Project Structure¶
After running ges init, the following structure is created in your project:
your-project/
├── .ges/
│ ├── config.yaml # Human-readable project configuration
│ ├── config.json # Machine-readable project configuration
│ ├── metadata.json # Project metadata and timestamps
│ ├── score.json # Compliance scores (updated by ges audit)
│ └── framework-version.json # Policy pack version tracking
│
├── compliance/
│ ├── gdpr.md # GDPR compliance tracker
│ ├── data-inventory.md # Data inventory template
│ ├── retention-policy.md # Data retention policy
│ ├── processing-records.md # Article 30 processing records
│ ├── risk-register.md # Risk register template
│ ├── access-control-matrix.md # RBAC matrix
│ └── privacy-impact-assessment.md # Privacy impact assessment
│
├── security/
│ ├── threat-model.md # STRIDE threat model
│ ├── key-management.md # Key management policy
│ ├── logging-policy.md # Logging standards
│ ├── backup-policy.md # Backup procedures
│ ├── incident-response.md # Incident response plan
│ ├── disaster-recovery.md # Disaster recovery plan
│ └── encryption-standard.md # Approved encryption algorithms
│
├── controls/
│ ├── gdpr/controls.json # GDPR control definitions
│ ├── owasp/controls.json # OWASP control definitions
│ ├── cis/controls.json # CIS control definitions
│ └── nist/controls.json # NIST control definitions
│
├── policies/ # Policy definitions
├── checklists/ # Compliance checklists
├── docs/ # Additional documentation
├── reports/ # Generated reports (output directory)
│
└── .github/
└── workflows/
├── compliance.yml # Compliance check workflow
├── security.yml # Security scan workflow
├── dependency-scan.yml # Dependency vulnerability scan
├── secret-scan.yml # Secret detection workflow
└── sbom-scan.yml # SBOM generation and vulnerability scan
Directory Purposes¶
| Directory | Created by | Updated by | Git Track |
|---|---|---|---|
.ges/ |
ges init |
ges audit, ges score |
Optional |
compliance/ |
ges init |
ges generate --docs |
Yes |
security/ |
ges init |
ges generate --docs |
Yes |
controls/ |
ges init |
ges policy install/remove |
Yes |
policies/ |
ges init |
Manual | Yes |
checklists/ |
ges init |
Manual | Yes |
docs/ |
ges init |
Manual | Yes |
reports/ |
ges report |
ges report |
No |
.dev-logs/ |
ges init |
AI assistants via MCP | No (gitignored) |
.github/workflows/ |
ges init |
ges generate --workflows |
Yes |
What to Commit¶
Always commit:
compliance/— Compliance documents for audit trailsecurity/— Security policiescontrols/— Control definitions.github/workflows/— CI/CD enforcement
Optional:
.ges/— Commit if you want score history in git; add to.gitignoreif you want local-only scores
Never commit:
reports/— Generated output, add to.gitignore.dev-logs/— Developer logs and AI recommendations, gitignored by default
Language-Agnostic¶
GESF works with any programming language. The project structure above is the same regardless of whether your codebase is Node.js, Python, Rust, Go, Java, Ruby, PHP, or .NET. The ges scan command auto-detects your ecosystem from lockfiles and runs the matching dependency auditor.