The OSCAL Compass project is set of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. It leverages NIST's OSCAL (Open Security Controls Assessment Language) as a standard data format for interchange between tools and people, and provides an opinionated approach to OSCAL SDK and adoption by policy engines.
The OSCAL Compass project is hosted by the Cloud Native Computing Foundation (CNCF)
Check out the Community README to get started with using and contributing to the project. The README also details all the ways to collaborate with project maintainers and your fellow users of OSCAL Compass tools. Anyone is welcome to participate and contribute provided they follow the OSCAL Compass Code of Conduct.
Trestle - Command line tool and SDK for interacting with OSCAL-based compliance-as-code documents
Agile Authoring - Ready to use CI/CD pipeline configuration and setup using a GitOps approach and Trestle SDK for human and machine readable OSCAL compliance documents collaborative authoring. Manage semantic versioning, provenance traceability, change log, and approval based release to foster continuous compliance.
Compliance to Policy (AKA C2P) - C2P is a plugin based tool to deploy compliance-as-code represented in OSCAL into policy validation or enforcement engines and collect and normalize their native results into OSCAL audit required format. Supported Policy Engines include Kyverno (for Kubernetes resources), Open Cluster Management Policy Framework (for Kubernetes resources), Auditree (generic).
https://oscal-compass.github.io
Note: This has Trestle specific information
Personas and Roles
Trestle SDK
Artifacts and Personas
Topologies of Compliance Policy Administration Centers
A Lack of Network Boundaries Invites a Lack of Compliance
Compliance to Policy for Multiple Kubernetes Clusters
