Skip to main content

Tools to manage & autogenerate python objects representing the OSCAL layers/models

Project description

Logo Compliance-trestle (also known as trestle)

OS Compatibility PyPI - Python Version Pre-commit Code Coverage Quality gate Pypi GitHub Actions status

Trestle is an ensemble of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. It leverages NIST's OSCAL as a standard data format for interchange between tools and people, and provides an opinionated approach to OSCAL adoption.

Trestle is designed to operate as a CICD pipeline running on top of compliance artifacts in git, to provide transparency for the state of compliance across multiple stakeholders in an environment friendly to developers. Trestle passes the generated artifacts onto tools that orchestrate the enforcement, measurement, and reporting of compliance.

It also provides tooling to manage OSCAL documents in a more human-friendly manner. By splitting large OSCAL data structures into smaller and easier to edit sub-structures, creation and maintenance of these artifacts can follow normal git workflows including peer review via pull request, versioning, releases/tagging.

Trestle provides three separate but related functions in the compliance space:

  • Manage OSCAL documents to allow editing and manipulation while making sure the schemas are enforced
  • Transform documents from other formats to OSCAL
  • Provide support and governance to author compliance content as markdown and drawio.

Trestle provides tooling to help orchestrate the compliance process across a number of dimensions:

  • Help manage OSCAL documents in a more human-friendly manner by expanding the large OSCAL data structures into smaller and easier to edit sub-structures while making sure the schemas are enforced.
  • Transform documents from other formats to OSCAL
  • Provide governance for markdown documents and enforce consistency of format and content based on specified templates
  • Tooling manage authoring and governance of markdown and drawio files within a repository.
  • Support within trestle to streamline management within a managed git environment.
  • An underlying object model that supports developers interacting with OSCAL artifacts.

Why Trestle

Compliance suffers from being a complex topic that is hard to articulate simply. It involves complete and accurate execution of multiple procedures across many disciplines (e.g. IT, HR, management) with periodic verification and audit of those procedures against controls.

While it is possible to manage the description of controls and how an organisation implements them in ad hoc ways with general tools (spreadsheets, documents), this is hard to maintain for multiple accreditations and, in the IT domain at least, creates a barrier between the compliance efforts and the people doing daily work (DevOps staff).

Trestle aims to reduce or remove this barrier by bringing the maintenance of control descriptions into the DevOps domain. The goal is to have changes to the system (for example, updates to configuration management) easily related to the controls impacted, and to enable modification of those controls as required in concert with the system changes.

Trestle implicitly provides a core opinionated workflow driven by its pipeline to allow standardized interlocks with other compliance tooling platforms.

Machine readable compliance format

Compliance activities at scale, whether size of estate or number of accreditations, require automation to be successful and repeatable. OSCAL as a standard allows teams to bridge between the "Governance" layer and operational tools.

By building human managed artifacts into OSCAL, Trestle is not only able to validate the integrity of the artifacts that people generate - it also enables reuse and sharing of artifacts, and furthermore can provide suitable input into tools that automate operational compliance.

Supported OSCAL elements and extensions

trestle implicitly supports all OSCAL schemas for use within the object model. The development roadmap for trestle includes adding workflow around specific elements / objects that is opinionated.

Supported file formats for OSCAL objects.

OSCAL supports xml, json and yaml with their metaschema tooling. Trestle natively supports only json and yaml formats at this time.

Future roadmap anticipates that support for xml import and upstream references will be enabled. However, it is expected that full support will remain only for json and yaml.

Users needing to import XML OSCAL artifacts are recommended to look at NIST's XML to json conversion page here.

Python codebase, easy installation via pip

Trestle runs on almost all Python platforms (e.g. Linux, Mac, Windows), is available on PyPi and can be easily installed via pip. It is under active development and new releases are made available regularly.
To install run: pip install compliance-trestle
See Install trestle in a python virtual environment for the full installation guide.

Complete documentation and tutorials

Complete documentation, tutorials, and background on compliance can be found here.

Agile Authoring

A trestle-based agile authoring repository setup tool, documentation and tutorial can be found here.

Agile authoring comprises the following beneficial features:

  • based on OSCAL documents behind-the-scenes
  • employs GIT for document control and access
  • exposes text (markdown) and spread sheets (csv) to ease management of compliance artifacts
  • implements compliance digitization for improved audit readiness and cost effectiveness

Demos

A collection of demos utilizing trestle can be found in the related project compliance-trestle-demos.

Development status

v3: stable (actively developed)

  • supports NIST OSCAL 1.1.2 as well as previous versions

v2: stable (maintenance mode)

  • supports NIST OSCAL 1.0.4 as well as previous versions

Community meetings and communications

Please refer to the community README for communication details.

Contributing to Trestle

Our project welcomes external contributions. Please consult contributing to get started.

Code of Conduct

Participation in the OSCAL Compass community is governed by the Code of Conduct.

License & Authors

If you would like to see the detailed LICENSE click here. Consult contributors for a list of authors and maintainers for the core team.

# Copyright (c) 2024 The OSCAL Compass Authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

We are a Cloud Native Computing Foundation sandbox project.

The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see Trademark Usage".

Trestle was originally created by IBM.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

compliance_trestle-3.5.0.tar.gz (6.4 MB view details)

Uploaded Source

Built Distribution

compliance_trestle-3.5.0-py2.py3-none-any.whl (442.2 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file compliance_trestle-3.5.0.tar.gz.

File metadata

  • Download URL: compliance_trestle-3.5.0.tar.gz
  • Upload date:
  • Size: 6.4 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for compliance_trestle-3.5.0.tar.gz
Algorithm Hash digest
SHA256 29e342eb59e527ebea40da36a2632a8782fbe82e76fda12af72c5ef655856951
MD5 534a6c501ef6e844ecc64ddd07ec6cc6
BLAKE2b-256 511826079bfaf72ab9bd24030782affacd361f325119ba865ac02cb6c3a831d1

See more details on using hashes here.

File details

Details for the file compliance_trestle-3.5.0-py2.py3-none-any.whl.

File metadata

File hashes

Hashes for compliance_trestle-3.5.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 e7995683459b8a4ae77377e0934adc88190b1c612cddc000128b7ef19d71a066
MD5 47ad7ba003b225f223e36e803762365e
BLAKE2b-256 668e2bb2b906dcf8a179a5175d4ed0cc5b0b9ddd0b1e404ddfd0aa1ef8b6af54

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page