Add FedRAMP + DORA frameworks, npm package, SBOM generation (v1.7.0)

New frameworks (19th & 20th):
- FedRAMP AI overlay — 3 mapping files (LLM/Agentic/DSGAI × SP 800-53 controls)
- DORA (EU 2022/2554) — 3 mapping files (LLM/Agentic/DSGAI × Art. 5-45)

npm package (@owasp/genai-crosswalk):
- src/index.ts — typed API: getEntry, getFramework, searchEntries, getBySeverity
- src/index.test.ts — 12 smoke tests (all pass)
- tsconfig.json, dist/ output, package.json updated

SBOM generation:
- .github/workflows/sbom.yml — CycloneDX on release tags
- scripts/sbom-inventory.js — content-level SBOM (mapping files, entries, incidents)

Infrastructure:
- generate.js — SP 800-218A, FedRAMP, DORA in FRAMEWORK_FILES catalog (66/67 parsed)
- compliance-report.js — FedRAMP + DORA in REPORT_FRAMEWORKS + FW_META
- All 41 data/entries/ regenerated with 20 frameworks
- 20 gap assessment reports (3 new: SP 800-218A, FedRAMP, DORA)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: emmanuelgjr

.github/workflows/sbom.yml

@@ -0,0 +1,48 @@
+name: SBOM Generation
+
+on:
+  push:
+    tags: ['v*']
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  sbom:
+    name: Generate CycloneDX SBOM
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: npm install --ignore-scripts
+
+      - name: Generate CycloneDX SBOM
+        uses: CycloneDX/gh-node-module-generatebom@v1
+        with:
+          output: sbom.cdx.json
+
+      - name: Generate content inventory SBOM
+        run: node scripts/sbom-inventory.js
+
+      - name: Upload SBOM artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: |
+            sbom.cdx.json
+            sbom-content.cdx.json
+
+      - name: Attach SBOM to release
+        if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG="${GITHUB_REF#refs/tags/}"
+          gh release upload "$TAG" sbom.cdx.json sbom-content.cdx.json --clobber

.gitignore

@@ -7,3 +7,6 @@ __pycache__/
 evals/results/
 reports/
 data/.watch-state.json
+dist/
+sbom.cdx.json
+sbom-content.cdx.json

CHANGELOG.md

@@ -9,7 +9,51 @@ Versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
-Next: npm package `@owasp/genai-crosswalk` with TypeScript types, SBOM generation in CI, FedRAMP AI overlay + DORA framework additions.
+All items through v1.7.0 complete.
+
+---
+
+## [1.7.0] — 2026-03-28
+
+### Added
+
+#### Two new frameworks: FedRAMP AI overlay + DORA (frameworks 19 & 20)
+
+**FedRAMP** — US Federal Risk and Authorization Management Program AI overlay, extending SP 800-53 Rev 5 baseline:
+
+| File | Entries |
+|---|---|
+| `llm-top10/LLM_FedRAMP.md` | LLM01–LLM10 |
+| `agentic-top10/Agentic_FedRAMP.md` | ASI01–ASI10 |
+| `dsgai-2026/DSGAI_FedRAMP.md` | DSGAI01–DSGAI21 |
+
+**DORA** — EU Digital Operational Resilience Act (Regulation 2022/2554), mandatory for financial entities:
+
+| File | Entries |
+|---|---|
+| `llm-top10/LLM_DORA.md` | LLM01–LLM10 |
+| `agentic-top10/Agentic_DORA.md` | ASI01–ASI10 |
+| `dsgai-2026/DSGAI_DORA.md` | DSGAI01–DSGAI21 |
+
+#### npm package `@owasp/genai-crosswalk`
+
+- TypeScript types for all data structures (Entry, Incident, Mapping, MaestroLayer, etc.)
+- `src/index.ts` — typed API: `getEntry()`, `getFramework()`, `searchEntries()`, `getBySeverity()`, `getIncidentsForEntry()`, `getIncidentsByLayer()`
+- `src/index.test.ts` — 12 smoke tests using Node.js built-in test runner
+- `tsconfig.json`, `dist/` build output
+- `package.json` updated: `@owasp/genai-crosswalk`, `main: dist/index.js`, `types: dist/index.d.ts`
+
+#### SBOM generation
+
+- `.github/workflows/sbom.yml` — CycloneDX SBOM on every tag push, attached to GitHub Release
+- `scripts/sbom-inventory.js` — content-level SBOM of all crosswalk data assets (mapping files, entries, incidents)
+
+### Changed
+- `scripts/generate.js` — added SP 800-218A, FedRAMP, and DORA to FRAMEWORK_FILES catalog
+- `scripts/compliance-report.js` — added FedRAMP and DORA to REPORT_FRAMEWORKS + FW_META
+- `.gitignore` — added `dist/`, SBOM artifacts
+- Mapping file count: 61 → 67 (6 FedRAMP + DORA files)
+- Framework count: 18 → 20
 
 ---
 

README.md

@@ -2,12 +2,13 @@
 
 [![License: CC BY-SA 4.0](https://img.shields.io/badge/License-CC%20BY--SA%204.0-lightgrey.svg)](https://creativecommons.org/licenses/by-sa/4.0/)
 [![OWASP Lab](https://img.shields.io/badge/OWASP-GenAI%20Data%20Security-blue)](https://genai.owasp.org)
-[![Version](https://img.shields.io/badge/version-1.6.0-green)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-1.7.0-green)](CHANGELOG.md)
 [![Source Lists](https://img.shields.io/badge/source%20lists-3-blueviolet)](README.md)
-[![Mapping Files](https://img.shields.io/badge/mapping%20files-61-brightgreen)](README.md)
-[![Frameworks](https://img.shields.io/badge/frameworks-18-orange)](README.md)
+[![Mapping Files](https://img.shields.io/badge/mapping%20files-67-brightgreen)](README.md)
+[![Frameworks](https://img.shields.io/badge/frameworks-20-orange)](README.md)
+[![npm](https://img.shields.io/badge/npm-%40owasp%2Fgenai--crosswalk-red)](https://www.npmjs.com/package/@owasp/genai-crosswalk)
 
-> The most comprehensive publicly available mapping of OWASP GenAI security risks to industry frameworks — covering LLM applications, autonomous agentic AI, and GenAI data security across **18 frameworks** and **3 OWASP source lists**.
+> The most comprehensive publicly available mapping of OWASP GenAI security risks to industry frameworks — covering LLM applications, autonomous agentic AI, and GenAI data security across **20 frameworks** and **3 OWASP source lists**.
  
 Maintained by the [OWASP GenAI Data Security Initiative](https://genai.owasp.org).  
 Created by **[Emmanuel Guilherme Junior](https://github.com/emmanuelgjr)**.
@@ -21,8 +22,8 @@ Every file answers one question: **which controls from framework X address vulne
 | | |
 |---|---|
 | **3** source lists | LLM Top 10 · Agentic Top 10 · DSGAI 2026 |
-| **18** frameworks | Compliance · Governance · Threat modeling · Testing · OT/ICS · Identity · Secure SDLC |
-| **61** mapping files | Every source list entry × every applicable framework |
+| **20** frameworks | Compliance · Governance · Threat modeling · Testing · OT/ICS · Identity · Secure SDLC · Financial |
+| **67** mapping files | Every source list entry × every applicable framework |
 | **13** implementation recipes | Production-ready Python patterns |
 | **40+** open-source tools | Catalogued and organised by function |
 | **10** eval profiles | Runnable Garak + PyRIT tests mapped to OWASP entries |
@@ -66,12 +67,14 @@ All free. All open-source. Built for practitioners.
 | [AIUC-1](https://www.aiuc-1.com) | ✅ | ✅ | ✅ |
 | [OWASP NHI Top 10](https://owasp.org/www-project-non-human-identities-top-10/) | ✅ | ✅ | ✅ |
 | [NIST SP 800-218A](https://doi.org/10.6028/NIST.SP.800-218A.ipd) | ✅ | ✅ | ✅ |
+| [FedRAMP](https://www.fedramp.gov/) | ✅ | ✅ | ✅ |
+| [DORA (EU 2022/2554)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554) | ✅ | ✅ | ✅ |
 
 ---
 
 ## All mapping files
 
-### LLM Top 10 2025 — 21 framework mappings
+### LLM Top 10 2025 — 23 framework mappings
 
 | File | Framework | Standout content |
 |---|---|---|
@@ -96,8 +99,10 @@ All free. All open-source. Built for practitioners.
 | [LLM_AIUC1.md](llm-top10/LLM_AIUC1.md) | AIUC-1 | Six-domain control mapping for LLM deployments — certification readiness checklist |
 | [LLM_NHI.md](llm-top10/LLM_NHI.md) | OWASP NHI Top 10 | Credential and identity controls per LLM entry — NHI programme maturity table |
 | [LLM_SP800218A.md](llm-top10/LLM_SP800218A.md) | NIST SP 800-218A | Secure AI SDLC practices — PW/PS/RV practice mapping per LLM entry |
+| [LLM_FedRAMP.md](llm-top10/LLM_FedRAMP.md) | FedRAMP | SP 800-53 AI overlay — AC/AU/CA/CM/IA/IR/RA/SA/SC/SI/SR control families |
+| [LLM_DORA.md](llm-top10/LLM_DORA.md) | DORA | EU financial sector resilience — Art. 5–45 per LLM entry |
 
-### Agentic Top 10 2026 — 21 framework mappings
+### Agentic Top 10 2026 — 23 framework mappings
 
 | File | Framework | Standout content |
 |---|---|---|
@@ -121,10 +126,12 @@ All free. All open-source. Built for practitioners.
 | [Agentic_SAMM.md](agentic-top10/Agentic_SAMM.md) | OWASP SAMM v2.0 | L1–L3 maturity scorecard for agentic AI — pre-deployment gates and programme maturity roadmap |
 | [Agentic_NISTSP80082.md](agentic-top10/Agentic_NISTSP80082.md) | NIST SP 800-82 Rev 3 | OT agent placement, SP 800-53 controls, U.S. regulatory crosswalk (NERC CIP, AWIA, CMMC) |
 | [Agentic_SP800218A.md](agentic-top10/Agentic_SP800218A.md) | NIST SP 800-218A | Secure agentic SDLC — tool access, memory integrity, multi-agent pipeline practices |
+| [Agentic_FedRAMP.md](agentic-top10/Agentic_FedRAMP.md) | FedRAMP | Federal agentic AI authorization — agent identity, tool access, cascade controls |
+| [Agentic_DORA.md](agentic-top10/Agentic_DORA.md) | DORA | Financial sector agentic resilience — incident reporting, third-party agent risk |
 
 > **Also in this folder:** [Agentic_CWE_CVE.md](agentic-top10/Agentic_CWE_CVE.md) — CWE root cause taxonomy, confirmed CVEs, full CWE cross-reference index.
 
-### DSGAI 2026 — 19 framework mappings
+### DSGAI 2026 — 21 framework mappings
 
 | File | Framework | Standout content |
 |---|---|---|
@@ -147,6 +154,8 @@ All free. All open-source. Built for practitioners.
 | [DSGAI_AIUC1.md](dsgai-2026/DSGAI_AIUC1.md) | AIUC-1 | Domain A (Data & Privacy) covers 50%+ of DSGAI entries — certification readiness table |
 | [DSGAI_NHI.md](dsgai-2026/DSGAI_NHI.md) | OWASP NHI Top 10 | NHI as enabling condition for DSGAI risks — NHI programme maturity table for GenAI data |
 | [DSGAI_SP800218A.md](dsgai-2026/DSGAI_SP800218A.md) | NIST SP 800-218A | Secure GenAI data SDLC — training data protection, data governance, provenance practices |
+| [DSGAI_FedRAMP.md](dsgai-2026/DSGAI_FedRAMP.md) | FedRAMP | Federal data security controls — SC-28 data at rest, AU-2 logging, SR supply chain |
+| [DSGAI_DORA.md](dsgai-2026/DSGAI_DORA.md) | DORA | Financial data resilience — Art. 8 asset inventory, Art. 12 backup, Art. 28-44 vendor risk |
 
 ### Shared resources
 
@@ -345,6 +354,23 @@ node scripts/watch.js --watcher arxiv  # run single watcher
 
 Weekly GitHub Actions cron (`.github/workflows/weekly-watch.yml`) runs all 4 watchers and opens labeled issues automatically.
 
+### npm package
+
+```bash
+npm install @owasp/genai-crosswalk
+```
+
+```typescript
+import { getEntry, getFramework, searchEntries, incidents } from '@owasp/genai-crosswalk';
+
+const llm01 = getEntry('LLM01');        // typed Entry object
+const euai  = getFramework('EU AI Act'); // { framework, entries, controls }
+const hits  = searchEntries('injection');  // Entry[]
+const incs  = incidents;                   // 31 Incident[] with MAESTRO layers
+```
+
+Full TypeScript types included for all data structures.
+
 ---
 
 ## Start here — by role