MergeGuide can export your compliance evidence in NIST OSCAL (Open Security Controls Assessment Language) format, the machine-readable standard auditors and GRC tools increasingly expect. You assess your code in MergeGuide and hand your auditor structured evidence instead of screenshots. MergeGuide exports OSCAL v1.1.2.

What you can export

MergeGuide generates the following OSCAL document types:
Document                              What it contains
Component Definition                  The controls a component implements and how.
Assessment Results                    The outcome of assessing your code against the controls.
Plan of Action & Milestones (POA&M)   Open items and the plan to remediate them.
Catalog                               The control catalog for a selected framework.
This page lists only the OSCAL document types that currently ship. Additional document types may be added over time.

Export from the dashboard

  1. Open Compliance in the dashboard.
  2. Choose the framework and the OSCAL document type you need.
  3. Generate and download the OSCAL file.

Verify exported evidence

MergeGuide evidence artifacts are signed. You can verify an artifact with the CLI:
mergeguide verify-evidence ./evidence.json
The command exits 0 if the artifact is valid, 1 if it’s been tampered with, 2 if it’s malformed, and 3 if a required verification step couldn’t reach the network. For air-gapped verification, see the verify-evidence reference.
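The following script shows how a CI job would act on the exit codes above and then read the Assessment Results export listed earlier. It is an added example, not MergeGuide's own code: the exit codes and the `mergeguide verify-evidence <file>` invocation come from this page, while the Python wrapper, the policy function, and the JSON layout (which follows the OSCAL assessment-results model: assessment-results, results[], findings[], target.status.state) are this example's assumptions, and the sample document is constructed for illustration.

```python
"""Verify a signed MergeGuide evidence artifact, then summarize an OSCAL
assessment-results export. Added example; not MergeGuide's own code.

Assumptions (labelled): the CLI and exit codes are as documented on this
page; the JSON layout follows the OSCAL assessment-results model as the
author of this example understands it; the sample below is constructed.
"""
import json
import subprocess
import sys
from collections import Counter

# Exit codes documented for `mergeguide verify-evidence`.
VERIFY_STATUS = {0: "valid", 1: "tampered", 2: "malformed", 3: "network-unreachable"}


def _run_cli(cmd):
    """Default runner: invoke the CLI and return its exit code."""
    try:
        return subprocess.run(cmd, check=False).returncode
    except FileNotFoundError:
        return -1  # CLI not on PATH; mapped to an unknown status, so the gate rejects


def verify_evidence(path, run=_run_cli):
    """Map the verifier's exit code to its documented meaning.

    `run` is injectable so the decision logic can be exercised without the CLI
    installed. Unknown codes are never treated as success: the gate fails closed.
    """
    code = run(["mergeguide", "verify-evidence", path])
    return VERIFY_STATUS.get(code, f"unknown-exit-{code}")


def gate_decision(status, allow_offline_retry=False):
    """CI policy: accept only a valid artifact.

    Exit 3 (network unreachable) is not evidence of tampering, but it is not a
    pass either; with allow_offline_retry the job can fall back to the
    air-gapped procedure from the verify-evidence reference instead of failing.
    """
    if status == "valid":
        return "accept"
    if status == "network-unreachable" and allow_offline_retry:
        return "retry-offline"
    return "reject"


def check_oscal_version(doc, expected="1.1.2"):
    """MergeGuide exports OSCAL v1.1.2; refuse documents that claim otherwise."""
    return doc["assessment-results"]["metadata"].get("oscal-version") == expected


def summarize_findings(doc):
    """Count findings per OSCAL status state and list the failing control targets."""
    states = Counter()
    failing = []
    for result in doc["assessment-results"]["results"]:
        for finding in result.get("findings", []):
            target = finding["target"]
            state = target["status"]["state"]
            states[state] += 1
            if state != "satisfied":
                failing.append(target["target-id"])
    return {"states": dict(states), "failing": sorted(failing)}


# Constructed sample of an assessment-results export (not real MergeGuide output).
SAMPLE_ASSESSMENT_RESULTS = json.loads("""
{"assessment-results": {
  "uuid": "00000000-0000-4000-8000-000000000001",
  "metadata": {"title": "Constructed sample", "last-modified": "2024-01-01T00:00:00Z",
               "version": "1", "oscal-version": "1.1.2"},
  "import-ap": {"href": "#constructed"},
  "results": [{
    "uuid": "00000000-0000-4000-8000-000000000002",
    "title": "Sample result", "description": "Constructed for illustration.",
    "start": "2024-01-01T00:00:00Z",
    "findings": [
      {"uuid": "00000000-0000-4000-8000-000000000003", "title": "AC-2",
       "description": "Account management in place.",
       "target": {"type": "objective-id", "target-id": "ac-2", "status": {"state": "satisfied"}}},
      {"uuid": "00000000-0000-4000-8000-000000000004", "title": "CM-6",
       "description": "Configuration baseline missing.",
       "target": {"type": "objective-id", "target-id": "cm-6", "status": {"state": "not-satisfied"}}},
      {"uuid": "00000000-0000-4000-8000-000000000005", "title": "IA-2",
       "description": "MFA enforced.",
       "target": {"type": "objective-id", "target-id": "ia-2", "status": {"state": "satisfied"}}}
    ]}]}}
""")

if __name__ == "__main__":
    # With a path argument, run the real verifier first; otherwise just show the summary.
    if len(sys.argv) > 1:
        status = verify_evidence(sys.argv[1])
        decision = gate_decision(status, allow_offline_retry=True)
        print(f"verification: {status} -> {decision}")
        if decision != "accept":
            sys.exit(1)
        with open(sys.argv[1]) as f:
            doc = json.load(f)
    else:
        doc = SAMPLE_ASSESSMENT_RESULTS
    print("oscal version ok:", check_oscal_version(doc))
    print(summarize_findings(doc))
```

The verification step is deliberately separate from parsing: the summary is only worth reading once the signature check has passed, and an exit code the script does not recognise is rejected rather than assumed benign.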

Next steps

Compliance overview

How compliance frameworks work in MergeGuide.

SBOM export

Generate a Software Bill of Materials.