Skip to content

Latest commit

 

History

History
138 lines (106 loc) · 7.12 KB

README.md

File metadata and controls

138 lines (106 loc) · 7.12 KB

compliance-to-policy-go

Logo Compliance-to-Policy (also known as C2P)

Compliance-to-Policy (C2P) is designed to bridge Compliance as Code such as Open Security Controls Assessment Language (OSCAL) and Policy as Code used by Policy Validation Point (PVP). It generates policies in native format of PVP from OSCAL Component Definitions and produces OSCAL Assessment Results from the native assessment results of PVP. C2P can be used both as a command-line tool and a Python library, making it easy and flexible to integrate into your Continuous Compliance pipelines, such as GitHub Actions, Tekton Pipelines, or Agile Authoring Pipelines. It supports multiple PVP engines, including Kyverno and Open Cluster Management Policy Framework.

C2P Overview

  1. Compliance-to-Policy (C2P) is running in GitOps Pipeline, Kubernetes controller, or Python/Go environment
  2. C2P receives Compliance as Code, for example OSCAL Component Definition that represents mapping between controls and policies (policy names/ids)
  3. C2P generates policies through plugin for each policy engine
    • The plugin is responsible for implementing a function that takes policy names/ids and returns policies
  4. Policies are delivered to policy engines by GitOps sync, the subsequence pipeline task, Kubernetes controller, or a deployment automation program
  5. Results are collected from policy engines by a scheduled task or Kubernetes controller
  6. C2P aggregates the results of policy engines by controls through plugin for each policy engine
    • The plugin is responsible for implementing a function that takes the results of the policy engine and returns verdicts (pass/fail/error), reason, and/or resource name for each respective policy by its names/IDs.
  7. C2P produces Compliance Assessment Results, for example OSCAL Assessment Results that represents the assessment results of each control

Versions

C2P Go follows Semantic Versioning. All backward-incompatible changes are reserved for the next major release (2).

v1: stable

All v1.* releases are based upon the v1 branch.

v2: experimental

The main branch is where all v2 module development occurs.

Note that this version is under initial development and the API may change incompatibly from one commit to another on the main branch until the v2 module is released as stable. If importing, you should use the main branch (or a specific commit hash) for this module in your project's go.mod.

If you are seeking stability over new features, you are highly encouraged to use releases with major version 1.

Goals

Provide seamless integration with compliance frameworks and existing policy engines, and enable to use heterogeneous policy engines in compliance check operation

  • Flexibility in choice of policy engines and compliance frameworks
    • Provide plugins to cover various policy engines including proprietary/open source policy validation/enforcement engines, or in-house policy validation/enforcement program
    • Cover various compliance frameworks not only OSCAL but also other GRC frameworks and Cloud Security Posture Management services
  • Community-driven plugin extension
    • Provide an efficient plugin interface and development method

Supported Compliance Frameworks

  • Open Security Controls Assessment Language (OSCAL)
    • OSCAL standard provides a compliance framework and the corresponding set of key compliance artifacts expressed in machine processable formats enabling all compliance documents to be treated as code and therefore processed and managed in the same manner.

Supported Policy Engines

  • Kyverno (for Kubernetes resources)
    • Kyverno is a policy engine designed for Kubernetes, where policies are managed as Kubernetes resources. Kyverno policies can validate, mutate, generate, and clean up Kubernetes resources.
  • Open Cluster Management Policy Framework (for Kubernetes resources)
    • OCM is a multi-cluster management platform that provides governance of Kubernetes policies. Its policy framework allows for the validation and enforcement of policies across multiple clusters.

Prerequisite

Usage of C2P CLI

$ c2pcli -h        
C2P CLI

Usage:
  c2pcli [flags]
  c2pcli [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  kyverno     C2P CLI Kyverno plugin
  ocm         C2P CLI OCM plugin
  version     Display version

Flags:
  -h, --help   help for c2pcli

Use "c2pcli [command] --help" for more information about a command.

C2P is targeting a plugin architecture to cover not only OCM Policy Framework but also other types of PVPs. Please go to the docs for each usage.

Build at local

make build
./bin/c2pcli_<version>_<os>_<arch> -h

Test

make test

Release

  1. Create a git tag of the following format go/<version> (e.g. go/v0.1.2)
  2. Run release command
    echo $PAT | gh auth login --with-token -h github.com
    make release 
    

License & Authors

If you would like to see the detailed LICENSE click here. Consult contributors for a list of authors and maintainers for the core team.

# Copyright (c) 2024 The OSCAL Compass Authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


We are a Cloud Native Computing Foundation sandbox project.

The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see Trademark Usage".

Compliance to Policy was originally created by IBM.