This repository represents an example of how you would automate governance in a production environment driven by a GitOps workflow.
Automated Governance is at its best when it is part of a continuous integration and continuous deployment (CI/CD) capability. In this model, there are no human hands (no manual hand-offs) from commit to production. Thus, security, compliance, and audit needs are met 100% for every commit. With Automated Governance, there are no workarounds or shortcuts that inadvertently lead to risk and vulnerabilities. source
- Baseline includes workflows for deploying k3d, installing zarf and deploying istio
- Review the repository on GitHub
- Create a demonstration branch
- Cover how this is representative of a example production environment
- Generate a component definition
- Link an
implemented-requirement
with the pre-existing validations (in the validation directory) - Uncomment the Lula workflows in the
.github/workflows
directory - Commit changes to the repository
- Open a PR and review workflow output
- Download the assessment-results artifact
- Store the results in the repository, commit, review with new threshold
- Uncomment the sample webapp from the zarf.yaml (non-complaint by default)
- Commit and Review the PR output (failing)
- Fix, commit, review the PR output (passing)
lula generate component -c https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json -r ac-3,ac-4 -o oscal-component.yaml
Add the following links to an implemented-requirement
in order for Lula to provide validation
links:
- href: file:./validations/validation.yaml
rel: lula
resource-fragment: '#07b19199-d4b6-42b7-8130-633c51517279'
- href: file:./validations/validation.yaml
rel: lula
resource-fragment: '#96cd25e3-fdfa-451e-8dbd-3fb2ff211d40'