
Create risk-assess

create risk-assess - Create OSCAL assessment-results from existing test and security evidence

The create risk-assess command creates OSCAL assessment-results for modules by reading existing test results and security scan evidence. It maps @control tags in feature files to OSCAL control IDs and determines satisfied/not-satisfied status.

This command does NOT run tests or scans. It only reads existing evidence. The command will warn (but continue) if:

  • Evidence is missing
  • Evidence is older than max-evidence-age (default: 24h)

Evidence is collected from:

  • Test results: out/test//.json
  • Security scans: out/scan///.json
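The following is an added illustration of the evidence-driven logic described above; it is not the project's own code. It assumes a hypothetical tag syntax of `@control:<id>` in Gherkin feature files, a constructed test-results JSON shape (`generated_at` plus a scenario-name-to-outcome map), and a simplified OSCAL-style finding object; the real tool's file formats may differ. The example shows the three behaviours the page names: mapping tags to control IDs, resolving satisfied/not-satisfied from existing results only, and warning (without stopping) on missing or stale evidence.

```python
"""Added example (not the project's code): map @control tags to control IDs and
resolve their status from pre-existing test evidence, warning on gaps/staleness."""
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed tag syntax "@control:<id>" (hypothetical; the real convention may differ).
CONTROL_TAG = re.compile(r"@control:([A-Za-z0-9.\-()]+)")


def parse_duration(text):
    """Parse a max-evidence-age value such as '24h', '7d' or '30m' into a timedelta."""
    m = re.fullmatch(r"(\d+)([mhd])", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    n, unit = int(m.group(1)), m.group(2)
    return timedelta(**{{"m": "minutes", "h": "hours", "d": "days"}[unit]: n})


def parse_control_tags(feature_text):
    """Return {scenario_name: [control_id, ...]}. As in Gherkin, tags placed
    above 'Feature:' apply to every scenario; tags above a Scenario apply to it."""
    feature_tags, pending, mapping = [], [], {}
    for raw in feature_text.splitlines():
        line = raw.strip()
        if line.startswith("@"):
            pending.extend(CONTROL_TAG.findall(line))
        elif line.startswith("Feature:"):
            feature_tags, pending = pending, []
        elif line.startswith("Scenario"):
            name = line.split(":", 1)[1].strip()
            mapping[name] = feature_tags + pending
            pending = []
        elif line:  # steps, descriptions or comments end the current tag group
            pending = []
    return mapping


def assess(feature_text, test_results, now, max_age="24h"):
    """Resolve control status from existing evidence; nothing is executed.
    A control is 'satisfied' only when every scenario tagged with it passed;
    a failed or missing result yields 'not-satisfied'. Missing or stale
    evidence produces a warning but does not abort the assessment."""
    warnings = []
    generated = datetime.fromisoformat(test_results["generated_at"])
    if now - generated > parse_duration(max_age):
        warnings.append(f"evidence is older than {max_age} (generated {generated.isoformat()})")
    outcomes = test_results.get("scenarios", {})
    by_control = {}
    for scenario, controls in parse_control_tags(feature_text).items():
        for cid in controls:
            by_control.setdefault(cid, []).append(scenario)
    findings = {}
    for cid, scenarios in sorted(by_control.items()):
        states = [outcomes.get(s) for s in scenarios]
        for scenario, state in zip(scenarios, states):
            if state is None:
                warnings.append(f"no test evidence for scenario {scenario!r} (control {cid})")
        ok = bool(states) and all(state == "passed" for state in states)
        findings[cid] = "satisfied" if ok else "not-satisfied"
    return findings, warnings


def to_oscal_findings(findings):
    """Render the status map as simplified OSCAL-style finding objects
    (assumed shape; not validated against the OSCAL schema)."""
    return [{"target": {"type": "objective-id", "target-id": cid,
                        "status": {"state": state}}}
            for cid, state in findings.items()]


# Constructed sample feature file and test-result evidence (not real project data).
SAMPLE_FEATURE = """\
@control:ac-2
Feature: Account management

  @control:ac-2(3)
  Scenario: Inactive accounts are disabled
    Given an account unused for 90 days
    Then the account is disabled

  @control:ia-2
  Scenario: Login requires MFA
    When a user logs in with only a password
    Then access is denied

  @control:au-2
  Scenario: Privileged actions are logged
    When an admin changes a role
    Then an audit event is written
"""

SAMPLE_RESULTS = {
    "generated_at": "2024-05-01T08:00:00+00:00",
    "scenarios": {
        "Inactive accounts are disabled": "passed",
        "Login requires MFA": "failed",
        # "Privileged actions are logged" has no result: evidence is missing
    },
}

# Two days after the evidence was generated, so a 24h limit flags it as stale.
SAMPLE_NOW = datetime(2024, 5, 3, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    findings, warnings = assess(SAMPLE_FEATURE, SAMPLE_RESULTS, SAMPLE_NOW, "24h")
    for w in warnings:
        print("WARNING:", w)
    print(json.dumps({"findings": to_oscal_findings(findings)}, indent=2))
```

With the constructed input, `ac-2` (inherited by every scenario from the feature-level tag) is not-satisfied because one tagged scenario failed and another has no result, `ac-2(3)` is satisfied, and the run emits three warnings (stale evidence plus the two missing-evidence notices); raising `max_age` to `7d` drops the staleness warning without changing any status.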

Flags

| Flag | Description |
|------|-------------|
| -p, --profile [required] | Path to OSCAL profile JSON file |
| --max-evidence-age (default: 24h) | Maximum age for evidence before warning (e.g., 24h, 7d) |
| --suites (default: all) | Test suites to check for evidence (e.g., all, integration, acceptance) |
| --sequential (default: false) | Run assessments sequentially instead of in parallel |
| -d, --debug (default: false) | Save intermediate outputs to out/commands.log |

Notes

Expected Output:

  • OSCAL assessment-results JSON file
  • Control status (satisfied/not-satisfied) based on test results
  • Risk assessment reports in Markdown format

See Also

