Axis 6: Templates

OSCAL Catalog Template

GCBoK defines German compliance taxonomies as OSCAL catalogs — a market novelty:

oscal_catalog:
  groups:
    - id: "gobdControls"
      title: "GoBD - Traceability"
      controls:
        - id: "GOBD-01"
          title: "Progressive Navigation"
          description: "Every business transaction traceable backwards"
    - id: "bsiControls"
      title: "BSI IT-Grundschutz Module"
      controls:
        - id: "APP.3.1.A1"
          title: "Data Backup"
    - id: "dsgvoControls"
      title: "GDPR Requirements"
      controls:
        - id: "DSGVO-Art.17"
          title: "Right to be Forgotten"

OPA Policy Template

Example of a Rego policy for evidence validation:

package gitcover.compliance

deny[msg] {
    input.class == "INVOICE"
    not input.prev_sha256
    msg := "INVOICE muss prev-hash referenzieren"
}

deny[msg] {
    input.class == "PAYMENT"
    not input.gpg_fingerprint
    msg := "PAYMENT muss GPG-signiert sein"
}

allow {
    count(deny) == 0
}

V7GUID Schema

The canonical V7GUID metadata schema:

v7guid: "0197a3b2-f3c0-7b00-8001-000000000042"
class: INVOICE          # PERSON | INVOICE | PAYMENT | CONTRACT | ...
sha256: "7d4e2f..."
prev_sha256: "3f2a1c..."  # null for genesis evidence
gpg_fingerprint: "ABCD1234..."
timestamp_iso: "2026-06-14T11:18:00+02:00"
gobd_periode: "FY2026"

DMS Container Template

The .v7g.zip container for GCDMS (scope depends on use case):

document.v7g.zip
├── .v7g.md          # Metadata, possibly with structure information in Markdown artifacts (JSON/YAML/XML, SHA256 hash of the original document, etc.)
├── .v7g.sig         # GPG signature
├── document.pdf     # Original document
├── document.json    # Machine-readable extracts
├── document.xml     # Machine-readable extracts (e.g. X-Rechnung)
└── attachments/     # Attachments

Format Selection by Use Case

Format Use
.v7g.json Machine-readable, OPA policies, OSCAL export
.v7g.md Hyperlinks, human-readable, Git web UI
.v7g.yaml Configuration file, human-editable