{"id":28729480,"url":"https://github.com/complianceascode/oscal-content","last_synced_at":"2026-01-20T16:49:14.212Z","repository":{"id":279691804,"uuid":"932730341","full_name":"ComplianceAsCode/oscal-content","owner":"ComplianceAsCode","description":"An OSCAL content repository with test data for ComplyTime.","archived":false,"fork":false,"pushed_at":"2025-06-09T02:53:01.000Z","size":44513,"stargazers_count":0,"open_issues_count":4,"forks_count":4,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-06-09T03:29:32.311Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ComplianceAsCode.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-14T12:16:18.000Z","updated_at":"2025-06-09T02:53:24.000Z","dependencies_parsed_at":"2025-04-27T02:24:42.736Z","dependency_job_id":"060fb8dd-2121-48b8-a031-c8c93de0795d","html_url":"https://github.com/ComplianceAsCode/oscal-content","commit_stats":null,"previous_names":["complytime/oscal-content","complianceascode/oscal-content"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ComplianceAsCode/oscal-content","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ComplianceAsCode%2Foscal-content","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ComplianceAsCode%2Foscal-content/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ComplianceAsCode%2Foscal-content/releases","manifests_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ComplianceAsCode%2Foscal-content/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ComplianceAsCode","download_url":"https://codeload.github.com/ComplianceAsCode/oscal-content/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ComplianceAsCode%2Foscal-content/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260010319,"owners_count":22945639,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-15T16:39:06.214Z","updated_at":"2026-01-20T16:49:14.200Z","avatar_url":"https://github.com/ComplianceAsCode.png","language":null,"readme":"# oscal-content\n\nThis repository serves as a centralized location for managing and storing security compliance content in the [Open Security Controls Assessment Language](https://pages.nist.gov/OSCAL/) (OSCAL) format. The primary purpose of this repository is to manage OSCAL content, with a current focus on Red Hat (RH) products.\n\n## Overview\nThe repository was initialized by [complyscribe](https://github.com/complytime/complyscribe). It provides three GitHub Actions: [sync-comp](.github/workflows/sync-comp.yml), [sync-controls](.github/workflows/sync-controls.yml) and [sync-oscal-cac](.github/workflows/sync-oscal-cac.yml). The first two can consume data from the upstream [ComplianceAsCode/content](https://github.com/ComplianceAsCode/content) to generate the related OSCAL content. 
The `sync-oscal-cac` workflow can sync OSCAL content updates to [ComplianceAsCode/content](https://github.com/ComplianceAsCode/content). It is paired with the CI workflow [sync-cac-oscal](https://github.com/ComplianceAsCode/content/blob/master/.github/workflows/sync-cac-oscal.yml), which can sync CAC content updates to OSCAL content. The `sync-oscal-cac` and `sync-cac-oscal` workflows are designed for a bi-directional synchronization workflow that allows both projects to consume updates from each other.\n\n## How the CIs sync content between CAC and OSCAL\n\u003e WARNING: The CI systems are currently in development. The user experience will be refined as we gather feedback from ongoing use.\n### Content Transformation: CAC to OSCAL\nThe `sync-cac-oscal` workflow handles the transformation from ComplianceAsCode/content into the OSCAL format. This process is powered by the `complyscribe` command-line tool.\n\nThe workflow operates in several stages:\n\n- **Detect Changes:** The workflow first identifies relevant updates in the source content directories (controls, profiles, rules, and vars).\n\n- **Prepare for Transformation:** It gathers the necessary arguments required by the Complyscribe CLI.\n\n- **Transform Content:** It then runs `complyscribe` to convert the source files into their corresponding OSCAL formats.\n\n- **Propose Updates:** Finally, the workflow automatically creates a pull request with the newly generated OSCAL content, making it available for review and merging.\n\nAs a recent example of a successful [run](https://github.com/ComplianceAsCode/content/actions/runs/15688668981/job/44198205023), the merge of ComplianceAsCode/content PR [#13580](https://github.com/ComplianceAsCode/content/pull/13580)\ntriggered this workflow, which in turn automatically created oscal-content PR [#28](https://github.com/ComplianceAsCode/oscal-content/pull/28) to sync the changes.\n\n```mermaid\ngraph LR\n    A[ComplianceAsCode PR #13580] --\u003e B[Workflow Triggered]\n    B 
--\u003e C[Content Transformation]\n    C --\u003e D[OSCAL Content PR #28]\n```\n\nAbove, the control file defines the RHEL8 HIPAA profile. The change makes it simpler to reference this [hipaa control file](https://github.com/ComplianceAsCode/content/blob/master/controls/hipaa.yml) in the [RHEL8 HIPAA Profile](https://github.com/ComplianceAsCode/content/blob/master/products/rhel8/profiles/hipaa.profile). The rules associated with the controls are now in the control file and referenced in the RHEL8 Profile.\n\nThe control ids are updated in the OSCAL Content PR #28 triggered by the update in ComplianceAsCode/content. The `oscal-content` profiles for RHEL8/HIPAA - [rhel8-hipaa-required](https://github.com/ComplianceAsCode/oscal-content/blob/1bf63ff5e400f1bd4934007e5251a586cbcafa7a/profiles/rhel8-hipaa-required/profile.json)\n\n### Content Transformation: OSCAL to CAC\nThe `sync-oscal-cac` workflow handles the reverse synchronization, ensuring that updates to OSCAL content are reflected back in the ComplianceAsCode/content repository.\n\nThis workflow is triggered upon the merge of a pull request containing OSCAL file changes and operates as follows:\n\n- **Detect OSCAL Updates:** The workflow identifies which OSCAL files (catalogs, profiles, and component-definitions) were updated.\n\n- **Sync with ComplyScribe:** It calls the Complyscribe CLI to transform the OSCAL updates back into the standard format for controls and product profiles.\n\n- **Create Upstream PR:** The workflow automatically creates a new pull request in the ComplianceAsCode/content repository.\n\nAs a recent example of a successful [run](https://github.com/ComplianceAsCode/oscal-content/actions/runs/16161128581/job/45612912892), the PR [#49](https://github.com/ComplianceAsCode/oscal-content/pull/49) triggered this workflow, generated a ComplianceAsCode/content PR [#13680](https://github.com/ComplianceAsCode/content/pull/13680) to contribute the changes back to CAC.\n\n```mermaid\ngraph LR\n    
A[OSCAL Content PR #49] --\u003e B[Workflow Triggered]\n    B --\u003e C[Detect OSCAL Updates]\n    C --\u003e D[Content Transformation via Complyscribe]\n    D --\u003e E[ComplianceAsCode PR #13680]\n```\n\nThe updates in OSCAL Content PR [#49](https://github.com/ComplianceAsCode/oscal-content/pull/49) automatically trigger the request to propose changes to the `ComplianceAsCode/content` repository content. The deletion of rules from `component-definition.json` triggers the automatic generation of PR [#13680](https://github.com/ComplianceAsCode/content/pull/13680) in `ComplianceAsCode/content`. The PR proposes changes to the levels applied to the control file [cis_rhel8](https://github.com/ComplianceAsCode/content/pull/13680/files#diff-c97f4c1b44844a9d76570cbbc2bf8fdbceb1dc1076461fc8408870ab612cad9cR33) in `ComplianceAsCode/content`.\n\n## Tooling\nWe utilize ComplyScribe to help author and manage the OSCAL content, ensuring it adheres to the required standards and formats.\n\n[Learn more about ComplyScribe](https://github.com/complytime/complyscribe)\n\n## Contributing\n\n**Authoring Content:** Maintainers can contribute by authoring or editing OSCAL content files in a forked repository and then opening a pull request. Once the pull request is reviewed and merged, the sync-oscal-cac synchronization workflow will be triggered automatically.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcomplianceascode%2Foscal-content","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcomplianceascode%2Foscal-content","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcomplianceascode%2Foscal-content/lists"}