npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

attesting

v0.4.0

Published

OSCAL-native compliance control platform. Map controls across frameworks, write implementations once, export to any format.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

leveldleveld

Keywords

oscalcompliancenistcmmcsigiso-27001grcsecurityrisk-managementcontrol-mappingfedramp

Readme

Attesting

CI License: MIT Node Tests

OSCAL-native, local-first GRC platform. Attesting treats governance, risk, and compliance as one connected graph — controls, evidence, risks, and threats all flow through a single SQLite database and propagate to each other as state changes.

What it is

Attesting is a CLI + Web UI + HTTP API for teams that need to satisfy multiple compliance frameworks without spreadsheets. You import control catalogs (NIST 800-53, ISO 27001, CMMC, SIG, 10+ more), write implementation statements once, and they resolve across every mapped framework. Evidence moves through a lifecycle state machine. Compliance scores recompute when implementations or evidence change. A drift scheduler watches the graph and raises alerts when something slips. Audit-ready PDF/DOCX reports ship with one command.

Everything runs locally against a single SQLite file. No cloud dependency, no account required, no proprietary lock-in. OSCAL 1.1.2 is the native data model.

Key features

  • 14 bundled catalogs — NIST 800-53 (+4 baselines), 800-171, CSF 2.0, 800-218, ISO 27001, CMMC 2.0, HIPAA, SOC 2, PCI DSS 4.0, GDPR, CCPA/CPRA, EU AI Act, NISPOM
  • 282 pre-resolved cross-framework mappings — write once, satisfy many
  • Compliance scoring engine (Phase 8A) — weighted three-factor formula with per-family breakdown and time-series history
  • Executive dashboard (Phase 8B) — single-call aggregated posture summary with gauge, trend, risk, drift, POA&M widgets; printable board handouts
  • Audit-ready reports (Phase 8C) — professional PDF and DOCX generators with cover, control inventory, risk summary, methodology appendix
  • Continuous monitoring (Phase 8D) — threshold, delta, and trend alerting wired into the drift scheduler
  • Evidence lifecycle (Phase 8E) — strict state machine (draft → submitted → reviewed → accepted → expiring → expired → archived), reviewer workflow, renewal reminders, version chaining
  • 11 connector adapters — CISA KEV, NIST NVD, SBOM (CycloneDX + SPDX), CrowdStrike, ServiceNow, Jira, Splunk, Okta, Azure AD, AWS Security Hub, GCP SCC
  • Drift detection engine — 8 scheduled checks for evidence staleness, policy reviews, risk exceptions, disposition expiry, posture monitor, evidence expiry sweep
  • Propagation engine — state changes cascade automatically (implementation change → risk recalc → score snapshot → alert)
  • CLI + Web UI + HTTP API — every capability available in all three surfaces
  • 664 tests, 100% pass rate — across 71 files

Quick start

npm install -g attesting      # requires Node 20+
attesting org init --name "Acme Corp"
attesting scope create --name "Production" --type product

# Import a bundled framework
attesting catalog import --format oscal \
  --file data/catalogs/nist-800-53-r5.json \
  --name "NIST SP 800-53 Rev 5" --short-name nist-800-53-r5

# Check coverage
attesting score show --catalog nist-800-53-r5 --scope Production

# Start the web UI + API
attesting serve --port 3000
# → browse http://localhost:3000 for the dashboard
# → http://localhost:3000/api/docs for Swagger UI

CLI reference

Every command supports --json for machine-readable output. Run attesting <group> --help for full details.

Catalog management

  • catalog import — import a catalog (OSCAL JSON, SIG .xlsm, CSV)
  • catalog list — list all imported catalogs
  • catalog inspect — show catalog contents + control count
  • catalog diff — compare two catalog versions
  • catalog impact — impact analysis for catalog updates
  • catalog update — update catalog from source
  • catalog refresh — re-import catalog from its original file
  • catalog watch — register a catalog source for update notifications

Mappings

  • mapping create — create a single control-to-control mapping
  • mapping import — bulk import mappings from CSV
  • mapping list — list mappings with filters
  • mapping resolve — resolve direct + transitive mappings for a control
  • mapping auto-link — suggest mappings via similarity

Implementations

  • impl add — add an implementation statement
  • impl edit — edit an implementation
  • impl list — list implementations with filters
  • impl status — coverage summary for a scope
  • impl import — bulk import implementations from CSV

Risk register

  • risk create — create a risk
  • risk list — list risks with filters
  • risk update — update a risk
  • risk link — link controls to a risk
  • risk exceptions — manage risk exceptions
  • risk matrix — view/update the risk matrix

Compliance scoring (Phase 8A)

  • score show — show current score for a catalog + scope
  • score snapshot — persist a new snapshot
  • score history — show score trend over time
  • score summary — cross-catalog summary for a scope

Evidence lifecycle (Phase 8E)

  • evidence list — list evidence with status/implementation filters
  • evidence show — detail + full state history
  • evidence create — add a new evidence artifact (starts as draft)
  • evidence transition — apply a state machine action (submit/review/accept/reject/renew/archive)
  • evidence freshness — cross-catalog freshness summary

Continuous monitoring (Phase 8D)

  • monitor status — current posture findings across all catalogs
  • monitor check — run the posture monitor on demand
  • monitor configure — set per-scope/catalog thresholds
  • monitor thresholds — list or resolve configured thresholds

Audit reports (Phase 8C)

  • report audit — generate an audit-ready PDF or DOCX report

Intelligence

  • intel list — list threat inputs
  • intel submit — submit manual intel
  • intel promote — promote provisional intel to confirmed
  • intel corroborate — auto-corroborate against threat feeds
  • intel shadow — show shadow impact of hypothetical intel

Drift & dispositions

  • drift list — list open drift alerts
  • drift check — run a named drift check
  • drift dispose — create a disposition for an alert
  • drift tasks — list disposition tasks
  • drift schedule — view or update the drift check schedule

Connectors (11 adapters)

  • connector add — register a connector
  • connector list — list configured connectors
  • connector sync — trigger a sync
  • connector log — show sync logs
  • connector health — run a health check

Export

  • export pdf — generic PDF export (for audit reports use report audit)
  • export csv — flat CSV with implementations + mappings
  • export oscal — OSCAL JSON (component-definition, SSP)
  • export sig — SIG questionnaire response workbook
  • export soa — ISO 27001 Statement of Applicability workbook

Assessment & POA&M

  • assessment create — create a new assessment
  • assessment evaluate — evaluate an assessment against implementations
  • assessment poam — generate POA&M items from unmet results

Organization

  • org init — initialize your organization profile
  • scope create / scope list — manage product/system scopes

Setup & web

  • setup — interactive onboarding wizard
  • serve — start the web UI + HTTP API

API

The Express API exposes every domain as a REST namespace. Start the server with attesting serve and browse:

  • http://localhost:3000/api/docs — Swagger UI with all 77 paths documented (OpenAPI 3.1)
  • http://localhost:3000/api/docs/openapi.json — raw spec

Mounted namespaces:

| Namespace | Domain | |---|---| | /api/org | Organization profile + scopes | | /api/catalogs | Framework catalogs + controls (FTS) | | /api/mappings | Cross-framework mappings | | /api/implementations | Implementation statements | | /api/coverage | Per-catalog coverage aggregates | | /api/governance | Policies, committees, roles | | /api/risk | Risk register, matrix, exceptions | | /api/intel | Threat inputs + manual intel | | /api/drift | Drift alerts + dispositions | | /api/assets | Asset inventory | | /api/connectors | Data connectors + adapters | | /api/owners | Owner/person directory | | /api/audit | Immutable audit trail | | /api/export | CSV/OSCAL/SIG/SOA/PDF export | | /api/diff | Catalog diff | | /api/scores | Compliance scoring (Phase 8A) | | /api/dashboard/summary | Executive dashboard (Phase 8B) | | /api/reports/audit | Audit-ready PDF/DOCX (Phase 8C) | | /api/monitoring | Continuous monitoring (Phase 8D) | | /api/evidence | Evidence lifecycle (Phase 8E) |

Global rate limit: 100 requests / 60 seconds. Errors use a consistent { error, code, status, details?, stack? } envelope.

Web UI

React 19 + Tailwind + Recharts dashboard, served at http://localhost:3000/ when attesting serve is running. Pages:

  • Dashboard — executive summary with score gauge, per-framework bars, trend, risk posture, drift alerts
  • Catalogs / Controls — browse imported frameworks
  • Implementations — edit implementation statements
  • Mappings — explore cross-framework relationships
  • Risk — register, matrix, exceptions
  • Assets — inventory + threat correlation
  • Intel — threat inputs + manual intel with shadow analysis
  • Drift — alert feed + disposition workflow
  • Connectors — configure + trigger adapters
  • Governance — policies, committees, roles
  • Evidence — lifecycle queue with status badges + inline transitions
  • Exports — one-click exports + audit report generator

Configuration

Attesting stores all state under ~/.attesting/:

  • ~/.attesting/attesting.db — the SQLite database (schema + 6 migrations)
  • ~/.attesting/exports/ — generated export files
  • ~/.attesting/reports/ — generated audit reports
  • ~/.attesting/uploads/ — staged import files

Environment variables:

  • NODE_ENV — set to production to suppress stack traces in error responses

Node ≥20 required.

Architecture

Local-first. Single SQLite file, no external services required. Schema defined in src/db/schema.sql + numbered migrations under src/db/migrations/ (006 and counting).

Propagation engine (src/services/propagation/) — every write passes through a dispatcher that routes to entity-specific handlers. Evidence changes trigger score recalculation. Implementation status changes trigger risk recalculation. Handler errors are caught per-handler so one bad cascade can't crash the caller.

Drift scheduler (src/services/drift/scheduler.ts) — runs 8 periodic checks: evidence staleness (5min), policy reviews (hourly), risk exceptions (hourly), disposition expiry (hourly), manual intel expiry (hourly), posture monitor (hourly), evidence expiry sweep (hourly), full posture recalc (daily).

Connector adapters (src/services/connectors/adapters/) — each inbound adapter extends BaseAdapter with fetch() + transform(). All HTTP calls go through fetchWithTimeout with configurable per-connector timeouts (default 30s). Credentials validated at construction.

Bundled catalogs

| Catalog | Short name | Source format | |---|---|---| | NIST SP 800-53 Rev 5 (full) | nist-800-53-r5 | OSCAL JSON | | NIST 800-53 Low baseline | nist-800-53-r5-low | OSCAL JSON | | NIST 800-53 Moderate baseline | nist-800-53-r5-moderate | OSCAL JSON | | NIST 800-53 High baseline | nist-800-53-r5-high | OSCAL JSON | | NIST 800-53 Privacy baseline | nist-800-53-r5-privacy | OSCAL JSON | | NIST SP 800-171 Rev 3 | nist-800-171-r3 | OSCAL JSON | | NIST Cybersecurity Framework 2.0 | nist-csf-2.0 | OSCAL JSON | | NIST SP 800-218 (SSDF) | nist-800-218 | OSCAL JSON | | CMMC 2.0 Level 2 | cmmc-2.0 | CSV | | ISO/IEC 27001:2022 | (bring your own) | CSV | | HIPAA Security Rule | hipaa-security | CSV | | SOC 2 Trust Services Criteria | soc2-tsc | CSV | | PCI DSS 4.0 | pci-dss-4 | CSV | | GDPR | gdpr | CSV | | CCPA / CPRA | ccpa-cpra | CSV | | EU AI Act | eu-ai-act | CSV | | NISPOM 32 CFR 117 | nispom-117 | CSV | | SIG Lite 2026 | (bring your own .xlsm) | SIG XLSM |

Copyrighted framework text (SIG questions, ISO 27001 control bodies) is not shipped. Bring your own licensed source file and Attesting imports only the structural metadata.

Connector adapters (Phase 4)

| Adapter | Connects to | Auth | |---|---|---| | CISA KEV | Known Exploited Vulnerabilities feed | none (public) | | NIST NVD | National Vulnerability Database | optional API key | | SBOM CycloneDX | CycloneDX SBOM files | file-based | | SBOM SPDX | SPDX SBOM files | file-based | | CrowdStrike Falcon | Detections API | OAuth2 client credentials | | ServiceNow | Incident / Security Incident table | Basic auth | | Jira | Issues via JQL search | Basic auth + API token | | Splunk | Search API (async jobs) | Bearer token | | Okta | System Log | SSWS API token | | Azure AD / Entra ID | Identity Protection risk detections | OAuth2 client credentials | | AWS Security Hub | GetFindings (ASFF) | SigV4 | | GCP Security Command Center | Findings API | Service-account JWT |

All adapters: fail-fast credential validation on construction, 30s fetch timeout (configurable), 429 Retry-After handling, structured error responses.

Contributing

Contributions welcome — see CONTRIBUTING.md for dev setup, architecture overview, how to add a connector, and how to add a framework catalog.

License

MIT © Anthony Rossi III

See CHANGELOG.md for release history.