Compliance-to-Policy (C2P) is designed to bridge Compliance as Code such as Open Security Controls Assessment Language (OSCAL) and Policy as Code used by Policy Validation Point (PVP). It generates policies in native format of PVP from OSCAL Component Definitions and produces OSCAL Assessment Results from the native assessment results of PVP. C2P can be used both as a command-line tool and a Python library, making it easy and flexible to integrate into your Continuous Compliance pipelines, such as GitHub Actions, Tekton Pipelines, or Agile Authoring Pipelines. It supports multiple PVP engines, including Kyverno and Open Cluster Management Policy Framework.
- Compliance-to-Policy (C2P) is running in GitOps Pipeline, Kubernetes controller, or Python/Go environment
- C2P receives Compliance as Code, for example OSCAL Component Definition that represents mapping between controls and policies (policy names/ids)
- C2P generates policies through plugin for each policy engine
- The plugin is responsible for implementing a function that takes policy names/ids and returns policies
- Policies are delivered to policy engines by GitOps sync, the subsequence pipeline task, Kubernetes controller, or a deployment automation program
- Results are collected from policy engines by a scheduled task or Kubernetes controller
- C2P aggregates the results of policy engines by controls through plugin for each policy engine
- The plugin is responsible for implementing a function that takes the results of the policy engine and returns verdicts (pass/fail/error), reason, and/or resource name for each respective policy by its names/IDs.
- C2P produces Compliance Assessment Results, for example OSCAL Assessment Results that represents the assessment results of each control
C2P Go follows Semantic Versioning. All backward-incompatible changes are reserved for the next major release (2).
All v1.* releases are based upon the v1
branch.
The main
branch is where all v2
module development occurs.
Note that this version is under initial development and the API may change incompatibly from one commit to another on the main
branch until the v2
module is released as stable. If importing, you should use the main branch (or a specific commit hash) for this module in your project's go.mod
.
If you are seeking stability over new features, you are highly encouraged to use releases with major version 1.
Provide seamless integration with compliance frameworks and existing policy engines, and enable to use heterogeneous policy engines in compliance check operation
- Flexibility in choice of policy engines and compliance frameworks
- Provide plugins to cover various policy engines including proprietary/open source policy validation/enforcement engines, or in-house policy validation/enforcement program
- Cover various compliance frameworks not only OSCAL but also other GRC frameworks and Cloud Security Posture Management services
- Community-driven plugin extension
- Provide an efficient plugin interface and development method
- Open Security Controls Assessment Language (OSCAL)
- OSCAL standard provides a compliance framework and the corresponding set of key compliance artifacts expressed in machine processable formats enabling all compliance documents to be treated as code and therefore processed and managed in the same manner.
- Kyverno (for Kubernetes resources)
- Kyverno is a policy engine designed for Kubernetes, where policies are managed as Kubernetes resources. Kyverno policies can validate, mutate, generate, and clean up Kubernetes resources.
- Open Cluster Management Policy Framework (for Kubernetes resources)
- OCM is a multi-cluster management platform that provides governance of Kubernetes policies. Its policy framework allows for the validation and enforcement of policies across multiple clusters.
- Install Kustomize
- Install policy-generator plugin
$ c2pcli -h
C2P CLI
Usage:
c2pcli [flags]
c2pcli [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
kyverno C2P CLI Kyverno plugin
ocm C2P CLI OCM plugin
version Display version
Flags:
-h, --help help for c2pcli
Use "c2pcli [command] --help" for more information about a command.
C2P is targeting a plugin architecture to cover not only OCM Policy Framework but also other types of PVPs. Please go to the docs for each usage.
make build
./bin/c2pcli_<version>_<os>_<arch> -h
make test
- Create a git tag of the following format
go/<version>
(e.g.go/v0.1.2
) - Run release command
echo $PAT | gh auth login --with-token -h github.com make release
If you would like to see the detailed LICENSE click here. Consult contributors for a list of authors and maintainers for the core team.
# Copyright (c) 2024 The OSCAL Compass Authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
We are a Cloud Native Computing Foundation sandbox project.
The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see Trademark Usage".
Compliance to Policy was originally created by IBM.