HDF Schemas

Appearance

HDF Comparison

Structured comparison between two or more HDF security assessment documents. Supports temporal, baseline, fleet, and multi-source comparison modes.

Versionv3.1.0
$idhttps://mitre.github.io/hdf-libs/schemas/hdf-comparison/v3.1.0
Downloadhdf-comparison.schema.json

Properties

FieldTypeRequiredDescription
formatVersion"1.0.0"yesSchema version for this comparison format.
comparisonModeComparison_ModeyesThe mode of comparison being performed.
timestampstring (date-time)noWhen this comparison was performed.
generatorGeneratornoInformation about the tool that generated this comparison.
sourcesSource[]yesThe source documents being compared. At least two sources are required.
matchingMatching_ConfignoConfiguration for how requirements were matched across sources.
summaryComparison_SummaryyesSummary statistics for the overall comparison.
baselineDiffsBaseline_Diff[]noComparison of baselines between sources.
requirementDiffsRequirement_Diff[]yesDetailed comparison of individual requirements between sources.
componentDiffsComponent_Diff[]noComparison of components between two system documents. Used in systemDrift mode.
packageDiffsPackage_Diff[]noComparison of packages between two SBOMs. Used in systemDrift mode for SBOM comparison.
systemRefstring (uri-reference)noURI identifying the system being compared in systemDrift mode.
driftRequirement_Diff[]noExternal/metadata changes separate from status changes (Terraform pattern).
annotationsMap<string, Annotation>noMap of annotation IDs to annotation objects, providing context or action items for requirement diffs.
integrityIntegritynoCryptographic integrity information for verifying this comparison document.
extensionsMap<string, any>noReserved for tool-specific data not defined in the HDF standard.

Embedded Primitives

These types are embedded from shared primitive schemas.

https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.1.0

Evaluated_Baseline

Information on a baseline that was evaluated, including any findings.

FieldTypeRequiredDescription
dependsDependency[]noThe set of dependencies this baseline depends on.
parentBaselinestringnoThe name of the parent baseline if this is a dependency of another.
descriptionstringnoThe description - should be more detailed than the summary.
integrityIntegritynoCryptographic integrity information for verifying this baseline has not been tampered with.
originalChecksumChecksumnoSHA-256 checksum of the original baseline definition file (before execution). This is an immutable reference to the baseline as defined, used to detect tampering with baseline requirements or metadata.
resultsChecksumChecksumnoSHA-256 checksum of the raw results before any amendments (statusOverrides or POAMs). Used to detect tampering with test results. Compare with currentChecksum to verify amendment integrity.
statusMessagestringnoAn explanation of the baseline status. Example: why it was skipped, failed to load, or any other status details.
requirementsEvaluated_Requirement[]yesThe set of requirements including any findings. A baseline must have at least one requirement.
groupsRequirement_Group[]noA set of descriptions for the requirement groups.
inputsInput[]noTyped inputs used to parameterize this baseline at execution time. See the Input primitive for the full schema.
extensionsMap<string, any>noReserved for tool-specific baseline metadata not defined in the HDF standard.

Evaluated_Requirement

A requirement that has been evaluated, including any findings.

FieldTypeRequiredDescription
descriptionsRequirement_Description[]yesArray of labeled descriptions. At least one description with label 'default' must be present. Convention: place default description first. Common labels: 'default', 'check', 'fix', 'rationale'.
severitySeveritynoExplicit severity rating. Typically derived from impact score but provided explicitly for clarity.
sourceLocationSource_LocationnoThe explicit location of the requirement within the source code.
resultsRequirement_Result[]yesThe set of all tests within the requirement and their results.
statusOverridesStatus_Override[]noChronological history of all overrides applied to this requirement. Overrides are intentional changes to the compliance status and/or impact score (waivers, attestations, false positives, risk adjustments). Most recent override should be first in array. Preserves full audit trail.
poamsPOAM[]noPlan of Action and Milestones for tracking remediation, mitigation, or risk acceptance. POAMs do NOT change effectiveStatus - they track the work being done to address a failure. Separate from statusOverrides which DO change status.
effectiveStatusResult_StatusnoThe current effective compliance status of this requirement after applying the most recent non-expired override with a status field, or computed from results (worst-wins) if no status-bearing overrides exist.
effectiveImpactnumbernoThe current effective impact score (0.0–1.0) after applying the most recent non-expired override with an impact field. Absent when no impact overrides apply; consumers should use the requirement's impact field in that case.
dispositionOverride_TypenoThe type of the most recent non-expired override governing this requirement. Indicates why the requirement is in its current state (e.g., waiver, falsePositive, riskAdjustment). Absent when no overrides apply.
evidenceEvidence[]noSupporting evidence for this requirement's findings, such as screenshots, code samples, or log excerpts.
Example
json
{
  "$comment": "Passing requirement — no overrides, no disposition",
  "id": "SV-230222",
  "title": "RHEL 9 must use SSH protocol version 2",
  "impact": 0.7,
  "tags": {
    "nist": [
      "SC-8"
    ]
  },
  "descriptions": [
    {
      "label": "default",
      "data": "SSH must use protocol version 2."
    }
  ],
  "results": [
    {
      "status": "passed",
      "codeDesc": "sshd_config Protocol is expected to eq 2",
      "startTime": "2026-01-15T10:00:00Z"
    }
  ],
  "effectiveStatus": "passed"
}

amendments/v3.1.0

Override_Type

The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam': remediation tracked (no status change). 'inherited': control provided by another component or system. 'falsePositive': scanner incorrectly identified a finding — for compliance scans (STIG, CIS), the check actually passes, so status is typically set to 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to this system, so status is typically set to 'notApplicable'. The disposition field on the requirement distinguishes false positives from genuinely not-applicable findings. 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk Adjustment); does not change pass/fail status, only impact via the impact field. 'operationalRequirement': deviation required by operational constraints (FedRAMP Operational Requirement); the finding cannot be remediated because the system requires the affected functionality. Remains an open risk.

Impact_Override

An override to the requirement's impact score. The prior impact is the original result value or the preceding override in the chain.

FieldTypeRequiredDescription
valuenumberyesThe overridden impact score (0.0–1.0).

Standalone_Override

A standalone amendment that modifies a requirement's compliance status and/or impact score. At least one of status or impact must be set. Extends the inline Override concept with requirementId and baselineRef for use outside of results documents.

FieldTypeRequiredDescription
typeOverride_TypeyesThe type of amendment.
requirementIdstringyesThe ID of the requirement being amended. Must match a requirement ID in the referenced baseline.
baselineRefstringnoName of the baseline containing the requirement. Required when the system has multiple baselines with potentially overlapping requirement IDs.
statusResult_StatusnoThe new status this amendment sets. Optional when only impact is being overridden.
impactImpact_OverridenoOverride to the requirement's impact score. At least one of status or impact must be set.
reasonstringyesJustification for this amendment.
appliedByIdentityyesIdentity of who applied this amendment.
appliedAtstring (date-time)yesWhen this amendment was applied. ISO 8601 format.
expiresAtstring (date-time)yesWhen this amendment expires and must be reviewed. No permanent amendments. ISO 8601 format.
evidenceEvidence[]noSupporting evidence (screenshots, logs, URLs, documents).
signatureSignaturenoDigital signature for non-repudiation.
previousChecksumChecksumnoChecksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null for the first amendment.
milestonesMilestone[]noRemediation milestones (primarily for POA&M type amendments).
inheritedFromstring (uuid)nocomponentId of the local component that provides this control. Set when the provider is in the same system. Omit for external or cross-system providers; the reason field explains the source. Primarily used with type 'inherited'.
componentRefstring (uuid)nocomponentId of the component this amendment is scoped to. When set, the amendment only applies to the specified component. When omitted, the amendment applies system-wide.
Example
json
{
  "type": "waiver",
  "requirementId": "SV-257777",
  "baselineRef": "RHEL9-STIG",
  "status": "passed",
  "reason": "Compensating control: session timeout set to 15 min",
  "appliedBy": {
    "type": "email",
    "identifier": "ao@agency.gov"
  },
  "appliedAt": "2026-01-15T10:00:00Z",
  "expiresAt": "2026-06-30T00:00:00Z",
  "evidence": [
    {
      "type": "url",
      "data": "https://jira.agency.gov/CYBER-4521",
      "description": "ISSM approval with compensating control documentation"
    }
  ]
}

common/v3.1.0

Hash_Algorithm

Supported cryptographic hash algorithms for checksums and integrity verification.

Requirement_Group

Describes a group of requirements, such as those defined in a single file.

FieldTypeRequiredDescription
idstringyesThe unique identifier for the group. Example: the relative path to the file specifying the requirements.
titlestringnoThe title of the group - should be human readable.
requirementsstring[]yesThe set of requirements as specified by their ids in this group. Example: 'SV-238196'.

Dependency

A dependency for a baseline. Can include relative paths or URLs for where to find the dependency.

FieldTypeRequiredDescription
namestringnoThe name or assigned alias.
urlstring (uri-reference)noThe address of the dependency.
branchstringnoThe branch name for a git repo.
pathstringnoThe relative path if the dependency is locally available.
statusMessagestringnoThe reason for the status if it is 'failed' or 'skipped'.
statusstringnoThe status. Should be: 'loaded', 'failed', or 'skipped'.
gitstring (uri)noThe location of the git repo. Example: 'https://github.com/my-org/ubuntu-22.04-stig-baseline.git'.
supermarketstringnoThe 'user/profilename' attribute for a Supermarket server.
compliancestringnoThe 'user/profilename' attribute for an Automate server.
Example
json
{
  "name": "ubuntu-22.04-baseline",
  "url": "https://github.com/my-org/ubuntu-22.04-stig-baseline",
  "git": "https://github.com/my-org/ubuntu-22.04-stig-baseline.git",
  "branch": "main",
  "status": "loaded"
}

Reference

A reference to an external document.

Source_Location

The explicit location of a requirement within source code.

FieldTypeRequiredDescription
refstringnoPath to the file that this requirement originates from.
linenumbernoThe line on which this requirement is located.
Example
json
{
  "ref": "controls/SV-260476.rb",
  "line": 1
}

Supported_Platform

A supported platform target. Example: the platform name being 'ubuntu'.

FieldTypeRequiredDescription
platformFamilystringnoThe platform family. Example: 'redhat'.
platformNamestringnoThe platform name - can include wildcards. Example: 'debian'.
platformstringnoThe location of the platform. Can be: 'os', 'aws', 'azure', or 'gcp'.
releasestringnoThe release of the platform. Example: '20.04' for 'ubuntu'.

Checksum

Cryptographic checksum for baseline integrity verification.

FieldTypeRequiredDescription
algorithmHash_AlgorithmyesThe hash algorithm used for the checksum.
valuestringyesThe checksum value.
Example
json
{
  "algorithm": "sha256",
  "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}

Identity

Represents an identity that performed an action, such as capturing evidence or applying an override.

FieldTypeRequiredDescription
identifierstringyesThe identifier value. Example: 'user@example.com', 'jdoe', 'automated-scanner-01'.
type"email" | "username" | "system" | "simple" | "other"yesThe type of identifier. Use 'email' for email addresses, 'username' for user accounts, 'system' for automated systems, 'simple' for basic string identifiers without additional classification, or 'other' for custom identity systems.
descriptionstringnoOptional description of the identity or identity system, particularly useful when type is 'other'.
Example
json
{
  "type": "email",
  "identifier": "admin@example.com"
}

Evidence

Supporting evidence for a finding or override, such as screenshots, code samples, log excerpts, or URLs.

FieldTypeRequiredDescription
type"screenshot" | "code" | "log" | "url" | "file" | "other"yesThe type of evidence being provided.
datastringyesThe evidence content. For screenshots/files: base64-encoded data or URL. For code/logs: the raw text. For URLs: the URL string.
descriptionstringnoHuman-readable description of what this evidence shows.
mimeTypestringnoMIME type of the evidence. Example: 'image/png', 'text/plain', 'application/json'.
encodingstringnoEncoding used for the data. Example: 'base64', 'utf-8'.
sizenumbernoSize of the evidence data in bytes.
capturedAtstring (date-time)noTimestamp when this evidence was captured. ISO 8601 format.
capturedByIdentitynoIdentity of who or what captured this evidence.
Example
json
{
  "type": "screenshot",
  "data": "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==",
  "description": "Screenshot showing firewall configuration with required ports blocked",
  "mimeType": "image/png",
  "encoding": "base64",
  "size": 95,
  "capturedAt": "2025-12-14T10:30:00Z",
  "capturedBy": {
    "identifier": "security-auditor@example.com",
    "type": "email"
  }
}

Remediation

Reference to automated remediation resources for implementing security controls. Points to external automation content like Ansible playbooks, Terraform scripts, or vendor-provided remediation tools.

FieldTypeRequiredDescription
uristring (uri)yesURI pointing to automated remediation resources (Ansible playbooks, Terraform scripts, etc.). Examples: GitHub repository, DISA STIG Supplemental Automation Content, vendor-provided scripts.
checksumChecksumnoOptional cryptographic checksum for verifying the integrity of remediation resources fetched from the URI. Recommended for security when referencing external automation scripts.
Example
json
{
  "uri": "https://github.com/ansible-lockdown/RHEL9-STIG/tree/main/tasks"
}

Verification_Method

Verification method containing the public key needed to verify a digital signature. Supports multiple key formats including JWK (for RSA, EC), PEM, and Base58.

FieldTypeRequiredDescription
typestringyesThe type of verification method. Example: 'JsonWebKey2020', 'RsaVerificationKey2018', 'Ed25519VerificationKey2020'.
controllerstringyesThe entity that controls this verification method. Can be a DID, URI, or other identifier.
publicKeyJwkMap<string, any>noPublic key in JSON Web Key format.
publicKeyPemstringnoPublic key in PEM format. Example: '-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----'.
publicKeyBase58stringnoPublic key in Base58 format, commonly used with Ed25519 keys.

Milestone

A milestone or task within a POA&M remediation plan.

FieldTypeRequiredDescription
descriptionstringyesDescription of this milestone or task.
estimatedCompletionstring (date-time)yesEstimated completion date. ISO 8601 format.
status"pending" | "inProgress" | "completed"yesCurrent status of this milestone.
completedAtstring (date-time)noActual completion timestamp. ISO 8601 format.
completedByIdentitynoIdentity of who completed this milestone.

Signature

A digital signature following W3C Data Integrity Proofs pattern. Supports hardware security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other cryptographic signing methods via JWK, PEM, or Base58 key formats.

FieldTypeRequiredDescription
typestringyesThe signature suite type. Example: 'JsonWebSignature2020', 'RsaSignature2018', 'Ed25519Signature2020'.
createdstring (date-time)yesWhen the signature was created. ISO 8601 format.
creatorIdentityyesThe identity that created this signature.
signatureValuestringyesThe base64-encoded or base58-encoded signature value.
proofPurposestringyesThe purpose of this signature. Example: 'attestation', 'authentication', 'assertionMethod'.
verificationMethodVerification_MethodyesThe verification method containing the public key for signature verification.
noncestringnoRandom value to prevent replay attacks.
challengestringnoChallenge value from the verifier, used in challenge-response authentication.
domainstringnoDomain restriction for the signature, prevents cross-domain replay attacks.
Example
json
{
  "type": "JsonWebSignature2020",
  "created": "2025-12-14T10:00:00Z",
  "creator": {
    "identifier": "security-team@example.com",
    "type": "email"
  },
  "signatureValue": "eyJhbGciOiJSUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..MEYCIQDvKbtLRhWAa",
  "proofPurpose": "attestation",
  "verificationMethod": {
    "type": "JsonWebKey2020",
    "controller": "did:example:123456789abcdefghi",
    "publicKeyJwk": {
      "kty": "RSA",
      "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtV",
      "e": "AQAB"
    }
  }
}

Baseline_Metadata

Shared metadata fields for baselines. Used in both standalone baseline documents and evaluated baseline results.

FieldTypeRequiredDescription
namestringnoThe name - must be unique.
titlestringnoThe title - should be human readable.
maintainerstringnoThe maintainer(s).
copyrightstringnoThe copyright holder(s).
copyrightEmailstringnoThe email address or other contact information of the copyright holder(s).
licensestringnoThe copyright license. Example: 'Apache-2.0'.
summarystringnoThe summary. Example: the Security Technical Implementation Guide (STIG) header.
versionstringnoThe version of the baseline.
supportsSupported_Platform[]noThe set of supported platform targets.
statusstringnoThe status. Example: 'loaded'.
labelsMap<string, string>noOptional key-value labels for flexible grouping. Well-known keys: system, component, environment, region, team. Values must be strings.
Example
json
{
  "name": "rhel-9-stig-baseline",
  "title": "Red Hat Enterprise Linux 9 STIG Baseline",
  "maintainer": "MITRE SAF Team",
  "copyright": "The MITRE Corporation",
  "copyrightEmail": "saf@mitre.org",
  "license": "Apache-2.0",
  "summary": "InSpec baseline for RHEL 9 STIG compliance",
  "version": "1.0.0",
  "supports": [
    {
      "platformName": "redhat",
      "platformFamily": "redhat",
      "release": "9"
    }
  ],
  "status": "loaded"
}

Requirement_Core

Core requirement fields shared between baseline requirements and evaluated requirements. Contains the fundamental requirement definition without assessment results.

FieldTypeRequiredDescription
idstringnoThe requirement identifier. Example: 'SV-238196'.
titlestringnoThe title - is nullable.
descriptionsobject[]noArray of labeled descriptions. At least one description with label 'default' must be present. Convention: place default description first. Common labels: 'default', 'check', 'fix', 'rationale'.
impactnumbernoThe impactfulness or severity (0.0 to 1.0).
refsReference[]noThe set of references to external documents.
tagsMap<string, any>noA set of tags - usually metadata like CCI, STIG ID, severity.
codestringnoThe raw source code of the requirement. Set to null for manual-only requirements or requirements not yet implemented. Note that if this is an overlay, it does not include the underlying source code.
sourceLocationSource_LocationnoThe explicit location of the requirement within the source code.
Example
json
{
  "id": "SV-238196",
  "title": "The Ubuntu operating system must enforce password complexity",
  "impact": 0.5,
  "tags": {
    "nist": [
      "IA-5"
    ],
    "severity": "medium",
    "cci": [
      "CCI-000192"
    ]
  },
  "refs": [
    {
      "url": "https://public.cyber.mil/stigs/"
    }
  ],
  "descriptions": [
    {
      "label": "default",
      "data": "Use of a complex password helps to increase the time and resources required to compromise the password."
    },
    {
      "label": "check",
      "data": "Verify the value of 'minlen' in /etc/security/pwquality.conf."
    }
  ]
}

Severity

Severity rating for a requirement. Typically derived from the numeric impact score.

Cloud_Provider

Cloud service provider identifier.

comparison/v3.1.0

Requirement_State

SARIF-compatible vocabulary extended for security. 'new' = present only in new source, 'absent' = present only in old, 'unchanged' = same effective status, 'updated' = status changed (generic), 'fixed' = was failing now passing, 'regressed' = was passing now failing, 'moved' = reorganized same content, 'split'/'merged' = reserved for v1.1.

Change_Reason

The reason a requirement's state changed between sources.

Comparison_Mode

The mode of comparison. 'temporal' compares the same target over time. 'baseline' compares against a golden reference. 'fleet' compares across multiple systems. 'multiSource' compares outputs from different scanners. 'baselineEvolution' compares two baseline documents to detect requirement changes between versions. 'systemDrift' compares two system documents to detect component-level changes.

Source_Role

The role of a source document in the comparison.

Original_Format

The original format of the source document before conversion to HDF.

Match_Strategy

The strategy used to match requirements across sources. 'exactId' matches by identical IDs. 'mappedId' uses an ID mapping table. 'cciMatch'/'nistMatch' match by framework identifiers. 'fuzzyTitle'/'fuzzyContent' use text similarity.

Conflict_Resolution

How a conflict between multiple scanner results was resolved.

Annotation_Category

The category of an annotation attached to a comparison.

Field_Change

A single field-level change between two versions of a requirement.

FieldTypeRequiredDescription
op"add" | "remove" | "replace"yesThe type of change operation.
pathstringyesJSON Pointer path to the changed field.
oldValueanynoThe previous value of the field (for 'remove' and 'replace' operations).
newValueanynoThe new value of the field (for 'add' and 'replace' operations).

Source

A source document participating in the comparison.

FieldTypeRequiredDescription
roleSource_RoleyesThe role of this source in the comparison.
labelstringyesHuman-readable label for this source. Example: 'Before remediation scan'.
uristring (uri)noURI pointing to the source document.
originalFormatOriginal_FormatnoThe original format of the source document before conversion to HDF.
checksumChecksumnoCryptographic checksum of the source document for integrity verification.
assessmentTimestampstring (date-time)noWhen the source assessment was performed. ISO 8601 format.
toolToolnoThe security tool that produced the assessment data in this source.
componentsComponent[]noThe components assessed in this source.
baselineRefobjectnoReference to the baseline used in this source assessment.

Matching_Config

Configuration for how requirements are matched across sources.

FieldTypeRequiredDescription
primaryStrategyMatch_StrategyyesThe primary strategy used to match requirements across sources.
fallbackStrategiesMatch_Strategy[]noOrdered list of fallback strategies tried when the primary strategy fails to find a match.
minimumConfidencenumbernoMinimum confidence score (0-1) required to accept a match.
mappingTableUristring (uri)noURI pointing to an external mapping table used for ID translation.
fingerprintFieldsstring[]noFields used to compute a fingerprint for fuzzy matching.

State_Counts

Counts of requirements in each state.

FieldTypeRequiredDescription
fixedintegernoNumber of requirements that changed from failing to passing.
regressedintegernoNumber of requirements that changed from passing to failing.
newintegernoNumber of requirements present only in the new source.
absentintegernoNumber of requirements present only in the old source.
unchangedintegernoNumber of requirements with the same effective status.
updatedintegernoNumber of requirements with a generic status change.
movedintegernoNumber of requirements that were reorganized without content change.

Severity_Breakdown

Breakdown of state counts by severity level.

FieldTypeRequiredDescription
criticalState_CountsnoState counts for critical severity requirements.
highState_CountsnoState counts for high severity requirements.
mediumState_CountsnoState counts for medium severity requirements.
lowState_CountsnoState counts for low severity requirements.

Per_Source_Summary

Summary statistics for a single source in a multi-source comparison.

FieldTypeRequiredDescription
sourceIndexintegeryesZero-based index into the sources array identifying which source this summary is for.
labelstringyesHuman-readable label for this source.
fixedintegernoNumber of requirements that changed from failing to passing.
regressedintegernoNumber of requirements that changed from passing to failing.
newintegernoNumber of requirements present only in the new source.
absentintegernoNumber of requirements present only in the old source.
unchangedintegernoNumber of requirements with the same effective status.
updatedintegernoNumber of requirements with a generic status change.
movedintegernoNumber of requirements that were reorganized without content change.

Comparison_Summary

Summary statistics for the overall comparison.

FieldTypeRequiredDescription
totalintegeryesTotal number of unique requirements across all sources.
matchedCountintegeryesNumber of requirements successfully matched between sources.
unmatchedOldCountintegeryesNumber of requirements in the old source with no match in the new source.
unmatchedNewCountintegeryesNumber of requirements in the new source with no match in the old source.
newintegernoNumber of requirements present only in the new source.
absentintegernoNumber of requirements present only in the old source.
unchangedintegernoNumber of requirements with the same effective status.
updatedintegernoNumber of requirements with a generic status change.
fixedintegernoNumber of requirements that changed from failing to passing.
regressedintegernoNumber of requirements that changed from passing to failing.
movedintegernoNumber of requirements that were reorganized without content change.
oldCompliancePercentnumbernoCompliance percentage of the old source (0-100).
newCompliancePercentnumbernoCompliance percentage of the new source (0-100).
complianceDeltanumbernoChange in compliance percentage (new - old).
averageMatchConfidencenumbernoAverage confidence score across all requirement matches (0-1).
bySeveritySeverity_BreakdownnoState counts broken down by severity level.
perSourcePer_Source_Summary[]noSummary statistics for each individual source in a multi-source comparison.

Baseline_Diff

Comparison of a baseline between sources.

FieldTypeRequiredDescription
namestringyesName of the baseline being compared.
state"new" | "absent" | "unchanged" | "updated"yesThe state of this baseline in the comparison.
oldVersionstringnoVersion of the baseline in the old source.
newVersionstringnoVersion of the baseline in the new source.
mappingSourcestringnoThe source of any ID mapping used to correlate requirements across baseline versions.

Component_Diff

Comparison of a single component between two system document versions.

FieldTypeRequiredDescription
namestringyesComponent name used for matching across system versions.
state"new" | "absent" | "unchanged" | "updated"yesThe state of this component in the comparison.
beforeanynoComponent snapshot from the old system document.
afteranynoComponent snapshot from the new system document.
fieldChangesField_Change[]noDetailed field-level changes between the before and after component snapshots.

Package_Diff

Comparison of a single package between two SBOM versions, matched by purl.

FieldTypeRequiredDescription
purlstringyesPackage URL (purl) used as the identity key for matching across SBOMs.
namestringnoHuman-readable package name.
state"added" | "removed" | "updated" | "unchanged"yesThe state of this package: added (new in new SBOM), removed (absent from new SBOM), updated (version changed), unchanged.
oldVersionstringnoPackage version in the old SBOM.
newVersionstringnoPackage version in the new SBOM.
licensesstring[]noLicense identifiers for this package.

Scanner_Conflict

A conflict between scanner results for the same requirement.

FieldTypeRequiredDescription
fieldstringyesThe field where the conflict occurs.
valuesobject[]yesThe conflicting values from each source.
resolvedIndexintegernoIndex of the source whose value was chosen as the resolution.
resolutionConflict_ResolutionnoHow the conflict was resolved.

Annotation

An annotation attached to a comparison, providing context or action items.

FieldTypeRequiredDescription
labelstringyesHuman-readable label for this annotation.
descriptionstringnoDetailed description of the annotation.
categoryAnnotation_CategorynoThe category of this annotation.
needsConfirmationbooleannoWhether this annotation requires human confirmation before acting on it.

Requirement_Diff

A comparison of a single requirement between sources, including state, changes, and full before/after snapshots.

FieldTypeRequiredDescription
idstringyesThe canonical requirement identifier used for this diff.
stateRequirement_StateyesThe state of this requirement in the comparison.
changeReasonsChange_Reason[]yesThe reasons for the state change.
beforeEvaluated_Requirement | nullyesThe requirement as it appeared in the old/reference source. Null when state is 'new'.
afterEvaluated_Requirement | nullyesThe requirement as it appeared in the new source. Null when state is 'absent'.
fieldChangesField_Change[]yesDetailed field-level changes between the before and after versions.
oldIdstringnoThe requirement ID in the old source, if different from the canonical id.
newIdstringnoThe requirement ID in the new source, if different from the canonical id.
titlestringnoThe requirement title for human readability.
oldEffectiveStatusstringnoThe effective status of the requirement in the old source.
newEffectiveStatusstringnoThe effective status of the requirement in the new source.
oldImpactnumbernoThe impact score of the requirement in the old source (0-1).
newImpactnumbernoThe impact score of the requirement in the new source (0-1).
matchStrategyMatch_StrategynoThe strategy that was used to match this requirement across sources.
matchConfidencenumbernoConfidence score for the match (0-1).
matchManualbooleannoWhether the match was manually confirmed by a human.
annotationIdsstring[]noIDs of annotations attached to this requirement diff.
sourceIndexintegernoIndex into the sources array for multi-source comparisons.
conflictsScanner_Conflict[]noConflicts between multiple scanner results for this requirement.
beforeSensitiveMap<string, any>noSensitive data from the old source that should not be included in the main before snapshot.
afterSensitiveMap<string, any>noSensitive data from the new source that should not be included in the main after snapshot.

component/v3.1.0

Base_Component

Base properties shared by all component types. Extends the Target concept with stable identity, external references, and SBOM embedding.

FieldTypeRequiredDescription
typestringyesComponent type discriminator. Same values as Target types.
namestringyesHuman-readable name for this component.
componentIdstring (uuid)noStable UUID (RFC 4122) for this component. Required in hdf-system documents, optional in hdf-results. Enables cross-document correlation, diffing, and data flow references.
descriptionstringnoDescription of this component's role or purpose.
ownerIdentitynoTeam or individual responsible for this component. Enables per-component ownership when different teams manage different parts of a system.
externalIdsMap<string, string>noMap of external identifier scheme to value. Well-known schemes: aws (instance ID), azure (resource ID), cmdb (asset ID), emass (system ID), cve (CVE ID). Custom schemes are allowed.
labelsMap<string, string>noOptional key-value labels for flexible grouping. Well-known keys: system, component, environment, region, team. Values must be strings.
sbomanynoEmbedded CycloneDX or SPDX SBOM document representing this component's software inventory. The sbomFormat field determines which format constraints apply.
sbomRefstring (uri-reference)noURI reference to an external CycloneDX or SPDX SBOM document for this component. May be a relative path, absolute URI, or fragment identifier.
sbomFormat"cyclonedx" | "spdx"noFormat of the SBOM (embedded or referenced). Required when sbom or sbomRef is present.
baselineRefsstring[]noNames of baselines that apply to this component.
inputOverridesInput_Override[]noSystem-specific overrides for baseline input values.
targetSelectorTarget_SelectornoLabel selector to match targets belonging to this component during migration. Targets with matching labels are automatically included.

Component

A system component. Uses discriminated union pattern with 'type' field as discriminator. Superset of Target with identity, external IDs, and SBOM support.

Host_Component

A physical or virtual server, workstation, or network device.

FieldTypeRequiredDescription
type"host"no
fqdnstring (hostname)noFully qualified domain name.
ipAddressstring (ipv4) | string (ipv6)noIP address of the host.
macAddressstringnoMAC address in colon-separated hexadecimal format.
osNamestringnoOperating system name.
osVersionstringnoOperating system version.
Example
json
{
  "type": "host",
  "name": "web-server-prod-01",
  "componentId": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
  "fqdn": "web01.prod.example.com",
  "ipAddress": "10.0.1.50",
  "osName": "Ubuntu",
  "osVersion": "22.04 LTS",
  "externalIds": {
    "cmdb": "ASSET-12345",
    "aws": "i-0abc123def456789"
  }
}

Container_Image_Component

A static container image (not running).

FieldTypeRequiredDescription
type"containerImage"no
imageIdstringnoContainer image ID.
registrystringnoContainer registry. Example: 'docker.io'.
repositorystringnoRepository name. Example: 'library/nginx'.
tagstringnoImage tag. Example: '1.25'.
digeststringnoImage digest for immutable reference.

Container_Instance_Component

A running container instance.

FieldTypeRequiredDescription
type"containerInstance"no
containerIdstringnoRunning container ID.
imagestringnoImage the container was started from.
runtimestringnoContainer runtime. Example: 'docker', 'containerd', 'cri-o'.

Container_Platform_Component

A container orchestration platform (Kubernetes, OpenShift, ECS, etc.).

FieldTypeRequiredDescription
type"containerPlatform"no
platformTypestringnoPlatform type. Example: 'kubernetes', 'openshift', 'ecs', 'docker-swarm'.
clusterNamestringnoCluster name.
namespacestringnoNamespace within the cluster, if applicable.
versionstringnoPlatform version.

Cloud_Account_Component

A cloud provider account (AWS account, Azure subscription, GCP project).

FieldTypeRequiredDescription
type"cloudAccount"no
providerCloud_ProvidernoCloud provider.
accountIdstringnoCloud account identifier.
regionstringnoCloud region, if applicable.
Example
json
{
  "type": "cloudAccount",
  "name": "Production AWS Account",
  "componentId": "f1e2d3c4-b5a6-4978-8069-1a2b3c4d5e6f",
  "provider": "aws",
  "accountId": "123456789012",
  "region": "us-east-1"
}

Cloud_Resource_Component

A specific cloud resource (EC2 instance, S3 bucket, Azure VM, etc.).

FieldTypeRequiredDescription
type"cloudResource"no
providerCloud_ProvidernoCloud provider.
resourceTypestringnoType of cloud resource. Example: 'ec2:instance', 's3:bucket'.
resourceIdstringnoProvider-specific resource identifier.
arnstringnoAmazon Resource Name (AWS only).
regionstringnoCloud region where the resource resides.

Repository_Component

A code repository (for SAST tools).

FieldTypeRequiredDescription
type"repository"no
urlstring (uri)noRepository URL.
branchstringnoBranch that was scanned.
commitstringnoCommit SHA that was scanned.

Application_Component

A running application or API (for DAST tools).

FieldTypeRequiredDescription
type"application"no
urlstring (uri)noApplication URL (for DAST tools).
versionstringnoApplication version.
environmentstringnoEnvironment. Example: 'production', 'staging', 'development'.

Artifact_Component

A software artifact or dependency (for SCA tools).

FieldTypeRequiredDescription
type"artifact"no
packageManagerstringnoPackage manager. Example: 'npm', 'maven', 'pip', 'nuget'.
packageNamestringnoPackage name.
versionstringnoPackage version.
checksumstringnoPackage checksum for verification.

Network_Component

A network segment or network device.

FieldTypeRequiredDescription
type"network"no
cidrstringnoNetwork CIDR block.
gatewaystringnoNetwork gateway address.

Database_Component

A database instance.

FieldTypeRequiredDescription
type"database"no
enginestringnoDatabase engine. Example: 'postgresql', 'mysql', 'oracle', 'mssql'.
versionstringnoDatabase version.
hoststringnoDatabase host.
portintegernoDatabase port.

extensions/v3.1.0

Status_Override

An intentional change to a requirement's compliance status and/or impact score. At least one of status or impact must be set. Overrides change the effectiveStatus or impact of the requirement. All overrides must have an expiration date to enforce periodic review.

FieldTypeRequiredDescription
typeOverride_TypeyesThe type of override applied to this requirement.
statusResult_StatusnoThe new status this override sets for the requirement. Optional when only impact is being overridden.
impactImpact_OverridenoOverride to the requirement's impact score. At least one of status or impact must be set.
reasonstringyesExplanation for why this override was applied.
appliedByIdentityyesIdentity of who applied this override. For simple cases, use type 'simple' with just an identifier.
appliedAtstring (date-time)yesTimestamp when this override was applied. ISO 8601 format.
expiresAtstring (date-time)yesTimestamp when this override expires and must be reviewed/renewed. REQUIRED - no permanent overrides allowed. ISO 8601 format.
signatureSignaturenoOptional digital signature for enhanced trust and non-repudiation. Supports hardware security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other signing methods.
evidenceEvidence[]noSupporting evidence for this override, such as screenshots demonstrating manual verification for attestations.
previousChecksumChecksumnoSHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement.
Example
json
{
  "type": "waiver",
  "status": "notApplicable",
  "reason": "This control does not apply to containerized environments as the application runs in ephemeral containers without persistent storage",
  "appliedBy": {
    "identifier": "security-team@example.com",
    "type": "email"
  },
  "appliedAt": "2025-12-01T10:00:00Z",
  "expiresAt": "2026-12-01T00:00:00Z"
}

POAM

Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance. POAMs do NOT change the effectiveStatus - the requirement remains in its current state while the POA&M tracks remediation efforts.

FieldTypeRequiredDescription
type"remediation" | "mitigation" | "riskAcceptance" | "vendorDependency"yesThe type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via compensating controls. 'riskAcceptance' documents decision to accept risk. 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
explanationstringyesDetailed explanation of the plan, including what actions will be taken.
appliedByIdentityyesIdentity of who created this POA&M. For simple cases, use type 'simple' with just an identifier.
appliedAtstring (date-time)yesTimestamp when this POA&M was created. ISO 8601 format.
expiresAtstring (date-time)noOptional expiration date for this POA&M requiring review/renewal. ISO 8601 format.
milestonesMilestone[]noOptional array of milestones tracking progress toward completion.
signatureSignaturenoOptional digital signature for enhanced trust and non-repudiation.
evidenceEvidence[]noSupporting evidence for this POA&M, such as documentation of compensating controls or mitigation implementation.
previousChecksumChecksumnoSHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement.
Example
json
{
  "type": "remediation",
  "explanation": "Upgrade OpenSSL to version 3.0.x to address CVE-2024-XXXXX vulnerability. Root cause: outdated dependency version in base image.",
  "appliedBy": {
    "identifier": "devops-team@example.com",
    "type": "email"
  },
  "appliedAt": "2025-12-01T09:00:00Z",
  "milestones": [
    {
      "description": "Update base Docker image to use OpenSSL 3.0.x",
      "estimatedCompletion": "2025-12-15T00:00:00Z",
      "status": "completed",
      "completedAt": "2025-12-10T16:30:00Z",
      "completedBy": {
        "identifier": "alice.smith",
        "type": "username"
      }
    },
    {
      "description": "Deploy updated image to production",
      "estimatedCompletion": "2025-12-20T00:00:00Z",
      "status": "inProgress"
    },
    {
      "description": "Verify vulnerability no longer present via security scan",
      "estimatedCompletion": "2025-12-22T00:00:00Z",
      "status": "pending"
    }
  ]
}

Generator

Information about the tool that generated this HDF file.

FieldTypeRequiredDescription
namestringyesThe name of the software that produced this HDF file. Example: 'gosec-to-hdf'.
versionstringyesThe version of the tool. Example: '5.22.3'.

Tool

The security tool that produced the assessment data represented in this HDF file. Aligns with SARIF, OSCAL, and CycloneDX terminology.

FieldTypeRequiredDescription
namestringnoThe name of the security tool that produced the data. Examples: 'gosec', 'Semgrep', 'OpenSCAP', 'AWS Config', 'Nessus'. Omit if the tool cannot be identified.
versionstringnoVersion of the source tool, if available in the tool's output. Example: '5.22.3'.
formatstringnoThe file format, if it is a recognized named format shared by multiple tools. Examples: 'SARIF', 'XCCDF'. Omit for tool-specific formats where the tool name already implies the format (Nessus XML, gosec JSON).

Integrity

Cryptographic integrity information for verifying the HDF file has not been tampered with. If algorithm is provided, checksum must also be provided, and vice versa.

FieldTypeRequiredDescription
algorithmHash_AlgorithmnoThe hash algorithm used for the checksum.
checksumstringnoThe checksum value.
signaturestringnoOptional cryptographic signature.
signedBystringnoIdentifier of who signed this file.
Example
json
{
  "algorithm": "sha256",
  "checksum": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}

parameter/v3.1.0

Input_Type

The data type of the input value. Aligns with InSpec input types.

Comparison_Operator

Comparison operator for evaluating the input value against observed values. Numeric: eq/ne/lt/le/gt/ge. String: eq/ne/contains/matches. Collection: in/notIn.

Input_Constraints

Validation constraints for an input value.

FieldTypeRequiredDescription
minnumbernoMinimum allowed value (for Numeric inputs).
maxnumbernoMaximum allowed value (for Numeric inputs).
patternstringnoRegular expression pattern the value must match (for String inputs).
allowedValuesany[]noEnumeration of permitted values.

Input

A typed input parameter that bridges governance requirements and scanner automation. Inputs carry expected configuration values with type information, comparison operators, and validation constraints, enabling traceability from policy through to scan results.

FieldTypeRequiredDescription
namestringyesThe input name. Must be unique within a baseline or results document. Example: 'max_concurrent_sessions'.
typeInput_TypenoThe data type of this input.
valueanynoThe input value. Type should match the declared type field. Accepts any JSON value.
descriptionstringnoHuman-readable description of what this input controls.
requiredbooleannoWhether this input must be provided. Defaults to false if omitted.
sensitivebooleannoWhether this input contains sensitive data (passwords, keys). Sensitive values should be redacted in output. Defaults to false if omitted.
operatorComparison_OperatornoThe comparison operator used when evaluating this input against observed values.
constraintsInput_ConstraintsnoValidation constraints for the input value.
Example
json
{
  "name": "max_concurrent_sessions",
  "type": "Numeric",
  "value": 3,
  "description": "Maximum concurrent sessions per user",
  "required": true,
  "sensitive": false,
  "operator": "le",
  "constraints": {
    "min": 1,
    "max": 100
  }
}

result/v3.1.0

Result_Status

The status of an individual test result. 'notApplicable' indicates the requirement does not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g., requires manual verification).

Requirement_Result

A test within a requirement and its results and findings such as how long it took to run.

FieldTypeRequiredDescription
statusResult_StatusyesThe status of this test within the requirement. Example: 'failed'.
codeDescstringyesA description of this test. Example: 'limits.conf * is expected to include ["hard", "maxlogins", "10"]'.
runTimenumbernoThe execution time in seconds for the test.
startTimestring (date-time)yesThe time at which the test started.
resourcestringnoThe resource used in the test. Example: 'file', 'command', 'service'.
resourceIdstringnoThe unique identifier of the resource. Example: '/etc/passwd'.
messagestringnoAn explanation of the test result. Typically provided for failed tests, errors, or to explain why a test was not applicable or not reviewed.
exceptionstringnoThe type of exception if an exception was thrown.
backtracestring[]noThe stacktrace/backtrace of the exception if one occurred.
Example
json
{
  "status": "passed",
  "codeDesc": "File /etc/ssh/sshd_config content is expected to match /Protocol\\s+2/",
  "startTime": "2025-06-15T10:30:00Z",
  "runTime": 0.015
}

Requirement_Description

A labeled description for a requirement, such as fix text or check instructions.

FieldTypeRequiredDescription
labelstringyesThe type of description. Examples: 'fix', 'check', 'rationale'.
datastringyesThe text of the description.
Example
json
{
  "label": "default",
  "data": "Verify the SSH daemon is configured to only use FIPS-validated key exchange algorithms."
}

runner/v3.1.0

Runner

Information about the test execution environment. This is distinct from the target being scanned - the runner is where the security tool executes, while targets are what is being assessed.

FieldTypeRequiredDescription
namestringyesThe name of the runner environment. Examples: 'ubuntu', 'macos', 'windows', 'docker', 'kubernetes-pod', 'manual'.
releasestringnoThe version/release of the operating system or runtime. Example: '20.04', '13.2', '11'.
architecturestringnoThe CPU architecture of the runner system. Example: 'x86_64', 'arm64', 'aarch64'.
hostnamestringnoThe hostname of the runner system. Example: 'ci-runner-01', 'jenkins-agent-03', 'k8s-node-worker-03'.
containerImagestringnoThe container image used for the test execution. Example: 'inspec/inspec:latest', 'ghcr.io/my-org/scanner:v2.1.0'. Useful for CI/CD pipelines where tests run in containers.
containerIdstringnoThe container instance identifier. Example: 'a1b2c3d4e5f6', 'security-scan-job-xyz123'. Can be a Docker container ID, Kubernetes pod name, or other container runtime identifier.
operatorIdentitynoThe identity of the person or system responsible for executing the test. This could be a human auditor manually completing a checklist, an automated CI/CD system, or a security tool. Optional field to support both automated and manual HDF generation.
Example
json
{
  "name": "docker",
  "release": "20.04",
  "architecture": "x86_64",
  "hostname": "github-runner-prod-01",
  "containerImage": "ghcr.io/inspec/inspec:5.22.3",
  "containerId": "security-scan-job-a1b2c3d4",
  "operator": {
    "identifier": "github-actions",
    "type": "system",
    "description": "Automated CI/CD pipeline"
  }
}

statistics/v3.1.0

Statistic_Block

Statistics for a given item, such as the total count.

FieldTypeRequiredDescription
totalintegeryesThe total count. Example: the total number of requirements in a given category for a run.

Statistic_Hash

Statistics for requirement results, grouped by status.

FieldTypeRequiredDescription
passedStatistic_BlocknoStatistics for requirements that passed.
failedStatistic_BlocknoStatistics for requirements that failed.
notApplicableStatistic_BlocknoStatistics for requirements that are not applicable to the target.
notReviewedStatistic_BlocknoStatistics for requirements that were not reviewed (manual check required).
errorStatistic_BlocknoStatistics for requirements that encountered an error during assessment.

Statistics

Statistics for the assessment run(s) such as duration and result counts.

FieldTypeRequiredDescription
durationnumbernoHow long (in seconds) this assessment run took.
requirementsStatistic_HashnoBreakdowns of requirement statistics by result status.

system/v3.1.0

Authorization_Status

Authorization to Operate (ATO) status for the system.

Categorization_Level

FIPS 199 security categorization level (impact level).

Input_Override

An override of a baseline input value for a specific component. Enables system-specific tailoring of baseline parameters.

FieldTypeRequiredDescription
baselineRefstringnoName of the baseline this override applies to. If omitted, applies to all baselines that define this input.
inputNamestringyesName of the input being overridden. Must match an Input.name in the referenced baseline.
valueanyyesThe overridden value. Should match the type of the original input.
justificationstringnoRationale for why this override is needed.
approvedByIdentitynoIdentity of the person or system that approved this override.

Target_Selector

A label selector that matches targets by label key-value pairs. All specified labels must match (AND logic). Example: { "labels.component": "WebTier" } matches targets with labels.component = "WebTier".

Control_Designation

Declares a control's designation within a system — whether it is common (provided by another component or system), system-specific (implemented locally), or hybrid (shared responsibility). Maps to NIST SP 800-53 Appendix C control designations and OSCAL SSP by-component provided/inherited semantics.

FieldTypeRequiredDescription
controlIdstringyesThe control identifier (e.g., 'SC-7', 'AC-2 (1)'). Must match a NIST tag in a baseline requirement's tags.
designation"common" | "system-specific" | "hybrid"yesNIST SP 800-53 control designation. 'common': fully provided by another component or system. 'system-specific': implemented by the inheriting component(s) only. 'hybrid': shared responsibility between provider and inheritor.
providedBystring (uuid)nocomponentId of a local component that provides this control. Omit when the provider is an external system.
systemRefstring (uri-reference)noReference to another hdf-system document whose component provides this control. Use when the provider is in a different system. Omit when the provider is local.
inheritedBystring (uuid)[]nocomponentIds that inherit this control. If omitted, all components in the system inherit it.
descriptionstringyesJustification for this designation — who provides the control, why it's inherited, and any relevant authorization references.
Example
json
{
  "controlId": "IA-2",
  "designation": "common",
  "providedBy": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "inheritedBy": [
    "11111111-2222-3333-4444-555555555555"
  ],
  "description": "User identification and authentication provided by Keycloak SSO via SAML 2.0."
}

Released under the Apache 2.0 License.

Copyright © 2026 MITRE Corporation