Skip to content
/ continuous-ato-kit Public
forked from GovReady/continuous-ato-kit

Reference implementation of ATO Automation (continuous compliance) in CI/CD pipelines.

License

GPL-3.0 license
0 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

IvanDrag0/continuous-ato-kit

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

150 Commits
centos7-cak1-baseline
centos7-cak1-baseline
 
 
compliance-server
compliance-server
 
 
docs
docs
 
 
droplet-notes
droplet-notes
 
 
security-server
security-server
 
 
.gitignore
.gitignore
 
 
Dockerfile.centos7-ssh
Dockerfile.centos7-ssh
 
 
Enterprise.md
Enterprise.md
 
 
Jenkinsfile
Jenkinsfile
 
 
Jenkinsfile.separated
Jenkinsfile.separated
 
 
LICENSE.md
LICENSE.md
 
 
Pipeline.md
Pipeline.md
 
 
Purpose.md
Purpose.md
 
 
README.md
README.md
 
 
TryIt.md
TryIt.md
 
 
atokit-down.sh
atokit-down.sh
 
 
atokit-rm.sh
atokit-rm.sh
 
 
atokit-up.sh
atokit-up.sh
 
 
docker-compose.yml
docker-compose.yml
 
 
file_server_initial_data.json
file_server_initial_data.json
 
 
get-jenkins-password.sh
get-jenkins-password.sh
 
 
provision_compliance_server.sh
provision_compliance_server.sh
 
 
tests.py
tests.py
 
 

Repository files navigation

Continuous ATO Kit

The Continuous ATO Kit is a reference implementation of continuous compliance automation--security checking, compliance testing, and compliance artifact maintenance--in the Continuous Integration/Continuous Deployment (CI/CD) pipeline.

Diagram showing a build pipeline environment consisting of a Source Code Repository (GitHub) a Build Server (Jenkins), a Target Application Instance, a Security and Monitoring Server (OpenSCAP), a Compliance Server (GovReady-Q), a DevSecOps Workstation, and Production Environment.

The example scenerio is getting and continuously monitoring an ATO (Authority To Operate) for an IT system at an agency in the federal government under the NIST RMF (Risk Management Framework).

Documentation for this project can be found in the following documents:

  1. The Need for Continuous ATO explains why it will be valuable to incorporate the Authority to Operate A&A process into an agile build pipeline.
  2. Example Build Pipeline explains the pipeline constructed in this reference implementation, using Jenkins, a security and monitoring server running OpenSCAP and nmap, and a compliance server running GovReady-Q.
  3. Try It Using Docker Compose is a step-by-step tutorial to running the example build pipeline on your local workstation using docker-compose.
  4. Enterprise Deployment Guide is a step-by-step tutorial for deploying the pipeline on separate, virtualized servers in a data center.

About

Reference implementation of ATO Automation (continuous compliance) in CI/CD pipelines.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 81.8%
  • Python 11.8%
  • HTML 3.5%
  • Dockerfile 2.9%