C5-DEC, short for "Common Criteria for Cybersecurity, Cryptography, Clouds – Design, Evaluation and Certification", is a sub-project of the CyFORT project, which in turn stands for "Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience", carried out in the context of the IPCEI-CIS project.
C5-DEC CAD is the software component of C5-DEC: an AI-enabled toolkit for secure system design, development, and evaluation across CLI/TUI/GUI and VS Code. It combines CCT, SSDLC with SpecEngine and DocEngine, CRA, SBOM, CPSSA, cryptography, and project management in one traceable, open-format (Markdown/YAML) workflow.
This repository contains the C5-DEC CAD source code plus full documentation, including requirements, design artifacts, the user manual, and test specifications/reports; live traceability is published on the technical specification web site.
For a visual stakeholder-oriented tour of C5-DEC CAD, visit the product presentation page.
- Overview
- Features
- User manual
- Technical specifications
- Prerequisites
- Getting started
- Usage
- Changelog
- Contributing
- License
- Contact
C5-DEC CAD assists system/software designers, developers, testers and security analysts with building and evaluating secure software systems. It integrates SSDLC, SVV, and CPSSA within the Common Criteria framework, providing full artifact traceability across the entire development life cycle, along with cryptographic checks, threat modelling, quantitative risk analysis, Cyber Resilience Act (CRA) compliance support, and SBOM lifecycle management. Its DocEngine, built on Quarto with custom LaTeX enhancements and pre/post-render scripting, enables smart document authoring, scientific and technical publishing across report, presentation, and CRA technical documentation templates.
C5-DEC ships two complementary knowledge bases:
- CC concept wiki: A structured reference of 50+ articles organized across four areas: CC Concepts, Core Constructs, Certification Schemes, Terms & Definitions;
- SSDLC, SVV, and CPSSA methodology reports: Structured guidance covering the full software development life cycle, software verification and validation, and cyber-physical system security assessment. Parts rely on ISO standards (ISO/IEC/IEEE 12207, ISO 29119:2022, ISO 29148:2018); contact us at info@abstractionslab.lu with proof of eligibility to receive access.
- A command-line interface (CLI) for efficient user interactions and scripting automation;
- A user-friendly graphical user interface (GUI), powered by Flask and Bootstrap;
- A rich textual user interface (TUI), powered by asciimatics;
- A VS Code-optimized workbench with preloaded extensions and
devcontainerconfigurations preinstalled in the C5-DEC dev containers (CAD, DocEngine, PQC-OpenSSL); - Straightforward integration with Dev(Sec)Ops platforms (GitHub, GitLab);
- Containerized development and deployment.
- New C5-DEC project scaffolding (
c5dec new): containerized repository with dependencies, templates, DocEngine, SpecEngine, and Doorstop-based traceability, with an AI-enabled approach for generating requirements, test cases, and technical reports; - DocEngine (
c5dec docengine): Quarto-based publishing pipeline with LaTeX customizations and pre/post-render scripts; scaffolds three template types —report,presentation(Reveal.js and PowerPoint with ALab branding), andcra-tech-doc(CRA Annex VII technical documentation); - Transformer: document transformation and format conversion using Doorstop, Quarto, pandoc, and organize;
- SpecEngine toolkit for specification management following the C5-DEC method:
c5graph.py(interactive Cytoscape.js traceability graph with dagre layout, expand/collapse, color-coded coverage),c5mermaid.py(Mermaid-to-SVG/PNG pre-processor with undo and dry-run, integrated intopublish.sh),c5browser.py(standalone Bootstrap + DataTables HTML browser for Doorstop items with sortable/filterable per-document-type tables),c5traceability.py(configurable traceability matrix statistics with console and HTML report output, auto-discovery of document trees from.doorstop.ymlfiles),prune_bad_links.py(Doorstop link pruning), anddoorstop_yml_to_md.py(YAML-to-Markdown item migration); - A KB element dedicated to software verification and validation (SVV).
A view of the C5-DEC CAD specification browser:
A view of the C5-DEC CAD specification graph:
A view of the C5-DEC CAD traceability statistics:
A comprehensive Common Criteria Toolbox (CCT) covering:
- Full CC database of Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs), with an OOP model serialized in Markdown and YAML with Doorstop traceability;
- CEM evaluation checklist creation and export to spreadsheet format;
- ETR document part generation from C5-DEC checklist spreadsheets and a DocEngine-backed ETR generation pipeline;
- A structured CC concept wiki with 50+ articles covering CC Concepts (TOE and its components, Security Problem Definition, Security Objectives, SFRs/SARs and their four operations, Evaluation Assurance Levels, attack potential, evaluation evidence), Core Constructs (Security Target, Protection Profile, PP-Module, PP-Configuration, ETR, Observation Report), the EUCC certification scheme, and a Terms & Definitions register.
A comprehensive CRA compliance module supporting EU Regulation (EU) 2024/2847:
- Essential requirements checklist (Annex I, Parts I & II) with Doorstop integration, pass/fail/na verdict tracking, and Excel export with per-category compliance percentages;
- CRA Technical Documentation generator (Annex VII, seven chapters) and EU Declaration of Conformity generator (Annex V); also available as
c5dec docengine cra-tech-doc; - SBOM lifecycle management (
c5dec sbom) with Syft integration (CycloneDX and SPDX), generation, parsing, validation, version diff, Doorstop traceability, and automated CRA requirement cross-verification; - Support for Default, Class I, Class II, and Critical CRA product risk classes.
A fully integrated CPSSA module (c5dec cpssa) with five subcommands:
create-threat-model— generates Threagile-compatible YAML threat models from Doorstop SRS/ARC artifacts with auto-discovery and sidecar YAML support (threat-actors.yml,assumptions.yml);generate-report— produces STRIDE-based CPSSA Markdown reports from a threat model;generate-dfd— generates PlantUML Data Flow Diagrams from Doorstop ARC items;fair-input— creates a FAIR parameters template YAML from a threat model;risk-analysis— runs FAIR-based Monte Carlo quantitative risk analysis using pyfair with PERT distribution support and--fair-paramsYAML override.
A water-treatment worked example is included in c5dec/core/cpssa/examples/water-treatment/. The CPSSA methodology is described in the C5-DEC KB.
- A native Python cryptography module exposed via
c5dec cryptowith 11 subcommands:hash,verify-hash,sign,verify-sig,encrypt,decrypt,shamir-split,shamir-recover,nacl-keygen,nacl-sign,nacl-verify; - Covers SHA-256 file integrity, GnuPG signing and encryption, Shamir's Secret Sharing over GF(2¹²⁷−1), and NaCl Ed25519 digital signatures;
- Containerized deployment of GnuPG, Kryptor, and Cryptomator CLI;
- A dedicated dev container with the OQS-OpenSSL provider for post-quantum cryptography.
C5-DEC CAD is designed from the ground up to be AI-friendly (more precisely, LLM-assisted). All artifacts — requirements, design elements, test cases, architecture items, and technical reports — use open text formats (Markdown, YAML, Quarto), making them machine-parseable without conversion. LLMs can work across the full specification tree in both conversational and agent mode:
- Open-format artifact corpus: Every requirement, design item, test case, traceability link, and knowledge base article is stored as plain Markdown or YAML. There is no proprietary binary format to decode and no export step needed — an LLM has direct read and write access to the complete artifact set.
- Structured, domain-organized knowledge base: The CC concept wiki, SSDLC methodology, SVV model, and CPSSA guidance are written as structured Markdown documents organized by module. This gives LLMs authoritative, project-specific context for each functional area (CCT, CRA, CPSSA, DocEngine, SpecEngine, cryptography, project management) without relying on generic training data.
- Doorstop-backed traceability: The specification tree (MRS → SRS → SWD → TCS → TRP) provides explicit, navigable links between requirements, design decisions, and test cases. An LLM can follow the traceability graph forward or backward to perform gap analysis, consistency checking, or coverage assessment with precision.
- Modular, task-aligned architecture: Each C5-DEC module (CCT, SSDLC, CRA, CPSSA, SBOM, cryptography, PM) is independently documented and implemented, making it straightforward to scope AI assistance to a specific domain — Common Criteria component selection, threat modelling, CRA compliance, test authoring, or report generation — without requiring broad context.
- Workflow-oriented structure: C5-DEC workflows follow well-defined, repeatable procedures (new project bootstrapping, release cycle management, CRA compliance, CPSSA engagement, DocEngine publishing). The procedural nature of these workflows makes them well-suited to step-by-step AI-guided execution.
See the AI-enabled design and specification section of the user manual for a detailed description of the approach.
- OpenProject time report processing and conversion to custom formats;
- Time sheet consolidation and detailed resource and cost computation;
- Project management approach based on the HERMES method documented in the C5-DEC KB.
See the C5-DEC CAD user manual for installation, setup, and module-by-module usage guidance.
The technical specifications of C5-DEC CAD are published to HTML via the publish.sh script in docs/specs/, backed by the SpecEngine toolchain. View them on our traceability page.
| Requirement | Docker + shell scripts | VS Code dev container |
|---|---|---|
| Docker Engine | Required | — |
| Docker Desktop | — | Required |
| Visual Studio Code | — | Required |
| Dev Containers extension | — | Required |
| Git | Recommended | Required (for cloning) |
No local Python installation is needed — all Python dependencies are managed inside the Docker container.
Note on pre-release dependencies: two runtime dependencies are pre-release upstream:
doorstop 3.0b10(beta) andpyfair 0.1a13(alpha). No stable releases exist for these packages at the time of this release.
C5-DEC CAD supports two deployment models; see the installation page for full details.
Install Docker engine, clone or unzip the repository, make the scripts executable (chmod +x *.sh), build the image with ./build-c5dec.sh, and run ./c5dec.sh. This model covers all CLI commands and is best suited for CCT, PM, CRA, and CPSSA workflows.
Install Docker Desktop, VS Code, and the Dev Containers extension. Clone the repository, open it in VS Code, and select "Reopen in Container". Three container configurations are available:
| Container | Contents | Best for |
|---|---|---|
C5-DEC CAD dev container |
CLI, TUI, GUI, CCT, CRA, SBOM, CPSSA, cryptography | General use and development |
C5-DEC DocEngine dev container |
CAD dev container plus Quarto, TeX Live, Kryptor, Cryptomator CLI |
Report and document publishing |
C5-DEC CAD cryptography dev container |
OpenSSL, OQS-OpenSSL provider | Post-quantum cryptography |
Once inside the container, activate the poetry environment with poetry shell and run c5dec -h.
C5-DEC CAD exposes two entry points depending on the deployment model:
./c5dec.sh <command>— used with the Docker + shell scripts model. The runner script wraps the container invocation so no Poetry or Python setup is needed on the host.c5dec <command>— used inside the VS Code dev container after activating the Poetry environment (poetry shell). Provides the full feature set including DocEngine, Transformer, and advanced SSDLC workflows.
The TUI and GUI are launched with the -t and -g flags respectively. An interactive session mode (c5dec.sh session <workspace>) is available for Transformer and cryptography workflows; a PQC entrypoint (c5dec.sh pqc) opens the OQS-OpenSSL container.
| Interface | Launch command | Description |
|---|---|---|
| CLI | ./c5dec.sh or c5dec -h |
Primary interface; full command set |
| TUI | ./c5dec.sh -t |
Interactive terminal UI |
| GUI | ./c5dec.sh -g |
Web UI at 127.0.0.1:5432 |
| VS Code dev container | Reopen in container | Full workbench with preloaded extensions; choose CAD, DocEngine, or PQC-OpenSSL container |
./c5dec.shThis would display the help menu of the CLI, as shown below. You can then choose one of the available subcommands to execute the desired operation.
You can launch the TUI using the -t flag.
./c5dec.sh -tThis would launch the TUI and start with the module selection menu, as shown below.
./c5dec.sh -gThis would launch the GUI, as shown below, starting a web server that listens on port 5432 on the local host, meaning that you can access the application by pointing your browser to 127.0.0.1:5432.
Finally, you can access the optimized VS Code dev containers via the "Reopen in container" feature
and use the customized workbench for development:
See the quick start page for the full list of runner options and first-run examples, and the user manual for per-module command references.
See CHANGELOG.md for a full history of releases and changes.
Contributions are welcome. Please read CONTRIBUTING.md for branching conventions, commit message guidelines, how to run the test suite, and documentation standards before opening a pull request. To report a security vulnerability, follow the process described in SECURITY.md.
Copyright (c) itrust Abstractions Lab and itrust consulting. All rights reserved.
Licensed under the GNU Affero General Public License (AGPL) v3.0 license.
The creation of the C5-DEC software tools and its knowledge base is co-funded by the Ministry of the Economy of Luxembourg, in the context of the CyFORT project.
If you wish to learn more about the project, feel free to contact us at Abstractions Lab: info@abstractionslab.lu