Adding new policies

[FotiosBistas]

Hello,

I was wondering whether it would be possible to support additional compliance policies based on external regulatory or certification frameworks. For example, the ECCG Agreed Cryptographic Mechanisms v2 published by ENISA defines approved, deprecated, and non-recommended cryptographic algorithms and parameter requirements:

https://certification.enisa.europa.eu/document/download/a845662b-aee0-484e-9191-890c4cfa7aaa_en?filename=ECCG%20Agreed%20Cryptographic%20Mechanisms%20version%202.pdf

Given that the EU Cyber Resilience Act (CRA) may rely on European cybersecurity certification schemes and associated guidance (such as ECCG) when defining cryptographic expectations, support for such compliance profiles could become increasingly relevant for vendors operating in the EU market.

[haritzsaiz]

In theory, there is an ext-compliance profile when implementing Docker containers, but the dependent container image ibm-regultator is not present (nor does it appear to have been uploaded to cbomkit ghcr). How can we invoke external compliance checks?

[san-zrl]

Hi @haritzsaiz, @FotiosBistas - I will have a look into this

[FotiosBistas]

Hi @san-zrl, just checking in on this — have you had a chance to look into it?

[san-zrl]

Hi @FotiosBistas, I'm trying to get approval to publish our regulator tool. I'll let you know when I have news on this.