Ruleset Management Guide

Rulesets are versioned catalog snapshots that define what requirements a product is assessed against. The built-in default ruleset contains all 401 requirements from resources/structure.md. Organizations can create custom rulesets to add, remove, or modify requirements.

The default ruleset (cra-default-v1) ships with the scanner binary, compiled from resources/structure.md. It contains:

  • 13 categories
  • 54 features
  • 163 risks
  • 401 requirements (56 Auto, 150 Semi, 187 Doc, 8 Test)

To create a custom ruleset, export the default catalog, edit it (add, remove, or modify requirements), and post the result as a new ruleset:

```sh
curl -s /api/v1/assessment/rulesets | jq '.[0].catalog_json' > base-catalog.json
curl -X POST /api/v1/assessment/rulesets \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "my-org-custom",
    "version": "1.0.0",
    "description": "Custom ruleset with additional internal requirements",
    "catalog_json": <modified base-catalog.json>
  }'
```

A ruleset moves through three states:

```
Draft ──▶ Published ──▶ Archived
  │            ▲
  └── edit freely; a changed Published ruleset re-enters as a new Draft version ──┘
```

  • Draft: Editable. Not yet assigned to products.
  • Published: Immutable. Can be assigned to products. Evidence collected under this version remains valid.
  • Archived: No longer assignable. Existing assignments remain.

Rulesets use semantic versioning. When you need to change a published ruleset:

  1. Create a new version (e.g., 1.0.0 -> 1.1.0)
  2. Edit the draft
  3. Publish the new version
  4. Update product assignments
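The curl calls above show the request shape but not how the catalog edit itself is done. The following is an added example (not part of this guide or the scanner's own tooling) that takes a base catalog, appends an organization-specific requirement, bumps the semantic version, and builds the body for `POST /api/v1/assessment/rulesets`. The nested catalog shape (categories, features, risks, requirements with a `type` of Auto, Semi, Doc, or Test), the requirement ids, the `BASE_URL`, and the choice to embed `catalog_json` as an object rather than a string are all assumptions for illustration; the constructed miniature catalog stands in for the 401-requirement default.

```python
"""Build and submit a custom ruleset from a base catalog (added example)."""
import copy
import json
import re
import urllib.request

# Constructed stand-in for the default catalog; the real catalog_json may differ in shape.
BASE_CATALOG = {
    "id": "cra-default-v1",
    "categories": [{
        "name": "Secure Update",
        "features": [{
            "name": "Update Integrity",
            "risks": [{
                "name": "Tampered update package",
                "requirements": [
                    {"id": "REQ-0001", "type": "Auto", "text": "Update packages are signed."},
                    {"id": "REQ-0002", "type": "Doc", "text": "Signing key custody is documented."},
                ],
            }],
        }],
    }],
}

REQUIREMENT_TYPES = {"Auto", "Semi", "Doc", "Test"}
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def bump_version(version: str, part: str = "minor") -> str:
    """Return the next semantic version (default: minor bump, e.g. 1.0.0 -> 1.1.0)."""
    m = SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if part == "major":
        return f"{major + 1}.0.0"
    if part == "minor":
        return f"{major}.{minor + 1}.0"
    if part == "patch":
        return f"{major}.{minor}.{patch + 1}"
    raise ValueError(f"unknown version part: {part!r}")


def iter_requirements(catalog):
    """Yield every requirement in the catalog, walking category > feature > risk."""
    for category in catalog["categories"]:
        for feature in category["features"]:
            for risk in feature["risks"]:
                yield from risk["requirements"]


def count_by_type(catalog):
    """Requirement counts per type, the same breakdown the guide gives for the default."""
    counts = {}
    for req in iter_requirements(catalog):
        counts[req["type"]] = counts.get(req["type"], 0) + 1
    return counts


def add_requirement(catalog, category, feature, risk, requirement):
    """Return a deep copy of catalog with `requirement` appended under the given path.

    The base catalog is never mutated, duplicate ids are rejected so a custom
    requirement cannot silently shadow a default one, and the type must be valid.
    """
    if requirement["type"] not in REQUIREMENT_TYPES:
        raise ValueError(f"invalid requirement type: {requirement['type']!r}")
    if requirement["id"] in {r["id"] for r in iter_requirements(catalog)}:
        raise ValueError(f"duplicate requirement id: {requirement['id']}")
    new = copy.deepcopy(catalog)
    for cat in new["categories"]:
        if cat["name"] != category:
            continue
        for feat in cat["features"]:
            if feat["name"] != feature:
                continue
            for r in feat["risks"]:
                if r["name"] == risk:
                    r["requirements"].append(dict(requirement))
                    return new
    raise KeyError(f"catalog path not found: {category} / {feature} / {risk}")


def remove_requirement(catalog, req_id):
    """Return a deep copy of catalog with the requirement `req_id` removed."""
    new = copy.deepcopy(catalog)
    for category in new["categories"]:
        for feature in category["features"]:
            for risk in feature["risks"]:
                risk["requirements"] = [r for r in risk["requirements"] if r["id"] != req_id]
    return new


def build_ruleset_payload(name, version, description, catalog):
    """Body for POST /api/v1/assessment/rulesets, mirroring the guide's curl call."""
    return {"name": name, "version": version, "description": description, "catalog_json": catalog}


def submit_ruleset(base_url, payload):
    """POST the payload to the rulesets endpoint; base_url is an assumption (e.g. http://localhost:8080)."""
    req = urllib.request.Request(
        base_url + "/api/v1/assessment/rulesets",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    custom = add_requirement(
        BASE_CATALOG, "Secure Update", "Update Integrity", "Tampered update package",
        {"id": "ORG-0001", "type": "Semi", "text": "Update signing keys are held in the corporate HSM."},
    )
    payload = build_ruleset_payload("my-org-custom", bump_version("1.0.0"),
                                    "Custom ruleset with additional internal requirements", custom)
    print(json.dumps(payload, indent=2))  # pipe into curl, or call submit_ruleset(BASE_URL, payload)
```

Because a published ruleset is immutable, the same functions serve the versioning workflow: take the published catalog, apply `add_requirement` or `remove_requirement`, call `bump_version` on the published version string, and submit the result as the new draft.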

Each assessed product pins to a specific ruleset version:

```sh
curl -X POST /api/v1/assessment/products \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "my-product",
    "ruleset_id": "<ruleset-uuid>"
  }'
```

Changing a product’s ruleset does not invalidate existing evidence — it changes what future scans assess against.

Even with a shared ruleset, individual requirements can be overridden per product:

  • Not Applicable: `POST /products/{id}/overrides` with `override_type: false_positive`
  • Accepted Risk: `POST /products/{id}/overrides` with `override_type: accepted_risk`

These overrides are product-scoped, not ruleset-scoped.