Every framework, declared honestly.
Pick the regimes your repository answers to. Watchdog evidences the automatable slice, gates what it caught failing, and a named human declares the rest. Every framework shows the three-way split — tool-evidenced, evidence-assisted, and human attestation — before you enable a thing.
Each framework is Automatic / On / Off per repository.
Ten frameworks, one honest pattern.
Each framework is a catalog of controls plus what Watchdog can evidence. The failure-gate, the self-assessment lifecycle, the signed artifact and the optional contract clause are identical for all — only the catalog and the regulation change.
WCAG 2.2
The web accessibility standard (AA). Static checks tool-evidence what they can; a sandboxed rendered-axe pass adds runtime evidence; a human judges meaning — alt-text equivalence, clear errors.
The ACR page →EN 301 549
The EU procurement accessibility standard the EAA points at — web plus non-web clauses. Web maps to WCAG; the non-web slices are disclosed as human attestation.
The ACR page →NIS2
The EU network-and-information-security directive. Watchdog tool-evidences the technical slice — CVEs, secrets, supply-chain trail; governance and incident handling are organizational and stay human-declared.
DORA
Digital operational resilience for the EU financial sector — ICT risk and supplier oversight. Scheduled scans and the SBOM feed the evidence; the resilience programme is a human declaration.
CRA
The EU Cyber Resilience Act for products with digital elements. The SBOM, CVE and secrets trail is the automatable slice CRA asks about; conformity claims stay with the manufacturer.
GDPR (technical)
The technical slice of GDPR — PII in code and config, data-flow signals, crypto posture. Lawfulness and process are organizational and stay human-declared.
OWASP ASVS
The application-security verification standard. SAST posture, secrets, injection guards tool-evidence part; architecture and design controls are evidence-assisted or human.
SLSA
Supply-chain levels for software artifacts. Build-provenance and dependency signals tool-evidence a slice; the rest of the chain is declared.
SSDF
NIST's secure software development framework. Process-heavy: Watchdog evidences the code-visible practices; the organizational practices are attested by a named person.
ISO 27001 (evidence)
Evidence toward an ISMS — the code-and-pipeline slice only. Watchdog never claims certification; it assembles what a machine can stand behind.
Self-assess any framework on any plan. Signing & exporting the tamper-evident artifact is part of the compliance module — sold on Assay.
Enable what you need.
Each framework is Automatic / On / Off per repository · Sign in with GitHub · no card.