compliance-trestle


- Name: compliance-trestle
- Version: 2.6.0
- Home page: https://oscal-compass.github.io/compliance-trestle
- Summary: Tools to manage & autogenerate python objects representing the OSCAL layers/models
- Upload time: 2024-02-22 15:29:49
- Author: IBM
- License: Apache Software License v2
- Requirements: No requirements were recorded.

# Compliance-trestle (also known as `trestle`)


______________________________________________________________________

<table>
<tr>
<td><img src="images/Apollo_11_liftoff.png">
<td> We've moved. Please note our new organizational location.
</table>

______________________________________________________________________

Trestle is an ensemble of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. It leverages NIST's [OSCAL](https://pages.nist.gov/OSCAL/documentation/) as a standard data format for interchange between tools and people, and provides an opinionated approach to OSCAL adoption.

Trestle is designed to operate as a CICD pipeline running on top of compliance artifacts in `git`, to provide transparency for the state of compliance across multiple stakeholders in an environment friendly to developers. Trestle passes the generated artifacts on to tools that orchestrate the enforcement, measurement, and reporting of compliance.

It also provides tooling to manage OSCAL documents in a more human-friendly manner. By splitting large OSCAL data structures into smaller and easier to edit sub-structures, creation and maintenance of these artifacts can follow normal `git` workflows including peer review via pull request, versioning, releases/tagging.

Trestle provides three separate but related functions in the compliance space:

- Manage OSCAL documents to allow editing and manipulation while making sure the schemas are enforced
- Transform documents from other formats to OSCAL
- Provide support and governance to author compliance content as markdown and drawio.

Trestle provides tooling to help orchestrate the compliance process across a number of dimensions:

- Help manage OSCAL documents in a more human-friendly manner by expanding the large OSCAL data structures into smaller and easier to edit sub-structures while making sure the schemas are enforced.
- Transform documents from other formats to OSCAL
- Provide governance for markdown documents and enforce consistency of format and content based on specified templates
- Tooling to manage authoring and governance of markdown and drawio files within a repository.
- Support within trestle to streamline management within a managed git environment.
- An underlying object model that supports developers interacting with OSCAL artefacts.

## Important Note:

The current version of trestle supports NIST OSCAL 1.0.0-4.  There was a breaking change in OSCAL moving from
version 1.0.0 to 1.0.2 mainly due to `prop` becoming `props` in AssessmentResults.  As a result, the current development path of trestle requires OSCAL 1.0.4, but for those who require OSCAL 1.0.0 please use trestle version 0.37.x.  That version is stable but will not have any features added, and we encourage users to move to OSCAL 1.0.4.

OSCAL version 1.0.0 files are still handled on import, but any AssessmentResults must conform to the OSCAL 1.0.4 schema, with
`props` instead of `prop`. All files created by trestle will be output as OSCAL version 1.0.4.

## Why Trestle

Compliance suffers from being a complex topic that is hard to articulate simply. It involves complete and accurate execution of multiple procedures across many disciplines (e.g. IT, HR, management) with periodic verification and audit of those procedures against controls.

While it is possible to manage the description of controls and how an organisation implements them in ad hoc ways with general tools (spreadsheets, documents), this is hard to maintain for multiple accreditations and, in the IT domain at least, creates a barrier between the compliance efforts and the people doing daily work (DevOps staff).

Trestle aims to reduce or remove this barrier by bringing the maintenance of control descriptions into the DevOps domain. The goal is to have changes to the system (for example, updates to configuration management) easily related to the controls impacted, and to enable modification of those controls as required in concert with the system changes.

Trestle implicitly provides a core opinionated workflow driven by its pipeline to allow standardized interlocks with other compliance tooling platforms.

## Machine readable compliance format

Compliance activities at scale, whether size of estate or number of accreditations, require automation to be successful and repeatable. OSCAL as a standard allows teams to bridge between the "Governance" layer and operational tools.

By building human managed artifacts into OSCAL, Trestle is not only able to validate the integrity of the artifacts that people generate - it also enables reuse and sharing of artifacts, and furthermore can provide suitable input into tools that automate operational compliance.

## Supported OSCAL elements and extensions

`trestle` implicitly supports all OSCAL schemas for use within the object model. The development roadmap for `trestle` includes adding workflow around specific elements / objects that is opinionated.

## Supported file formats for OSCAL objects

OSCAL supports `xml`, `json` and `yaml` with their [metaschema](https://github.com/usnistgov/metaschema) tooling. Trestle
natively supports only `json` and `yaml` formats at this time.

Future roadmap anticipates that support for xml [import](https://github.com/oscal-compass/compliance-trestle/issues/177) and [upstream references](https://github.com/oscal-compass/compliance-trestle/issues/178) will be enabled. However, it is expected
that full support will remain only for `json` and  `yaml`.

Users needing to import XML OSCAL artifacts are recommended to look at NIST's XML to json conversion page [here](https://github.com/usnistgov/OSCAL/tree/master/json#oscal-xml-to-json-converters).

## Python codebase, easy installation via pip

Trestle runs on almost all Python platforms (e.g. Linux, Mac, Windows), is available on PyPI and can be easily installed via pip. It is under active development and new releases are made available regularly.\
To install run: `pip install compliance-trestle`\
See [Install trestle in a python virtual environment](https://oscal-compass.github.io/compliance-trestle/python_trestle_setup/) for the full installation guide.

## Complete documentation and tutorials

Complete documentation, tutorials, and background on compliance can be found [here](https://oscal-compass.github.io/compliance-trestle).

## Agile Authoring

A trestle-based agile authoring repository setup tool, documentation and tutorial can be found [here](https://github.com/oscal-compass/compliance-trestle-agile-authoring).

Agile authoring comprises the following beneficial features:

- based on OSCAL documents behind-the-scenes
- employs Git for document control and access
- exposes text (markdown) and spreadsheets (csv) to ease management of compliance artifacts
- implements compliance digitization for improved audit readiness and cost effectiveness

## Demos

A collection of demos utilizing trestle can be found in the related project [compliance-trestle-demos](https://github.com/oscal-compass/compliance-trestle-demos).

## Development status

Compliance trestle is currently stable and is based on NIST OSCAL version 1.0.4, with active development continuing.

## Community meetings and communications

##### Scheduled meetings

Please attend! All are invited.

**When**: Every other Tuesday at 10:00 ET [convert to your local time](https://dateful.com/convert/est-edt-eastern-time)

To discover the actual meeting dates:

- Go to [Google Calendar](https://calendar.google.com/calendar/u/0/embed?src=0b8u5el8ta4s93t2cm72tuvhhk@group.calendar.google.com&ctz=America/Los_Angeles)
- Look at entries in `Tue` day of week for *Compliance Trestle Community Call*
- To add to your calendar, `click` on `Compliance Trestle Community Call` and choose `copy to my calendar`

**Where**: [https://zoom.us/j/92729235315](https://zoom.us/j/92729235315)

- Meeting Id: 927 2923 5315

- Passcode: 233140

- **Note**: Use the passcode above to log in to Zoom (or you can log in to Zoom using another account like Google, Facebook)

**What**: Meeting agenda and notes [Google Docs](https://docs.google.com/document/d/1z9xvt-Z97j4CtEH1-nR9sMWul7jQkUi_fNY7BdMPgxM/edit#heading=h.nohkp1kbeduj)

##### Chat anytime

Slack: [# compliance-grc](https://cloud-native.slack.com/archives/C066TMUBEL8)

- **Note**: You can log in to Slack using another account like Google, Apple

## Contributing to Trestle

Our project welcomes external contributions. Please consult [contributing](https://oscal-compass.github.io/compliance-trestle/contributing/mkdocs_contributing/) to get started.

## License & Authors

If you would like to see the detailed LICENSE click [here](LICENSE).
Consult [contributors](https://github.com/oscal-compass/compliance-trestle/graphs/contributors) for a list of authors and [maintainers](MAINTAINERS.md) for the core team.

```text
# Copyright (c) 2020 IBM Corp. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

```

            
