gocomply / oscalkit
NIST OSCAL SDK and CLI

Home Page: http://isimluk.com/posts/2020/12/gocomply-with-oscal-fedramp-introduction-to-oscalkit/

License: Other


oscalkit

This project has been forked from docker/oscalkit. Docker, Inc. did a great service to the open source world by releasing the initial oscalkit implementation under a public-domain license. Unfortunately, oscalkit development stalled after March 2019, while upstream OSCAL took leap steps and almost redesigned OSCAL from scratch, rendering the original oscalkit unusable. This fork is an attempt to keep the original code alive and to rebuild a community around it.

A barebones Go SDK for the Open Security Controls Assessment Language (OSCAL), which is being developed by the National Institute of Standards and Technology (NIST). A CLI tool is also included for processing OSCAL documents and converting between OSCAL-formatted XML, JSON and YAML. To convert your existing SSPs, whether OpenControl projects or traditional DOCX files, into OSCAL, see the sister project GoComply/fedramp.

Documentation for the OSCAL standard can be found at https://pages.nist.gov/OSCAL.

Installing

You can download the appropriate gocomply_oscalkit command-line utility for your system from the GitHub Releases page and move it to a directory listed in your $PATH environment variable. Alternatively, you can fetch the latest version by running the command below. Note that Go 1.17 deprecated, and Go 1.18 removed, installing executables with go get; on those toolchains use go install with an @latest version suffix instead.

  go get -u github.com/gocomply/oscalkit/cli/gocomply_oscalkit

Usage

NAME:
   gocomply_oscalkit - OSCAL toolkit

USAGE:
   gocomply_oscalkit [global options] command [command options] [arguments...]

VERSION:
   0.2.0


COMMANDS:
     convert         convert between one or more OSCAL file formats and to HTML format
     validate        validate files against OSCAL XML and JSON schemas
     sign            sign OSCAL JSON artifacts
     generate        generates go code against provided profile
     implementation  generates go code for implementation against provided profile and excel sheet
     help, h         Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug, -d    enable debug command output
   --help, -h     show help
   --version, -v  print the version

Convert between XML and JSON

gocomply_oscalkit can be used to convert one or more source files between OSCAL-formatted XML and JSON (and, with --yaml, to additionally emit the equivalent YAML).

NAME:
   gocomply_oscalkit convert oscal - convert between one or more OSCAL file formats

USAGE:
   gocomply_oscalkit convert oscal [command options] [source-files...]

DESCRIPTION:
   Convert between OSCAL-formatted XML and JSON files. The command accepts
   one or more source file paths and can also be used with source file contents
   piped/redirected from STDIN.

OPTIONS:
   --output-path value, -o value  Output path for converted file(s). Defaults to current working directory
   --output-file value, -f value  File name for converted output from STDIN. Defaults to "stdin.<json|xml|yaml>"
   --yaml                         If source file format is XML or JSON, also generate equivalent YAML output

Examples

Convert OSCAL-formatted NIST 800-53 declarations from XML to JSON:

$ gocomply_oscalkit convert oscal SP800-53-declarations.xml

Convert OSCAL-formatted NIST 800-53 declarations from XML to JSON via STDIN (note the use of "-"):

$ cat SP800-53-declarations.xml | gocomply_oscalkit convert oscal -

Signing OSCAL JSON with JWS

gocomply_oscalkit can be used to sign OSCAL-formatted JSON artifacts using JSON Web Signature (JWS, RFC 7515).

NAME:
   gocomply_oscalkit sign - sign OSCAL JSON artifacts

USAGE:
   gocomply_oscalkit sign [command options] [files...]

OPTIONS:
   --key value, -k value  private key file for signing. Must be in PEM or DER format. Supports RSA/EC keys and X.509 certificates with embedded RSA/EC keys
   --alg value, -a value  algorithm for signing. Supports RSASSA-PKCS#1v1.5, RSASSA-PSS, HMAC, ECDSA and Ed25519

The following signing algorithms are supported:

   Signing / MAC          Algorithm identifier(s)
   RSASSA-PKCS#1 v1.5     RS256, RS384, RS512
   RSASSA-PSS             PS256, PS384, PS512
   HMAC                   HS256, HS384, HS512
   ECDSA                  ES256, ES384, ES512
   Ed25519                EdDSA

Note that HMAC (HS256/HS384/HS512) produces a MAC rather than a signature: the same secret is used to sign and to verify, so anyone able to verify an artifact can also forge one. Use one of the asymmetric algorithms when signed OSCAL artifacts will be checked by a party that must not hold the signing key (an assessor or authorizing official, for example).

Examples

Sign OSCAL-formatted JSON using a PEM-encoded private key file and the PS256 signing algorithm:

$ gocomply_oscalkit sign --key jws-example-key.pem --alg PS256 NIST_SP-800-53_rev4_catalog.json
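As an added illustration, not code from oscalkit or docker/oscalkit, the following stand-alone Go program shows what a JWS-wrapped OSCAL document looks like and, more importantly, how a consumer should verify one. It assumes the compact JWS serialization (header.payload.signature) and the ES256 algorithm from the table above; the minimal OSCAL-shaped JSON document, the generated key and the function names SignES256/VerifyES256 are constructed for this example and are not part of the project. The verifier pins the expected algorithm instead of trusting the token's own "alg" header, which closes the well-known "alg: none" and key-confusion attacks on JWS consumers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// b64 is the unpadded base64url encoding that JWS mandates (RFC 7515 section 2).
var b64 = base64.RawURLEncoding

// SignES256 wraps an OSCAL JSON document in a compact JWS (header.payload.signature)
// using ECDSA over P-256 with SHA-256, i.e. the ES256 identifier from the table above.
// Hypothetical helper written for this example; oscalkit's sign command is not shown.
func SignES256(priv *ecdsa.PrivateKey, oscalJSON []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256"})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(oscalJSON)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ECDSA signatures are the raw R||S concatenation, each left-padded
	// to the curve size (32 bytes for P-256), per RFC 7518 section 3.4.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyES256 checks a compact JWS and returns the signed OSCAL JSON payload.
// The accepted algorithm is fixed by the verifier and never read from the token
// as a trusted value, so a header claiming "none" or an HMAC variant is rejected.
func VerifyES256(pub *ecdsa.PublicKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected three dot-separated segments")
	}
	headerBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jws: bad header encoding: %w", err)
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerBytes, &header); err != nil {
		return nil, fmt.Errorf("jws: bad header json: %w", err)
	}
	if header.Alg != "ES256" {
		return nil, fmt.Errorf("jws: algorithm %q not allowed, expected ES256", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("jws: malformed ES256 signature")
	}
	// The signature covers the encoded header and payload exactly as transmitted.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("jws: signature verification failed")
	}
	return b64.DecodeString(parts[1])
}

func main() {
	// Constructed sample: a minimal OSCAL-shaped JSON document, not a real catalog.
	oscalJSON := []byte(`{"catalog":{"uuid":"00000000-0000-4000-8000-000000000001","metadata":{"title":"example"}}}`)
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	token, err := SignES256(priv, oscalJSON)
	if err != nil {
		panic(err)
	}
	fmt.Println("jws:", token)
	payload, err := VerifyES256(&priv.PublicKey, token)
	fmt.Printf("verified: %v err: %v\n", string(payload) == string(oscalJSON), err)

	// A forged token that claims alg "none" with an empty signature must be rejected.
	parts := strings.Split(token, ".")
	forged := b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + parts[1] + "."
	_, err = VerifyES256(&priv.PublicKey, forged)
	fmt.Println("alg=none rejected:", err != nil)
}
```

When checking artifacts produced by gocomply_oscalkit sign, apply the same discipline: configure the verifier with the algorithm you signed with and the corresponding public key, and treat the token's own header as untrusted input.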

Validate against XML and JSON schemas

The tool supports validation of OSCAL-formatted XML and JSON files against the corresponding OSCAL XML schemas (.xsd) and JSON schemas. Schemas are packaged with the tool and selected automatically based on the type of OSCAL file. XML schema validation requires the xmllint tool on the local machine (included with macOS and most Linux distributions; on Windows it must be installed separately).

NAME:
   gocomply_oscalkit validate - validate files against OSCAL XML and JSON schemas

USAGE:
   gocomply_oscalkit validate [command options] [files...]

DESCRIPTION:
   Validate OSCAL-formatted XML files against a specific XML schema (.xsd)
   or OSCAL-formatted JSON files against a specific JSON schema

Examples

Validate a FedRAMP profile in OSCAL-formatted JSON against the corresponding JSON schema:

$ gocomply_oscalkit validate -s oscal-core.json fedramp-annotated-wrt-SP800-53catalog.json

Developing

oscalkit is developed with Go (1.13+). If you have Docker installed, the included Makefile can be used to run unit tests and compile the application for Linux, macOS and Windows. Otherwise, the native Go toolchain can be used.

Dependency management

Dependencies are managed with Go 1.11 Modules. The vendor/ folder containing the dependencies is checked in with the source for backwards compatibility with previous versions of Go. When using Go 1.11+ with GO111MODULE=on, you can verify the dependencies as follows:

$ go mod verify

Compile

You can use the included Makefile to generate binaries for your OS as follows (requires Docker):

Compile for Linux:

$ GOOS=linux GOARCH=amd64 make

Compile for macOS:

$ GOOS=darwin GOARCH=amd64 make

Compile for Windows:

$ GOOS=windows GOARCH=amd64 make

Website and documentation

Both the website and corresponding documentation are being developed in docs/. The content is developed using the Hugo framework. The static content is generated and published in docs/public, which is a separate Git worktree.

The GoDoc for the SDK is published on pkg.go.dev.

Releasing

The GoReleaser tool is used to publish oscalkit to GitHub Releases. The following release artifacts are currently supported:

  • OSX binary
  • Linux binary
  • Windows binary
  • Docker Image
  • Homebrew recipe

Contributors

afeld, aitchkhan, anweiss, asadullah-yousuf-10p, dependabot[bot], farhankamalkhan-10p, isimluk, minhaj10p, mohuk, schneiderl

Issues

Unable to Parse Newer NIST Catalog

It seems that this is unable to parse the later versions of the NIST OSCAL stuff. The actual error I get is:
json: cannot unmarshal array into Go struct field Metadata.metadata.responsible-parties of type map[string]validation_root.ResponsibleParty.

I tried to generate new models from the OSCAL source and hit another error that is likely related to this PR: GoComply/metaschema#10

I am happy to dig into it and get it fixed up. I am wondering what the maintenance status is of this repo and the supporting tooling.

Thanks!

Upgrading from 1.0.0-milestone3 to 1.0.0 (final)

As it stands, this tool only appears to support the pre-release beta version of OSCAL, 1.0.0-milestone3. Can I somehow assist in updating the code to support the move to 1.0.0 (final)? I am willing to support the development of this code here and the relevant metaschema module.

It seems this is the root of the issue originally reported in ComplianceAsCode/oscal/#7.
