This repository contains the source code for the ghcr.io/gsa-tts/trestle Docker image and OSCAL models to be used by that image.
Prerequisite: $(pwd)/compliance directory exists and is where you want to store all compliance artifacts
docker pull ghcr.io/gsa-tts/trestle
docker run -it --rm -v $(pwd)/compliance:/app/docs ghcr.io/gsa-tts/trestle bashAll other usage commands assume you are operating within the docker container.
If you are using a profile that isn't shipped with the image you must import it first
If you are utilizing Component Definitions, you must import and/or create them first.
generate-ssp-markdown -p PROFILE_NAME [-c COMP_DEF_NAMES]
assemble-ssp-json -n SYSTEM_NAME [-c COMP_DEF_NAMES]
This step will create system-security-plans/SYSTEM_NAME/system-security-plan.json as well as smaller JSON files within system-security-plans/SYSTEM_NAME/system-security-plan/ for editing.
This script should be given the same list of Component Definitions that were passed to generate-ssp-markdown
The control-status script will output a quick report of all of the Implementation Status lines for your controls. For instance, to report on the status of all controls except those marked as implemented:
control-status -i implemented
trestle assemble -n SYSTEM_NAME system-security-plan
Edit the files within ssp-markdown to populate data for the rendered SSP that can't yet be pulled from OSCAL.
Hint: Use jinja templates md_clean_include and mdsection_include to populate content from other existing documents your team is using.
Output the SSP as a markdown file within ./ssp-render
render-ssp
You can optionally use pandoc to transform the markdown file into a variety of formats. For example:
docker run --rm --volume "/dir/with/rendered_ssp.md:/data" pandoc/latex rendered_ssp.md -o your-pdf-file-name.pdf
docker run --rm --volume "/dir/with/rendered_ssp.md:/data" pandoc/latex rendered_ssp.md -s -o your-html-file-name.html --metadata title="SSP Title"
If you are using a PROFILE_NAME that does not ship with this docker container then you must first manually import it using:
trestle import -f PROFILE_URL -o PROFILE_NAME
Once that is done you can go back to the generate-ssp-markdown step
To import a component that ships with this docker container: copy-component -n COMPONENT_NAME
To import a component that is available from a URL: copy-component -n COMPONENT_NAME -u COMPONENT_URL
create-component -n COMPONENT_NAME
And then edit the created files to contain the component definition.
This step is automatically handled by the assemble-ssp-json script as long as that script is run from the trestle root.
split-ssp -n SYSTEM_NAME
The following templates are included in the Docker image:
A profile representing the set of controls covered by a GSA LATO SSPP.
A Component Definition representing the Cloud.gov CRM.
A set of testable best practices for running applications on cloud.gov. This component integrates with Auditree and c2p to generate compliance results
A copy of the full NIST 800-53 revision 5 catalog.
A resolved catalog of just the NIST 800-53r5 controls that are used by the LATO profile.
Run the trestle image locally through Docker Compose:
docker compose run cli bash
Utilize compliance-trestle commands within the /app/templates directory to make any changes that are required.
The /app/docs directory can be used as a scratch area for any temporary trestle tests.
Each published image will be tagged with:
latestYYYYMMDDmainsha-c9f60e2