OSCAL validation action #199
Conversation
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Not to belabor an obvious point, but oscal-club (actually yours truly, as fun else contributed) has a packaged action that wraps the oscal-cli tooling, be it the classic NIST version or an updated fork from former NIST staff in the metaschema-framework community fork, which does some more bells and whistles than just JSON Schema validation, including SARIF output so you can overlay the results on the files themselves in the GitHub user interface.
I just thought I would put that out there if you want to consider it. If not, I completely understand, but it might help test multiple toolchains for conformance.
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Ah nice, I added it to also verify with it (see this workflow run here) and it actually caught more details. It is not failing the workflow when validation fails, but apparently this is on purpose. I will leave it non-failing like this while I fix the output to also validate with the oscal-cli. Thanks for the suggestion.
The checkout action doesn't drop credentials by default, which can result in a leak.
Otherwise, this looks good to me and to zizmor.
Co-authored-by: Ben Cotton <[email protected]> Signed-off-by: CRob <[email protected]>
Co-authored-by: Ben Cotton <[email protected]> Signed-off-by: CRob <[email protected]>
Signed-off-by: Ben Cotton <[email protected]>
This PR adds a GitHub Action to verify the OSCAL output of the baseline compiler whenever a PR is opened.
This PR introduces a new file but requires #194 to run; here is an example run:
https://github.com/puerco/security-baseline/actions/runs/13448472115/job/37578580471
Signed-off-by: Adolfo García Veytia (Puerco) [email protected]
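The following workflow is an added example and is not the security-baseline project's own `.github/workflows` file. It illustrates both points raised in this thread: the PR-triggered OSCAL validation job described in the PR summary, and the reviewer's note that `actions/checkout` persists the `GITHUB_TOKEN` in `.git/config` by default (its `persist-credentials` input defaults to `true`). The compiler invocation `./compile-baseline`, the output path `out/baseline.json` and the exact `oscal-cli validate` arguments are assumptions for illustration, not commands taken from the project.

```yaml
# Added example, not the project's own workflow.
# Assumptions: the baseline compiler is run as ./compile-baseline (hypothetical)
# and writes OSCAL JSON to out/; the validation invocation is an assumed form.
name: OSCAL validation

on:
  pull_request:

# Least privilege: validating generated files only needs to read the repository.
permissions:
  contents: read

jobs:
  validate-oscal:
    runs-on: ubuntu-latest
    steps:
      # Weak form (what the review comment flags): with the default
      # persist-credentials: true, the token used for the clone stays in
      # .git/config and is readable by every later step and any tool they run.
      #
      #   - uses: actions/checkout@v4
      #
      # Hardened form: the credential is removed from .git/config once the
      # checkout completes, so later steps have no token to leak.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Compile baseline to OSCAL
        run: ./compile-baseline --format oscal --out out/   # hypothetical command

      - name: Validate OSCAL output
        # Matches the thread: validation findings are reported but do not
        # fail the workflow until the compiler output is fixed.
        continue-on-error: true
        run: oscal-cli validate out/baseline.json   # assumed invocation
```

With `persist-credentials: false`, any step that must push or call the API with the token should receive it explicitly (for example via `${{ github.token }}` in that step's environment) rather than relying on the cached clone credential; that keeps the token scoped to the one step that needs it.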