository root clean and avoid configuration conflicts.
.complytime/complytime.yaml- Configuration file (policies, targets, variables).complytime/scan/- Scan output reports.complytime/complyctl.log- Debug log file.complytime/generation/- Generation state (per-policy freshness tracking)
Note: For backward compatibility, complyctl still supports complytime.yaml at the repository root, but this location is deprecated. Move your config to .complytime/complytime.yaml:
mkdir -p .complytime
mv complytime.yaml .complytime/complytime.yamlcomplyctl initCreates a workspace configuration file (.complytime/complytime.yaml). Errors if one already exists.
complyctl getPerforms incremental sync from the OCI registry defined in complytime.yaml. Only downloads new or modified content. Uses Docker credential helpers for authentication β if docker login works, complyctl get works.
complyctl list
complyctl list --policy-id nist-800-53-r5| Flag | Description |
|---|---|
--policy-id |
Filter output to a single policy |
complyctl generate --policy-id nist-800-53-r5| Flag | Short | Description |
|---|---|---|
--policy-id |
-p |
Policy ID to generate (required) |
Resolves the policy dependency graph from cache, extracts assessment configurations, applies parameter overrides from complytime.yaml, and dispatches to the matching provider via Generate RPC.
# Scan a specific target (policy inferred if target has exactly one)
complyctl scan prod
# Scan a specific target for a specific policy
complyctl scan prod --policy-id nist-800-53-r5
# Scan all targets for a policy
complyctl scan --policy-id nist-800-53-r5
# With output format
complyctl scan prod --format oscal
complyctl scan --policy-id nist-800-53-r5 --format pretty
complyctl scan --policy-id nist-800-53-r5 --format sarif
| Argument / Flag | Short | Description |
|---|---|---|
[target] |
Optional target ID to scope the scan (from complytime.yaml) |
|
--policy-id |
-p |
Policy ID to scan (required when no target is given, or target has multiple policies) |
--format |
-f |
Output format: oscal, pretty, sarif |
When a target is specified and references exactly one policy, --policy-id is inferred.
At least one of [target] or --policy-id is required.
Output written to ./.complytime/scan/.
| Exit Code | Meaning |
|---|---|
0 |
Scan completed -- all targets evaluated (findings, if any, are in the report) |
| non-zero | Operational error -- one or more targets could not be evaluated, or zero requirements assessed (partial results written before exit) |
Policy violations (failed requirements) do not cause a non-zero exit. Operational errors (missing tools, clone failures, auth errors, zero requirements assessed) do.
complyctl doctor
complyctl doctor --verboseValidates workspace configuration, provider health, cache integrity, and provider variable requirements. Use --verbose for per-provider variable detail.
complyctl providersLists discovered scanning providers with their evaluator ID, path, health status, and version.
# .complytime/complytime.yaml
policies:
- url: registry.example.com/policies/nist-800-53-r5:v1.0.0
id: nist
- url: registry.example.com/policies/cis-benchmark
variables:
output_dir: /tmp/scan-results
targets:
- id: production-cluster
policies:
- nist
variables:
kubeconfig: /path/to/kubeconfig
api_token: ${MY_API_TOKEN}| Field | Description |
|---|---|
policies[].url |
Full OCI reference (registry + repository + optional :tag) |
policies[].id |
Optional shortname; if omitted, derived from last path segment of URL |
variables |
Workspace-scoped constants passed to providers via Generate RPC |
targets[].id |
Scan target identifier |
targets[].policies |
List of effective policy IDs to evaluate against this target |
targets[].variables |
Provider-specific key-value pairs; supports ${VAR} env substitution |
Interested in writing a provider? See the Provider Guide.