Skip to content

Commit

Permalink
feat: sync_cac_content command and task CPLYTM-437 for OSCAL Profiles…
Browse files Browse the repository at this point in the history 
… sorted by level

This commit specifically addresses CPLYTM-437 - creating a base level
skeleton to match control ids with profiles. This commit includes the
initial setup work for the SyncCacContentProfile task and the
`sync_cac_content_profile` CLI command. The merged commits from
trestle-bot complytime:main haven't been altered, but are included from rebasing commits. The original merged commit messages from complytime:main of trestle-bot are listed below for reference.

docs: applying suggestions from code review for authoring CI workflows

Co-authored-by: Jennifer Power <[email protected]>

fix: run the paths-filter step in its own job (complytime#370)

Signed-off-by: Jennifer Power <[email protected]>

build(deps-dev): bump mkdocs-material from 9.5.37 to 9.5.43 (complytime#377)

Bumps [mkdocs-material](https://github.com/squidfunk/mkdocs-material) from 9.5.37 to 9.5.43.
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases)
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG)
- [Commits](squidfunk/mkdocs-material@9.5.37...9.5.43)

---
updated-dependencies:
- dependency-name: mkdocs-material
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

build(deps-dev): bump virtualenv from 20.26.5 to 20.27.1 (complytime#379)

Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.26.5 to 20.27.1.
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](pypa/virtualenv@20.26.5...20.27.1)

---
updated-dependencies:
- dependency-name: virtualenv
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

build(deps): bump argcomplete from 3.5.0 to 3.5.1 (complytime#371)

Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.5.0 to 3.5.1.
- [Release notes](https://github.com/kislyuk/argcomplete/releases)
- [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst)
- [Commits](kislyuk/argcomplete@v3.5.0...v3.5.1)

---
updated-dependencies:
- dependency-name: argcomplete
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

build(deps): bump httpcore from 1.0.5 to 1.0.6 (complytime#373)

Bumps [httpcore](https://github.com/encode/httpcore) from 1.0.5 to 1.0.6.
- [Release notes](https://github.com/encode/httpcore/releases)
- [Changelog](https://github.com/encode/httpcore/blob/master/CHANGELOG.md)
- [Commits](encode/httpcore@1.0.5...1.0.6)

---
updated-dependencies:
- dependency-name: httpcore
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

docs: add authoring tutorial (complytime#375)

* docs: add authoring tutorial

* docs: fix typos and add statement around pull request best practices

chore: add openssf scorecard workflow (complytime#359)

Signed-off-by: Jennifer Power <[email protected]>

build(deps): bump compliance-trestle from 3.4.0 to 3.5.0 (complytime#380)

Bumps [compliance-trestle](https://github.com/oscal-compass/compliance-trestle) from 3.4.0 to 3.5.0.
- [Release notes](https://github.com/oscal-compass/compliance-trestle/releases)
- [Changelog](https://github.com/oscal-compass/compliance-trestle/blob/develop/CHANGELOG.md)
- [Commits](oscal-compass/compliance-trestle@v3.4.0...v3.5.0)

---
updated-dependencies:
- dependency-name: compliance-trestle
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

docs: adr-001 cli implementation (complytime#347)

* docs: adding draft of CLI decision record

* docs: adding details around config file

* docs: refactor wording for clarity

* docs: update config example

* expand content for default behaviors around oscal-model

feat: 295 monorepo directory structure design proposal (complytime#389)

* initial directory structure organization

* feat: initial work on config and common options

* chore: add openssf scorecard workflow (complytime#359)

Signed-off-by: Jennifer Power <[email protected]>

* build(deps): bump compliance-trestle from 3.4.0 to 3.5.0 (complytime#380)

Bumps [compliance-trestle](https://github.com/oscal-compass/compliance-trestle) from 3.4.0 to 3.5.0.
- [Release notes](https://github.com/oscal-compass/compliance-trestle/releases)
- [Changelog](https://github.com/oscal-compass/compliance-trestle/blob/develop/CHANGELOG.md)
- [Commits](oscal-compass/compliance-trestle@v3.4.0...v3.5.0)

---
updated-dependencies:
- dependency-name: compliance-trestle
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: adds logic to load yaml config into click context to set defautl values.  improves config error handling.

* feat: adds debug logging statements

* feat: add markdown directory creation and call to compliance trestle init

* feat: simplify directory creation and better error handling for invalid configs

* feat: initial work on autosync

* Initial create command for click cli

* Initial create command for click cli

* adding unit test for config module

* adding unit test for config module

* Update autosync command

* Update autosync command

* feat: add ssp index option

* feat: add ssp index option

* add unit tests for init command

* add unit tests for init command

* feat: root call create and logging replacement

* feat: root call create and logging replacement

* feat: add upstream commands, fix common options decorators, expand config

* feat: add upstream commands, fix common options decorators, expand config

* Update autosync options and add tests

* Update autosync options and add tests

* docs: adr-001 cli implementation (complytime#347)

* docs: adding draft of CLI decision record

* docs: adding details around config file

* docs: refactor wording for clarity

* docs: update config example

* expand content for default behaviors around oscal-model

* feat: add logic to make_config for nested upstream model and update related tests

* feat: add logic to make_config for nested upstream model and update related tests

* feat: create command logic for compdef and ssp

* feat: create command logic for compdef and ssp

* feat: create command updates to prompts and logger messages

* feat: create command updates to prompts and logger messages

* feat: add default git info to init prompts and config

* feat: add default git info to init prompts and config

* fix hidden keep file creation

* fix hidden keep file creation

* Add rule-transform command and unit test

* Add rule-transform command and unit test

* feat: create command logic and adding unit tests

* feat: create command logic and adding unit tests

* Fix AttributeError, some misc updates

AttributeError: 'NoneType' object has no attribute 'encode'

* Fix AttributeError, some misc updates

AttributeError: 'NoneType' object has no attribute 'encode'

* feat: unit tests added for create command

* feat: unit tests added for create command

* refactor sync upstreams and autosync to match existing entrypoint syntax

* refactor sync upstreams and autosync to match existing entrypoint syntax

* Fix AttributeError, some misc updates

AttributeError: 'NoneType' object has no attribute 'encode'

* Fix AttributeError, some misc updates

AttributeError: 'NoneType' object has no attribute 'encode'

* feat: unit tests added for create command

* feat: unit tests added for create command

* fix: docstrings added for create command unit tests

* fix: docstrings added for create command unit tests

* add file pattern filter

* add file pattern filter

* fix: updated headers with license and copyright

* fix: updated headers with license and copyright

* fix: updated logger statements

* fix: updated logger statements

* fix: logger statements shortened

* fix: logger statements shortened

* fix: yaml default deletion

* fix: yaml default deletion

* docs: updates to reference the CLI commands in the README.md

* docs: updates to reference the CLI commands in the README.md

* feat: update for required ssp name

* feat: update for required ssp name

* Update trestlebot/cli/commands/init.py

Co-authored-by: Jennifer Power <[email protected]>

* Update trestlebot/cli/commands/init.py

Co-authored-by: Jennifer Power <[email protected]>

* Update trestlebot/cli/commands/init.py

Co-authored-by: Jennifer Power <[email protected]>

* Update trestlebot/cli/commands/init.py

Co-authored-by: Jennifer Power <[email protected]>

* fix typo in error msg

* fix typo in error msg

* fix help text for sync upstreams

* fix help text for sync upstreams

* fix: update for help text and testing location errors

* fix: update for help text and testing location errors

* fix: update for clarity on profile name for trestle workspace

* fix: update for clarity on profile name for trestle workspace

* Fix AssertionError, add missing register

* Fix AssertionError, add missing register

* fix: profile name prompting update

* fix: profile name prompting update

* feat: updating compdef list to required

* feat: updating compdef list to required

* docs: change of verbiage for readability

* docs: change of verbiage for readability

* docs: change to indicate trestle-bot as a cli tool

* docs: change to indicate trestle-bot as a cli tool

* feat: change to help description of create command

* feat: change to help description of create command

* docs: added high level folder structure for cli

* docs: added high level folder structure for cli

* fix: default value returned if no key in dictionary

* fix: default value returned if no key in dictionary

* feat: align skip-item option to skip-items

* feat: align skip-item option to skip-items

* fix: add missing git options in create command

* fix: add missing git options in create command

* fix: refactor testt and remove prompts

* fix: refactor testt and remove prompts

* fix: formatting issues and typos

* fix: formatting issues and typos

* chore: update poetry lock with latest dependencies

Signed-off-by: George Vauter <[email protected]>

* chore: update poetry lock with latest dependencies

Signed-off-by: George Vauter <[email protected]>

* fix: do not overwrite config path if set

Signed-off-by: George Vauter <[email protected]>

* fix: do not overwrite config path if set

Signed-off-by: George Vauter <[email protected]>

* fix: do not overwrite config path if set

Signed-off-by: George Vauter <[email protected]>

* fix: do not overwrite config path if set

Signed-off-by: George Vauter <[email protected]>

---------

Signed-off-by: Jennifer Power <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: George Vauter <[email protected]>
Co-authored-by: Hannah Braswell <[email protected]>
Co-authored-by: Jennifer Power <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Qingmin Duanmu <[email protected]>

feat: initialize command for cac to oscal transformation

chore: update pyproject.toml entrypoints to cli root command

chore: update actions with new cli design

docs: update CONTRIBUTING.md

chore: update actions for debug and config options

chore: rename rule-transform to rules-transform

fix: update e2e test to use new commands

fix: update create command for e2e testing

Changes made to  use compdef_name reference instead of profile_name for model filter

fix: a typo in autosync command

fix: sys.exit with errorcode when exceptions

fix: fix a typo in cli root

feat: populate cac content product name as component title

Signed-off-by: Sophia Wang <[email protected]>

Add unitest for populate cac product nameto component title

Signed-off-by: Sophia Wang <[email protected]>

Move the ssg connections from utils to cac transformer

Signed-off-by: Sophia Wang <[email protected]>

Add function to only update not recreate component definition if it exists

Signed-off-by: Sophia Wang <[email protected]>

Update the component description as the product full name

Signed-off-by: Sophia Wang <[email protected]>

add the sync cac content task to push local change to remote

Signed-off-by: Sophia Wang <[email protected]>

chore: allow lower case in PR subject (complytime#406)

Signed-off-by: George Vauter <[email protected]>

feat: add cac content rules transformation

feat: CPLYTM-421 create validation component from rules

Signed-off-by: Sophia Wang <[email protected]>

chore: add notice regarding repo org move (complytime#413)

Signed-off-by: George Vauter <[email protected]>

chore: update SyncCacContentTask

feat: add unit test for validation component

Signed-off-by: Sophia Wang <[email protected]>

:arrow_up: bump actions/download-artifact from 4.1.7 to 4.1.8

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.7 to 4.1.8.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@65a9edc...fa0a91b)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

build(deps): bump actions/upload-artifact from 4.3.4 to 4.6.0

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.4 to 4.6.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@0b2256b...65c4c4a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

feat: sync cac content profile task and subcommand

Add create_or_update to AuthoredProfile

Signed-off-by: Jennifer Power <[email protected]>

test: adds tests and updates to sync_cac_profile_task

Signed-off-by: Jennifer Power <[email protected]>

feat: sync cac content profile task and subcommand

fix: updating the cac_content_root type to pass a string

fix: fixes linting errors for sync_cac_content_profile task

Signed-off-by: Jennifer Power <[email protected]>

feat: sync cac content profile task and subcommand

feat: sync cac content profile task and subcommand

feat: testing repo passed before content dir

feat: testing repo passed before content dir

fix: unit tests in pycharm

PyCharm sets the CWD of unit tests to the tests directory by default,
but the unit tests assume a CWD of the repo root. This updates the unit
tests not to rely on the assumption of CWD

Signed-off-by: d10n <[email protected]>

feat: testing with catalog path extension

feat: testing for metadata checks

feat: testing for oscal profile imports

fix: testing oscal profile populated in correct path

fix: testing oscal profile populated in correct path

fix: testing oscal profile populated in correct path

fix: testing oscal profile populated in correct path

fix: testing oscal profile populated in correct path

fix: testing oscal profile populated in correct path

fix: pinpointing existing error 2

fix: pinpointing error by not including a default for filter_by_level

fix: pinpointing error by not including a default for filter_by_level

fix: pinpointing error by not including a default for filter_by_level

fix: pinpointing error by not including a default for filter_by_level

fix: pinpointing error by not including a default for filter_by_level

fix: pinpointing error by not including a default for filter_by_level

fix: pinpointing error by not including a default for filter_by_level

fix: pinpointing error by not including a default for filter_by_level

fix: adding command to root

fix: adding modelutils handler for getting the correct catalog path

fix: adding modelutils handler for getting the correct catalog path

fix: taking catalog kwargs as part of path for profile data

fix: taking catalog kwargs as part of path for profile data

fix: taking catalog kwargs as part of path for profile data

fix: taking catalog kwargs as part of path for profile data

feat: updates for unit testing for sync_cac_content_profile command

feat: add parameter transformation

feat: update poetry.lock and add jinja macros

fix: improve the validation components with parameters

Signed-off-by: Sophia Wang <[email protected]>

fix: fix test failure in validation component

feat: update rule description value with rule title

chore: create a minimalist macro file for unit tests

This file contains only the necessary macros used by rules in the
content_dir directory.

Signed-off-by: Marcus Burghardt <[email protected]>

chore: remove macros not relevant for current tests

This keeps the test content simpler and smaller.

Signed-off-by: Marcus Burghardt <[email protected]>
  • Loading branch information
@hbraswelrh
hbraswelrh committed Jan 21, 2025
1 parent 469fbe8 commit 154f9f3
Show file tree
Hide file tree
Showing 67 changed files with 5,033 additions and 771 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/codecov.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:
run: make test-code-cov

- name: Upload artifact
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # pin@v4
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # pin@v4
with:
name: coverage
path: coverage.xml
Expand All @@ -39,7 +39,7 @@ jobs:
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Get coverage
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # pin@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # pin@v4
with:
name: coverage
- name: SonarCloud Scan
Expand Down
49 changes: 49 additions & 0 deletions .github/workflows/scorecard.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
name: Scorecard analysis workflow
on:
push:
# Only the default branch is supported.
branches:
- main
schedule:
# Weekly on Saturdays.
- cron: '30 1 * * 6'

permissions: read-all

jobs:
analysis:
if: github.repository == 'RedHatProductSecurity/trestle-bot'
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
# Needed for Code scanning upload
security-events: write
# Needed for GitHub OIDC token if publish_results is true
id-token: write

steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
with:
persist-credentials: false

- name: Run analysis
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true

- name: Upload artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # pin@v4
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
with:
sarif_file: results.sarif
36 changes: 25 additions & 11 deletions CONTRIBUTING.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ Before you start contributing, please take a moment to read through the guide be
- [Documentation](#documentation)
- [Architecture Decisions](#architecture-decisions)
- [Update the `actions` files](#update-the-actions-files)
- [Authoring CI Workflows](#authoring-ci-workflows)
- [License Text in Files](#license-text-in-files)
- [Tools](#tools)
- [Format and Styling](#format-and-styling)
Expand Down Expand Up @@ -72,7 +73,9 @@ For workflow diagrams, see the [diagrams](./docs/workflows/) under the `docs` fo
#### Code structure

- `actions` - Provides specific logic for `trestle-bot` tasks that are packaged as Actions. See [README.md](./actions/README.md) for more information.
- `entrypoints` - Provides top level logic for specific user-facing tasks. These tasks are not necessarily related in any way so they are not organized into a hierarchical command structure, but they do inherit logic and flags from a base class.
- `cli` - Provides top level logic for specific user-facing tasks. These tasks are not necessarily related so they are not organized into a hierarchical command structure, but they do share some common modules.
- `cli/commands` - Provides top level logic for commands and their associated subcommands. The commands are accessed by the single entrypoint `root.py`.
- `cli/options` - Provides command line options and arguments that are frequently used within `cli/commands`.
- `provider.py, github.py, and gitlab.py` - Git provider abstract class and concrete implementations for interacting with the API.
- `tasks` - Pre-tasks can be configured before the main git logic is run. Any task that does workspace management should go here.
- `tasks/authored` - The `authored` package contains logic for managing authoring tasks for single instances of a top-level OSCAL model. These encapsulate logic from the `compliance-trestle` library and allows loose coupling between `tasks` and `authored` types.
Expand All @@ -97,6 +100,17 @@ Each `README.md` under the `actions` directory have an Actions Inputs and Action
make update-action-readmes
```

#### Authoring CI Workflows

The CI workflows for trestle-bot leverage third party actions pinned to a hash value which is updated by `dependabot.yml`. The purpose of pinning actions to a full length commit SHA is to ensure that the action's code and behavior remain consistent. Actions that are pinned to full length commit SHAs act as immutable releases which allow for distinction between versions and an accurate history log. When selecting a commit SHA to include, the SHA value that is associated with the version of the action should be chosen from the associated action's repository. Dependabot checks for the action's reference against the latest version ensuring a secure and consistent approach to managing dependencies and version updating.

To generate a pin for a third party action, there should be a full length commit SHA associated with the version of the action being referenced. The reference used is the full length SHA, tag, or branch that dependabot will use when updating dependencies and bumping versions.

- The syntax for a specified action is: `OWNER/REPOSITORY@TAG-OR-SHA`.
- The syntax for a specified reusable workflow is: `OWNER/REPOSITORY/PATH/FILENAME@TAG-OR-SHA`.

This approach is used for authoring CI workflows that utilize versioned actions to produce frequent updates from dependabot for python and GitHub Actions.

### License Text in Files

Please use the SPDX license identifier in all source files.
Expand Down Expand Up @@ -146,11 +160,11 @@ make test-e2e
#### Run with poetry
```
make develop
poetry run trestlebot-autosync
poetry run trestlebot-rules-transform
poetry run trestlebot-create-cd
poetry run trestlebot-sync-upstreams
poetry run trestlebot-create-ssp
poetry run trestlebot autosync
poetry run trestlebot rules-transform
poetry run trestlebot create compdef
poetry run trestlebot sync-upstreams
poetry run trestlebot create ssp
```

#### Local testing
Expand Down Expand Up @@ -178,15 +192,15 @@ INPUT_SKIP_ITEMS=
INPUT_DRY_RUN=true
INPUT_SKIP_ASSEMBLE=false
INPUT_SKIP_REGENERATE=false
INPUT_REPOSITORY=.
INPUT_REPO_PATH=.
INPUT_BRANCH=test
INPUT_MARKDOWN_PATH=markdown/profiles
INPUT_MARKDOWN_DIR=markdown/profiles
INPUT_OSCAL_MODEL=profile
INPUT_SSP_INDEX_PATH=
INPUT_SSP_INDEX_FILE=
INPUT_COMMIT_MESSAGE=
INPUT_COMMIT_USER_NAME=testuser
[email protected]
INPUT_FILE_PATTERN=*.md,*.json
INPUT_FILE_PATTERNS=*.md,*.json
INPUT_COMMIT_AUTHOR_NAME=
INPUT_COMMIT_AUTHOR_EMAIL=
INPUT_TARGET_BRANCH=
Expand Down Expand Up @@ -216,4 +230,4 @@ Once work on a release has been completed:
- Initial releases will have a `major` tag (if stable), `major`.`minor`, and the full version.
- The latest release will be rebuilt every thirty days to pull in base image updates. The same tags will
be published with the addition of `full-version`.`date` tag.
- Images can be built adhoc for testing purposes with the `workflow_dispatch` trigger.
- Images can be built adhoc for testing purposes with the `workflow_dispatch` trigger.
29 changes: 15 additions & 14 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,34 +6,35 @@
[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=rh-psce_trestle-bot&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=rh-psce_trestle-bot)


** **Note: Trestle-bot has moved from [RedHatProductSecurity](https://github.com/RedHatProductSecurity/) to the [Complytime](https://github.com/complytime/) GitHub organization.** **

trestle-bot assists users in leveraging [Compliance-Trestle](https://github.com/oscal-compass/compliance-trestle) in CI/CD workflows for [OSCAL](https://github.com/usnistgov/OSCAL) formatted compliance content management.
trestle-bot is a CLI tool that assists users in leveraging [Compliance-Trestle](https://github.com/oscal-compass/compliance-trestle) in CI/CD workflows for [OSCAL](https://github.com/usnistgov/OSCAL) formatted compliance content management.

> WARNING: This project is currently under initial development. APIs may be changed incompatibly from one commit to another.
## Getting Started

### Available Commands

The `autosync` command will sync trestle-generated Markdown files to OSCAL JSON files in a trestle workspace. All content under the provided markdown directory when the action is run will be transformed. This action supports all top-level models [supported by compliance-trestle for authoring](https://oscal-compass.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring/).
The `autosync` command will sync trestle-generated Markdown files to OSCAL JSON files in a trestle workspace. All content under the provided markdown directory will be transformed when the action is run. This action supports all top-level models [supported by compliance-trestle for authoring](https://oscal-compass.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring/).

The `rules-transform` command can be used when managing [OSCAL Component Definitions](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/component-definition/json-outline/) in a trestle workspace. The action will transform rules defined in the rules YAML view to an OSCAL Component Definition JSON file.

The `create-cd` command can be used to create a new [OSCAL Component Definition](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/component-definition/json-outline/) in a trestle workspace. The action will create a new Component Definition JSON file and corresponding directories that contain rules YAML files and trestle-generated Markdown files. This action prepares the workspace for use with the `rules-transform` and `autosync` actions.
The `create compdef` command can be used to create a new [OSCAL Component Definition](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/component-definition/json-outline/) in a trestle workspace. The action will create a new Component Definition JSON file and corresponding directories that contain rules YAML files and trestle-generated Markdown files. This action prepares the workspace for use with the `rules-transform` and `autosync` actions.

The `sync-upstreams` command can be used to sync and validate upstream OSCAL content stored in a git repository to a local trestle workspace. Which content is synced is determined by the `include_model_names` and `exclude_model_names` inputs.
The `sync-upstreams` command can be used to sync and validate upstream OSCAL content stored in a git repository to a local trestle workspace. The inputs `include_models` and `exclude_models` determine which content is synced to the trestle workspace.

The `create-ssp` command can be used to create a new [OSCAL System Security Plans](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/system-security-plan/json-outline/) (SSP) in a trestle workspace. The action will create a new SSP JSON file and corresponding directories that contain trestle-generated Markdown files. This action prepares the workspace for use with the `autosync` action by creating or updating the `ssp-index.json` file. The `ssp-index.json` file is used to track the relationships between the SSP and the other OSCAL content in the workspace for the `autosync` action.
The `create ssp` command can be used to create a new [OSCAL System Security Plans](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/system-security-plan/json-outline/) (SSP) in a trestle workspace. The action will create a new SSP JSON file and corresponding directories that contain trestle-generated Markdown files. This action prepares the workspace for use with the `autosync` action by creating or updating the `ssp-index.json` file. The `ssp-index.json` file is used to track the relationships between the SSP and the other OSCAL content in the workspace for the `autosync` action.

Below is a table of the available commands and their current availability as a GitHub Action:

| Command | Available as a GitHub Action |
|--------------------|------------------------------|
| `autosync` | &#10003; |
| `rules-transform` | &#10003; |
| `create-cd` | &#10003; |
| `sync-upstreams` | &#10003; |
| `create-ssp` | |
| Command | Available as a GitHub Action |
|-------------------|------------------------------|
| `autosync` | &#10003; |
| `rules-transform` | &#10003; |
| `create compdef` | &#10003; |
| `sync-upstreams` | &#10003; |
| `create ssp` | |

For detailed documentation on how to use each action, see the README.md in each folder under [actions](./actions/).

Expand All @@ -47,7 +48,7 @@ provider information is supported for GitHub Actions (GitHub) and GitLab CI (Git

### Run as a Container

> Note: When running the commands in a container, all are prefixed with `trestlebot` (e.g. `trestlebot-autosync`). The default entrypoint for the container is the autosync command.
> Note: When running the commands in a container, all are prefixed with `trestlebot` (e.g. `trestlebot autosync`). The default entrypoint for the container is the autosync command.
Build and run the container locally:

Expand All @@ -72,4 +73,4 @@ This project is licensed under the Apache 2.0 License - see the [LICENSE.md](LIC

## Troubleshooting

See [TROUBLESHOOTING.md](./TROUBLESHOOTING.md) for troubleshooting tips.
See [TROUBLESHOOTING.md](./TROUBLESHOOTING.md) for troubleshooting tips.
24 changes: 15 additions & 9 deletions TEMPLATES/github/trestlebot-rules-transform.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,11 +17,24 @@ concurrency:
cancel-in-progress: true

jobs:
check_rules:
runs-on: ubuntu-latest
outputs:
rules_changed: ${{ steps.changes.outputs.rules }}
steps:
- uses: actions/checkout@v4
- uses: dorny/paths-filter@v3
id: changes
with:
filters: |
rules:
- 'rules/**'
rules-transform-and-autosync:
name: Rules Transform and AutoSync
runs-on: ubuntu-latest
permissions:
contents: write
needs: check_rules
steps:
- name: Checkout repository
uses: actions/checkout@v4
Expand All @@ -31,16 +44,9 @@ jobs:
with:
markdown_path: "markdown/component-definitions"
oscal_model: "compdef"
file_pattern: "*.json,markdown/*"
- name: Check if rules changed
id: changes
uses: dorny/paths-filter@v3
with:
filters: |
rules:
- 'rules/**'
commit_message: "Autosync component definition content [skip ci]"
- name: Rules Transform
if: steps.changes.outputs.rules == 'true'
if: needs.check_rules.outputs.rules_changed == 'true'
uses: RedHatProductSecurity/trestle-bot/actions/rules-transform@main
with:
markdown_path: "markdown/component-definitions"
Expand Down
18 changes: 9 additions & 9 deletions actions/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,13 @@ This document provides instructions and examples for creating and using GitHub A
## Directory Structure

- Actions related to trestle-bot are located in the `actions` directory.
- Actions should correlate an entrypoint under the `trestlebot/entrypoints` directory.
- Actions should correlate a command under the `trestlebot/cli/commands` directory.

## Adding a New Action

Contributors should scope trestle-bot actions to workspace management and checks. To add a new action:

> Prerequisite: An entrypoint was created under the `trestlebot/entrypoints` directory and added to the `pyproject.toml` under `[tool.poetry.scripts]`
> Prerequisite: An entrypoint was created under the `trestlebot/cli` directory and added to the `pyproject.toml` under `[tool.poetry.scripts]`
1. Create a new directory in the `actions` directory.
2. In the new directory, create an `action.yml` file that references the Dockerfile in the root of the repository.
Expand Down Expand Up @@ -48,7 +48,7 @@ jobs:
- uses: actions/checkout@v4
- uses: RedHatProductSecurity/trestle-bot/actions/create-cd@main
with:
markdown_path: "markdown/components"
markdown_dir: "markdown/components"
profile_name: "my-profile"
component_definition_name: "my-component-definition"
component_title: "my-component"
Expand Down Expand Up @@ -96,7 +96,7 @@ jobs:
id: autosync
uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
with:
markdown_path: "md_comp"
markdown_dir: "md_comp"
oscal_model: "compdef"
commit_message: "Autosync component definition content [skip ci]"
# Rule transformation is not idempotent, so you may only want to run this
Expand All @@ -115,7 +115,7 @@ jobs:
id: transform
uses: RedHatProductSecurity/trestle-bot/actions/rules-transform@main
with:
markdown_path: "md_comp"
markdown_dir: "md_comp"
commit_message: "Auto-transform rules [skip ci]"
```

Expand Down Expand Up @@ -148,7 +148,7 @@ jobs:
id: autosync
uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
with:
markdown_path: "md_comp"
markdown_dir: "md_comp"
oscal_model: "compdef"
dry_run: true
- uses: dorny/paths-filter@v3
Expand All @@ -162,7 +162,7 @@ jobs:
id: transform
uses: RedHatProductSecurity/trestle-bot/actions/rules-transform@main
with:
markdown_path: "md_comp"
markdown_dir: "md_comp"
dry_run: true
```

Expand Down Expand Up @@ -210,7 +210,7 @@ jobs:
if: steps.trestlebot.outputs.changes == 'true'
uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
with:
markdown_path: "markdown/components"
markdown_dir: "markdown/components"
oscal_model: "compdef"
branch: "sync-upstream-${{ github.run_id }}"
skip_assemble: true
Expand Down Expand Up @@ -244,7 +244,7 @@ jobs:
- name: Autosync
uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
with:
markdown_path: "md_comp"
markdown_dir: "md_comp"
oscal_model: "compdef"
commit_message: "Update content for release [skip ci]"
version: ${{ github.event.inputs.version }}
Expand Down
Loading

0 comments on commit 154f9f3

Please sign in to comment.