Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lula Integration in CI #458

Closed
4 tasks
CloudBeard opened this issue Jun 5, 2024 · 1 comment · Fixed by #496
Closed
4 tasks

Lula Integration in CI #458

CloudBeard opened this issue Jun 5, 2024 · 1 comment · Fixed by #496
Assignees
@CloudBeard
Labels
ci Issues pertaining to CI / Pipelines / Testing enhancement New feature or request

Comments

@CloudBeard
Copy link
Contributor

Is your feature request related to a problem? Please describe.

Integrate Lula into the CI process to verify UDS Core configuration against compliance controls. This integration will determine if the controls are satisfied and provide evidence to demonstrate compliance to assessors in an automated and continuous manner.

This approach enables early detection of changes that may impact compliance, offering a mechanism to prevent non-compliant changes if desired. It ensures compliance in a quantitative way, providing assurance and clarity.

Describe the solution you'd like

  • Integrate Lula Lint Task from uds-common to lula lint new/modified OSCAL files in CI.

  • Integrate Lula Validate Task from uds-common to run lula validate against OSCAL and supporting files to determine pass fail for compliance controls.

  • Integrate Lula Evaluate Task from uds-common to run lula evaluate after upgrade to compare previous assessment-results (OSCAL) to current to determine changes.

  • Update location of current OSCAL files.

Describe alternatives you've considered

Considered GitHub Actions to perform the same functionality but following the Task pattern provides a better mechanism for usage outside of GitHub.

Additional context

Is dependent on creation of tasks issues being completed first.
@CloudBeard CloudBeard added the enhancement New feature or request label Jun 5, 2024
@brandtkeller
Copy link
Member

brandtkeller commented Jun 7, 2024
edited
Loading

One proposed structure for the repository:

.
|-- README.md
|-- oscal.yaml <-- this file imports all children + UDS specific controls + stores assessments for use in pipeline threshold
|-- src
|   |-- istio
|   |   |-- component.yaml <-- these are composed and 
|   |-- loki
|   |   |-- component.yaml
|   |-- pepr
|   |   |-- component.yaml
|   |-- neuvector
|   |   |-- component.yaml

Idea here is this structure supports a single location for Lula to execute validations from and establishes greater compliance awareness. Even OSCAL without any Lula validations is still valuable to reporting. Having numbers for controls present vs those satisfied is a point of iteration.

Future exploration could mean looking at how to make this data transient. Including the compliance information as files in each package or composing during bundle for inclusion, transport and discovery in target environments.

@brandtkeller brandtkeller mentioned this issue Jun 19, 2024
Merged
5 tasks
@mjnagel mjnagel added the ci Issues pertaining to CI / Pipelines / Testing label Jul 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@CloudBeard CloudBeard

Labels
ci Issues pertaining to CI / Pipelines / Testing enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore(oscal): begin integration of composed oscal with validations defenseunicorns/uds-core
3 participants
@mjnagel @brandtkeller @CloudBeard