{"id":13600612,"url":"https://github.com/defenseunicorns/lula","last_synced_at":"2025-10-04T04:59:56.499Z","repository":{"id":314091999,"uuid":"1042247939","full_name":"defenseunicorns/lula","owner":"defenseunicorns","description":"A tool for managing compliance as code in your GitHub repositories. :unicorn:","archived":false,"fork":false,"pushed_at":"2025-10-01T18:35:13.000Z","size":7765,"stargazers_count":8,"open_issues_count":22,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-01T19:28:22.897Z","etag":null,"topics":["compliance","compliance-as-code"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/defenseunicorns.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-08-21T17:58:15.000Z","updated_at":"2025-10-01T18:03:53.000Z","dependencies_parsed_at":"2025-09-10T15:57:09.750Z","dependency_job_id":"ad0ea510-70a7-4454-adc4-e6764b2ca0f9","html_url":"https://github.com/defenseunicorns/lula","commit_stats":null,"previous_names":["defenseunicorns/lula"],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/defenseunicorns/lula","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defenseunicorns%2Flula","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defenseunicorns%2Flula/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/
defenseunicorns%2Flula/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defenseunicorns%2Flula/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/defenseunicorns","download_url":"https://codeload.github.com/defenseunicorns/lula/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defenseunicorns%2Flula/sbom","scorecard":{"id":1237403,"data":{"date":"2025-08-29T05:44:55Z","repo":{"name":"github.com/defenseunicorns/lula","commit":"8dad3b6b63c807f00f836397588ef4b6b2fe180c"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":7.6,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disable on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Info: codeowner review is required on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"30 out of 30 merged PRs checked by a CI test -- score normalized to 
10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"project has 6 contributing companies or organizations","details":["Info: cncf contributor org/company found, defenseunicorns contributor org/company found, zarf-dev contributor org/company found, mission-focused contributor org/company found, defense unicorns contributor org/company found, devopsdojoconsortium contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update 
tool: RenovateBot: renovate.json:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: GoBuiltInFuzzer integration found: src/cmd/dev/validate_test.go:24","Info: GoBuiltInFuzzer integration found: src/cmd/dev/validate_test.go:24","Info: GoBuiltInFuzzer integration found: src/pkg/common/common_test.go:24","Info: GoBuiltInFuzzer integration found: src/pkg/common/common_test.go:24","Info: GoBuiltInFuzzer integration found: src/pkg/common/common_test.go:24","Info: GoBuiltInFuzzer integration found: src/pkg/common/oscal/assessment-results_test.go:24","Info: GoBuiltInFuzzer integration found: src/pkg/common/oscal/common_test.go:24","Info: GoBuiltInFuzzer integration found: src/pkg/common/oscal/common_test.go:24","Info: GoBuiltInFuzzer integration found: src/pkg/common/oscal/multi-validate_test.go:24"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging 
workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  27 out of  27 GitHub-owned GitHubAction dependencies pinned","Info:   6 out of   6 third-party GitHubAction dependencies pinned","Info:   1 out of   1 npmCommand dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":9,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 28 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release 
artifact v0.16.0 not signed: https://api.github.com/repos/defenseunicorns/lula/releases/197847666","Warn: release artifact v0.15.0 not signed: https://api.github.com/repos/defenseunicorns/lula/releases/195421644","Warn: release artifact v0.14.0 not signed: https://api.github.com/repos/defenseunicorns/lula/releases/191931566","Warn: release artifact v0.13.0 not signed: https://api.github.com/repos/defenseunicorns/lula/releases/189490139","Warn: release artifact v0.12.0 not signed: https://api.github.com/repos/defenseunicorns/lula/releases/187073918","Warn: release artifact v0.16.0 does not have provenance: https://api.github.com/repos/defenseunicorns/lula/releases/197847666","Warn: release artifact v0.15.0 does not have provenance: https://api.github.com/repos/defenseunicorns/lula/releases/195421644","Warn: release artifact v0.14.0 does not have provenance: https://api.github.com/repos/defenseunicorns/lula/releases/191931566","Warn: release artifact v0.13.0 does not have provenance: https://api.github.com/repos/defenseunicorns/lula/releases/189490139","Warn: release artifact v0.12.0 does not have provenance: https://api.github.com/repos/defenseunicorns/lula/releases/187073918"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-please.yaml:16","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/release.yaml:16","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yaml:76","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scan-codeql.yaml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scan-codeql.yaml:29","Info: 
jobLevel 'actions' permission set to 'read': .github/workflows/scan-gosec.yaml:17","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scan-gosec.yaml:18","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scan-kics.yaml:17","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scan-kics.yaml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/commitlint.yaml:10","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/commitlint.yaml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/golangci-lint.yaml:9","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/golangci-lint.yaml:10","Info: topLevel permissions set to 'read-all': .github/workflows/goreleaser-check.yaml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-please.yaml:9","Info: topLevel 'packages' permission set to 'read': .github/workflows/release.yaml:5","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yaml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/scan-codeql.yaml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/scan-gosec.yaml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/scan-kics.yaml:4","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yaml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-e2e.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-fuzz.yaml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-unit.yaml:4"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":4,"reason":"6 existing 
vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-6m8w-jc87-6cr7 / GO-2025-3660","Warn: Project is vulnerable to: GHSA-jc7w-c686-c4v9","Warn: Project is vulnerable to: GHSA-hcg3-q754-cr77 / GO-2025-3487","Warn: Project is vulnerable to: GHSA-qxp5-gwg8-xv66 / GO-2025-3503","Warn: Project is vulnerable to: GHSA-vvgc-356p-c3xw / GO-2025-3595","Warn: Project is vulnerable to: GHSA-6v2p-p543-phr9 / GO-2025-3488"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-09-10T18:11:10.245Z","repository_id":314091999,"created_at":"2025-09-10T18:11:10.245Z","updated_at":"2025-09-10T18:11:10.245Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278266896,"owners_count":25958733,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-04T02:00:05.491Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compliance","compliance-as-code"],"created_at":"2024-08-01T18:00:44.838Z","updated_at":"2025-10-04T04:59:56.493Z","avatar_url":"https://github.com/defenseunicorns.png","language":"TypeScript","funding_links":[],"categories":["Tools","Evidence and Audit"],"sub_categories":["OSCAL Tooling"],"readme":"# Lula - GitOps for Compliance\n\n\u003cimg 
src=\"static/lula.png\" alt=\"Lula Logo\" width=\"150\" align=\"right\" /\u003e\n\n\u003e [!IMPORTANT]\n\u003e This project is still in its early stages. Expect breaking changes.\n\u003e\n\u003e Looking for the original Lula OSCAL compliance validator? Go to [defenseunicorns-labs/lula1](https://github.com/defenseunicorns-labs/lula1)\n\u003e\n\u003e _Lula 1 is in maintenance mode and not receiving active updates or new features._\n\n[![Npm package license](https://badgen.net/npm/license/lula-next)](https://npmjs.com/package/lula-next)\n[![Known Vulnerabilities](https://snyk.io/test/npm/lula-next/badge.svg)](https://snyk.io/advisor/npm-package/lula-next)\n[![Npm package version](https://badgen.net/npm/v/lula-next)](https://npmjs.com/package/lula-next)\n[![Npm package total downloads](https://badgen.net/npm/dt/lula-next)](https://npmjs.com/package/lula-next)\n[![codecov](https://codecov.io/gh/defenseunicorns/lula/graph/badge.svg?token=FZV3DSS8NF)](https://codecov.io/gh/defenseunicorns/lula)\n\nBring GitOps principles to compliance management. Lula treats security controls as code, enabling teams to manage compliance frameworks (NIST 800-53, CIS, SOC2) through pull requests, code reviews, and automated workflows—just like your application code, all from a user-friendly web interface. Your data stays your data: Lula imports spreadsheets, lets you drag \u0026 drop the UI layout, and automatically version-controls the data as YAML for you.\n\n## Quickstart\n\nRun Lula directly with npx (no installation required):\n\n```bash\nnpx lula2\n```\n\n**Import an eMASS Spreadsheet**\n\nThe first step is to import an eMASS spreadsheet into Lula. 
A sample file is provided at: [samples/fake-controls.xlsx](samples/fake-controls.xlsx)\n\n**Continue with Lula Workflow**\n\nOnce the spreadsheet is imported, you can proceed with the standard Lula workflow, creating mappings to controls.\n\n## Why GitOps for Compliance?\n\n- **Version Everything**: Every control change, UI change, and mapping is tracked, reviewable, and revertable\n- **Pull Request Workflows**: Review compliance changes before they go live\n- **Branch Strategies**: Test control changes in isolated branches\n- **Automated Validation**: CI/CD pipelines can validate control completeness\n- **Audit Trail**: Git history provides immutable audit logs\n- **Collaborative Review**: Security, compliance, and engineering teams collaborate through PRs\n- **Automated Change Detection**: Map controls to source code via generated UUIDs and track when code changes impact your compliance posture\n\n## Key Features\n\n- **Controls as Code**: Each control stored as an individual YAML file\n- **Import/Export**: Import any generic spreadsheet with column headers, including from tools like eMASS\n- **Smart Formatting**: Automatic text processing for control descriptions and procedures\n- **Source Mappings**: Link controls to actual code implementations\n- **Multi-Framework**: Support NIST, CIS, SOC2, and custom frameworks in one repo\n- **Git Timeline**: Visual history of all control changes\n\n## Interface Features\n\nOnce launched, you can:\n\n- **Browse Controls**: Navigate through control families and individual controls\n- **Edit Controls**: Update implementation narratives, status, and properties\n- **Track Changes**: View Git history and timeline for each control\n- **Manage Mappings**: Link controls to source code and documentation\n- **Import Data**: Use the setup page to import OSCAL catalogs or existing control sets\n- **Export Reports**: Generate compliance reports and assessments\n\n## Learning from Lula 1\n\nWe built Lula 2 after discovering key limitations 
with the OSCAL-based approach:\n\n**Challenges in Lula 1:**\n\n- OSCAL proved too complex for most teams to work with effectively\n- Automated tests alone were insufficient for real compliance verification\n- The format made collaboration and review difficult\n\n**Lula 2's Approach:**\n\n- **Simple YAML + Spreadsheets**: Import from any spreadsheet tool (including EMASS), no OSCAL knowledge required\n- **Human + AI Analysis**: Recognizes that compliance requires human judgment augmented by AI reasoning, not just automated tests\n- **Git-native**: Use standard diff tools and pull requests for review\n- **Web UI**: Intuitive interface that anyone can use, not just CLI experts\n- **Change Impact Tracking**: Maps controls to actual code and tracks when changes might affect compliance\n\nThis evolution reflects our learning that effective compliance management needs to be accessible to all stakeholders—not just those who can navigate complex standards or write validation code.\n\n## Commands\n\n### UI Command\n\nBy default, the web interface is launched as the root command, but if you need to provide configuration flags:\n\n```bash\n\u003e npx lula2 ui\n```\n\n### Crawl Command\n\nAnalyze pull requests for compliance impact:\n\n```bash\n\u003e OWNER=defenseunicorns REPO=lula  PULL_NUMBER=126 GITHUB_TOKEN=$(gh auth token) npx lula2 crawl --post-mode=comment                   \nAnalyzing PR #126 in defenseunicorns/lula for compliance changes...\nCommenting regarding `integration/test-files/ex.ts`.\nCommenting regarding `integration/test-files/ex.yaml`.\n\nPosted (comment)\n----------------\n\n## Lula Compliance Overview\n\nPlease review the changes to ensure they meet compliance standards.\n\n### Reviewed Changes\n\nLula reviewed 2 files changed that affect compliance.\n\n\n\n---\n| File | Lines Changed |\n| ---- | ------------- |\n| `integration/test-files/ex.ts` | `20–31` |\n\u003e **uuid**-`123e4567-e89b-12d3-a456-426614174000`\n **sha256** 
`f889702fd3330d939fadb5f37087948e42a840d229646523989778e2b1586926`\n\n\n\n---\n| File | Lines Changed |\n| ---- | ------------- |\n| `integration/test-files/ex.yaml` | `1–5` |\n\u003e **uuid**-`123e4567-e89b-12d3-a456-426614174001`\n **sha256** `f6b6f51335248062b003696623bfe21cea977ca7f4e4163b182b0036fa699eb4`\n\n\n\n---\n\n\u003csub\u003e**Tip:** Customize your compliance reviews with \u003ca href=\"https://github.com/defenseunicorns/lula.git\" class=\"Link--inTextBlock\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eLula\u003c/a\u003e.\u003c/sub\u003e\n```\n\n### Version Command\n\n```bash\n\u003e npx lula2 --version\n```\n\n## Project Structure\n\nLula organizes controls in a Git-friendly structure:\n\n```\nmy-compliance-project/\n├── lula.yaml                    # Control set metadata\n├── controls/                    # Individual control files\n│   ├── AC/                      # Access Control family\n│   │   ├── AC-1.yaml\n│   │   ├── AC-2.yaml\n│   │   └── AC-2_1.yaml         # Control enhancements\n│   ├── AU/                      # Audit family\n│   │   └── ...\n│   └── ...\n└── mappings/                    # Source code mappings\n    ├── AC/\n    │   └── AC-1-mappings.yaml\n    └── ...\n```\n\n### Control File Format\n\nEach control is stored as a YAML file with a consistent schema based on the imported spreadsheet:\n\n```yaml\nid: AC-1\ntitle: Access Control Policy and Procedures\nfamily: AC\ndescription: |\n  The organization develops, documents, and disseminates...\nimplementation_status: Implemented\nsecurity_control_designation: Hybrid\ncontrol_implementation_narrative: |\n  Our organization implements AC-1 through...\nimplementation_guidance: |\n  Step-by-step guidance for implementing this control...\nassessment_procedures: |\n  Methods for assessing control effectiveness...\ntest_results: |\n  Results from the latest assessment...\nproperties:\n  priority: P1\n  responsible_role: CISO\n  last_reviewed: 2024-01-15\n```\n\n## Features in 
Detail\n\n### GitOps Workflow\n\nManage compliance like code with full GitOps practices:\n\n```bash\n# Create feature branch for control updates\ngit checkout -b update-ac-controls\n\n# Make changes through Lula UI\nnpx lula2\n\n# Commit changes\ngit add controls/\ngit commit -m \"Updated AC family implementation narratives\"\n\n# Push and create PR\ngit push origin update-ac-controls\n# → Team reviews changes in PR\n# → CI validates control completeness\n# → Merge when approved\n```\n\n### Smart Text Processing\n\nLula automatically formats complex text fields:\n\n- Detects and styles headers (Description:, Guidance:, etc.)\n- Converts CSV data into formatted tables\n- Properly formats lists and bullet points\n- Highlights control IDs and CCI references\n\n### Control Mappings\n\nLink controls to actual implementations using a UUID:\n\n```yaml\n- control_id: AC-10_3\n  justification: 'This is my reason this is compliant'\n  status: implemented\n  source_entries: [source: src/auth/policies.ts]\n  uuid: 439489d2-c1db-4ab4-a4dd-d0a6f4a0dd24\n  last_validated: 2024-01-15\n```\n\n## GitOps Benefits for Compliance\n\n### For Compliance Teams\n\n- **Review Process**: Control changes go through pull request reviews\n- **Rollback**: Instantly revert problematic control updates\n- **Branching**: Test control changes without affecting production\n- **History**: Complete audit trail in Git log\n- **Protection**: Leverage `CODEOWNERS` to limit who can edit controls/mappings or change the UI\n- **Monitoring**: Leverage SCM tools to track key changes/issues\n\n### For Security Engineers\n\n- **Infrastructure as Code**: Compliance configurations alongside IaC\n- **Automation**: Trigger compliance checks on control changes\n- **Integration**: Controls in the same repo as security policies\n- **Validation**: Pre-commit hooks for control completeness\n\n### For Auditors\n\n- **Immutable History**: Git provides tamper-evident audit logs when combined with SCM tooling\n- **Change 
Attribution**: Every change linked to a person and reason\n- **Point-in-Time**: View controls as they were at any date\n- **Evidence Chain**: PRs document review and approval process\n\n## Configuration\n\n### lula.yaml\n\nEach control set includes a configuration file, which the UI manages for you:\n\n```yaml\nname: NIST 800-53 Rev 4 Moderate\nversion: 4.0.0\ndescription: NIST Special Publication 800-53 Security Controls\nsource: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final\nfamilies:\n  - id: AC\n    name: Access Control\n  - id: AU\n    name: Audit and Accountability\n  # ... more families\n```\n\n## Troubleshooting\n\n### Common Issues\n\n**No control sets found:**\n\n- Ensure you have a `lula.yaml` file in your control set directory\n- Check that control files are in the correct structure\n\n**WebSocket connection failed:**\n\n- Verify the port is not in use\n- Check firewall settings\n- Ensure both frontend and backend are running\n\n**Git history not showing:**\n\n- Verify the directory is a Git repository\n- Ensure Git is installed and accessible\n- Check file permissions\n\n## Development\n\n### Prerequisites\n\n- Node.js 22+\n- Git (for version history features)\n- pnpm (recommended) or npm\n\n### Local Development\n\n```bash\n# Clone the repository\ngit clone https://github.com/defenseunicorns/lula.git\ncd lula\n\n# Install dependencies\npnpm install\n\n# Run development servers\npnpm run dev:full  # Runs both frontend and backend\n```\n\n### Build\n\n```bash\npnpm run build\n```\n\n## Architecture\n\n- **Frontend**: SvelteKit 5 with Tailwind CSS\n- **Backend**: Express + WebSocket server\n- **Storage**: YAML files with Git integration\n- **State Management**: Svelte 5 runes\n- **CLI**: Commander.js with TypeScript\n\n## Contributing\n\nWe welcome contributions! 
Please see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n## License\n\nApache-2.0 - See [LICENSE](LICENSE) for details.\n\n## Support\n\n- **Documentation**: [https://lula.dev/docs](https://lula.dev/docs)\n- **Issues**: [GitHub Issues](https://github.com/defenseunicorns/lula2/issues)\n- **Discussions**: [GitHub Discussions](https://github.com/defenseunicorns/lula2/discussions)\n\n## Related Projects\n\n- [Lula 1 (Original CLI)](https://github.com/defenseunicorns-labs/lula1) - OSCAL-based compliance validator CLI\n- [OSCAL](https://pages.nist.gov/OSCAL/) - Open Security Controls Assessment Language\n\n## Credits\n\nDeveloped by [The Lula Authors](https://github.com/defenseunicorns/lula2/graphs/contributors)\n\nPart of the Defense Unicorns ecosystem for secure, compliant software delivery.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdefenseunicorns%2Flula","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdefenseunicorns%2Flula","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdefenseunicorns%2Flula/lists"}