Mequal — Manifest Evaluation & Quality
In policy we trust!
About
Mequal is a project based on the OPA policy engine with the goal of evaluating and validating SBOM manifests, giving feedback and guidance on the quality of a manifest, while also enabling easy custom policy authoring to extend the validation and evaluation criteria for context-specific manifests.
The future goals of this project are:
- Validation and evaluation tooling that can be easily integrated with SBOM manifest generation services.
- Improving the quality of a manifest by generating reports that provide meaningful and actionable feedback and improvement suggestions.
- Easy and extensible policy authoring, so that subject matter expertise can be reflected in the quality assessment of a manifest.
For more information please visit our Project Goals page.
Try It Now!
The easiest way to get started with Mequal and evaluating SBOMs is to use the readily available container, which bundles the policies and runs an evaluation on any SBOM you pass to it.
We have a pre-release container always up-to-date with the latest policies we implement. Just run the command below on any SBOM you’d like (supports CycloneDX and SPDX formats) to test it out:
$ cat sbom.json | podman run -i --rm quay.io/pct-security/mequal:latest
As of right now, Mequal is just a set of SBOM manifest policies that are assessed using OPA from inside of a container, with future improvements related to our project goals coming soon!
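As an added illustration of the kind of custom policy the OPA-based approach allows (a hypothetical example written for this page, not one of Mequal's own policies; the package name, rule names and the CycloneDX fields it inspects are assumptions), here is a small Rego policy that flags CycloneDX components missing a version, package URL or license:

```rego
# Hypothetical SBOM quality policy (example, not part of Mequal).
# Input is a CycloneDX JSON manifest supplied via `opa eval -i`.
package mequal.example

import rego.v1

# Each failed check contributes one message to the `deny` set.

# The manifest must identify itself as CycloneDX.
deny contains msg if {
	object.get(input, "bomFormat", "") != "CycloneDX"
	msg := "manifest is not a CycloneDX document (bomFormat missing or different)"
}

# Every component needs a version; a missing or empty string is a finding.
deny contains msg if {
	some comp in input.components
	object.get(comp, "version", "") == ""
	msg := sprintf("component %q has no version", [comp.name])
}

# Every component needs a package URL so it can be matched to advisories.
deny contains msg if {
	some comp in input.components
	object.get(comp, "purl", "") == ""
	msg := sprintf("component %q has no purl", [comp.name])
}

# Every component should declare at least one license entry.
deny contains msg if {
	some comp in input.components
	count(object.get(comp, "licenses", [])) == 0
	msg := sprintf("component %q declares no license", [comp.name])
}

# The manifest passes when no check produced a finding.
pass if count(deny) == 0
```

Evaluate it against a manifest with `opa eval -i sbom.json -d sbom_quality.rego 'data.mequal.example.deny'`; an empty result set means every check passed.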