Coming Soon — OSCAL output formats are planned but not yet implemented. The examples below show the intended design.
Overview
Corsair will generate OSCAL (Open Security Controls Assessment Language) Assessment Results — the NIST standard for machine-readable security assessment data.
Planned Output Formats
OSCAL output is planned but not yet available in the CLI. When it lands, Corsair will support:
- OSCAL JSON — Machine-readable, NIST SP 800-53A compliant
- HTML report — Self-contained, no external dependencies
- Markdown report — Portable, review-friendly
OSCAL Mapping
| Corsair Concept | OSCAL Element |
|---|---|
| EVIDENCE Findings | Findings (satisfied/not-satisfied) |
| CHART Frameworks | Reviewed Controls (control-selections) |
| QUARTER Governance | Observations (EXAMINE method) |
| MARQUE Attestation | Assessment Results metadata |
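As an added illustration of the mapping above (not Corsair's own exporter, which does not exist yet), the Python below builds a minimal OSCAL 1.1 assessment-results document from a constructed set of findings: findings become `findings` with a satisfied / not-satisfied target status, the controls they cover become `reviewed-controls`, governance evidence becomes `observations` with the EXAMINE method, and the attestation lands in `metadata`. The input field names (`control_id`, `passed`, `source`, `summary`) and the `evidence-source` / `attester` props are assumptions for the example.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample input resembling what a Corsair run could hand to an exporter.
# Field names here are assumptions, not Corsair's real schema.
SAMPLE_FINDINGS = [
    {"control_id": "ac-2", "passed": True, "source": "tool",
     "summary": "Account provisioning workflow reviewed"},
    {"control_id": "ac-6", "passed": False, "source": "self",
     "summary": "Admin role has no least-privilege review on record"},
]
SAMPLE_ATTESTATION = {"title": "Q1 control review", "attester": "secops@example.com"}


def to_oscal(findings, attestation, oscal_version="1.1.2"):
    """Map Corsair concepts onto the OSCAL assessment-results model:
    findings -> results[].findings (satisfied / not-satisfied),
    frameworks -> reviewed-controls.control-selections,
    governance -> observations with method EXAMINE,
    attestation -> assessment-results metadata."""
    now = datetime.now(timezone.utc).isoformat()
    observations, oscal_findings = [], []
    for f in findings:
        obs_uuid = str(uuid.uuid4())
        observations.append({
            "uuid": obs_uuid, "description": f["summary"], "methods": ["EXAMINE"],
            # evidence provenance (self/tool/auditor) travels as an OSCAL prop
            "props": [{"name": "evidence-source", "value": f["source"]}],
            "collected": now,
        })
        oscal_findings.append({
            "uuid": str(uuid.uuid4()), "title": f["summary"], "description": f["summary"],
            "target": {"type": "objective-id", "target-id": f"{f['control_id']}_obj",
                       "status": {"state": "satisfied" if f["passed"] else "not-satisfied"}},
            "related-observations": [{"observation-uuid": obs_uuid}],
        })
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": attestation["title"], "last-modified": now, "version": "1.0",
                     "oscal-version": oscal_version,
                     "props": [{"name": "attester", "value": attestation["attester"]}]},
        "import-ap": {"href": "#assessment-plan-placeholder"},  # required by the model
        "results": [{
            "uuid": str(uuid.uuid4()), "title": attestation["title"],
            "description": "Corsair evidence export", "start": now,
            "reviewed-controls": {"control-selections": [{"include-controls": [
                {"control-id": f["control_id"]} for f in findings]}]},
            "observations": observations, "findings": oscal_findings,
        }],
    }}
```

Each finding keeps a `related-observations` link back to the observation that supports it, which is what lets a GRC platform trace a not-satisfied control to the evidence behind it.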
Report Sections
HTML and Markdown reports include:
- Executive Summary — Assessment overview, provenance, control coverage
- Framework Coverage — Which frameworks mapped, control counts
- Finding Details — Per-finding severity, evidence references, remediation context
- Evidence Chain — Hash chain verification, record count, integrity status
- Provenance Summary — Evidence source (self/tool/auditor) with per-control breakdown
Integration with GRC Platforms
OSCAL JSON output can be ingested by:
- ServiceNow GRC module (via REST API import)
- Archer IRM (via data feed)
- Jira (JSONL evidence to Jira issues via webhook)
- Drata/Vanta (planned Corsair integration)
The OSCAL format ensures Corsair evidence is portable across any platform that supports the NIST standard.