Axis 6: Templates
OSCAL Catalog Template
GCBoK defines German compliance taxonomies as OSCAL catalogs — a market novelty:
oscal_catalog:
groups:
- id: "gobdControls"
title: "GoBD - Traceability"
controls:
- id: "GOBD-01"
title: "Progressive Navigation"
description: "Every business transaction traceable backwards"
- id: "bsiControls"
title: "BSI IT-Grundschutz Module"
controls:
- id: "APP.3.1.A1"
title: "Data Backup"
- id: "dsgvoControls"
title: "GDPR Requirements"
controls:
- id: "DSGVO-Art.17"
title: "Right to be Forgotten"
OPA Policy Template
Example of a Rego policy for evidence validation:
package gitcover.compliance
deny[msg] {
input.class == "INVOICE"
not input.prev_sha256
msg := "INVOICE muss prev-hash referenzieren"
}
deny[msg] {
input.class == "PAYMENT"
not input.gpg_fingerprint
msg := "PAYMENT muss GPG-signiert sein"
}
allow {
count(deny) == 0
}
V7GUID Schema
The canonical V7GUID metadata schema:
v7guid: "0197a3b2-f3c0-7b00-8001-000000000042"
class: INVOICE # PERSON | INVOICE | PAYMENT | CONTRACT | ...
sha256: "7d4e2f..."
prev_sha256: "3f2a1c..." # null for genesis evidence
gpg_fingerprint: "ABCD1234..."
timestamp_iso: "2026-06-14T11:18:00+02:00"
gobd_periode: "FY2026"
DMS Container Template
The .v7g.zip container for GCDMS (scope depends on use case):
document.v7g.zip
├── .v7g.md # Metadata, possibly with structure information in Markdown artifacts (JSON/YAML/XML, SHA256 hash of the original document, etc.)
├── .v7g.sig # GPG signature
├── document.pdf # Original document
├── document.json # Machine-readable extracts
├── document.xml # Machine-readable extracts (e.g. X-Rechnung)
└── attachments/ # Attachments
Format Selection by Use Case
| Format | Use |
|---|---|
.v7g.json |
Machine-readable, OPA policies, OSCAL export |
.v7g.md |
Hyperlinks, human-readable, Git web UI |
.v7g.yaml |
Configuration file, human-editable |