complytime
diff --git a/‎.github/workflows/codecov.yml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/codecov.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/scorecard.yml
Lines changed: 49 additions & 0 deletions b/‎.github/workflows/scorecard.yml
Lines changed: 49 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md
Lines changed: 25 additions & 11 deletions b/‎CONTRIBUTING.md
Lines changed: 25 additions & 11 deletions
diff --git a/‎README.md
Lines changed: 15 additions & 14 deletions b/‎README.md
Lines changed: 15 additions & 14 deletions
diff --git a/‎TEMPLATES/github/trestlebot-rules-transform.yml
Lines changed: 15 additions & 9 deletions b/‎TEMPLATES/github/trestlebot-rules-transform.yml
Lines changed: 15 additions & 9 deletions
diff --git a/‎actions/README.md
Lines changed: 9 additions & 9 deletions b/‎actions/README.md
Lines changed: 9 additions & 9 deletions
@@ -25,7 +25,7 @@ jobs:
         run: make test-code-cov
 
       - name: Upload artifact
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # pin@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # pin@v4
         with:
           name: coverage
           path: coverage.xml
@@ -39,7 +39,7 @@ jobs:
         with:
           fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
       - name: Get coverage
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # pin@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # pin@v4
         with:
           name: coverage
       - name: SonarCloud Scan
 
@@ -0,0 +1,49 @@
+name: Scorecard analysis workflow
+on:
+  push:
+    # Only the default branch is supported.
+    branches:
+    - main
+  schedule:
+    # Weekly on Saturdays.
+    - cron:  '30 1 * * 6'
+
+permissions: read-all
+
+jobs:
+  analysis:
+    if: github.repository == 'RedHatProductSecurity/trestle-bot'
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed for Code scanning upload
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # pin@v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
+        with:
+          sarif_file: results.sarif
@@ -18,6 +18,7 @@ Before you start contributing, please take a moment to read through the guide be
     - [Documentation](#documentation)
       - [Architecture Decisions](#architecture-decisions)
       - [Update the `actions` files](#update-the-actions-files)
+      - [Authoring CI Workflows](#authoring-ci-workflows)
     - [License Text in Files](#license-text-in-files)
     - [Tools](#tools)
       - [Format and Styling](#format-and-styling)
@@ -72,7 +73,9 @@ For workflow diagrams, see the [diagrams](./docs/workflows/) under the `docs` fo
 #### Code structure
 
 - `actions` - Provides specific logic for `trestle-bot` tasks that are packaged as Actions. See [README.md](./actions/README.md) for more information.
-- `entrypoints` - Provides top level logic for specific user-facing tasks. These tasks are not necessarily related in any way so they are not organized into a hierarchical command structure, but they do inherit logic and flags from a base class.
+- `cli` - Provides top level logic for specific user-facing tasks. These tasks are not necessarily related so they are not organized into a hierarchical command structure, but they do share some common modules.
+- `cli/commands` - Provides top level logic for commands and their associated subcommands. The commands are accessed by the single entrypoint `root.py`.
+- `cli/options` - Provides command line options and arguments that are frequently used within `cli/commands`.
 - `provider.py, github.py, and gitlab.py` - Git provider abstract class and concrete implementations for interacting with the API.
 - `tasks` - Pre-tasks can be configured before the main git logic is run. Any task that does workspace management should go here.
 - `tasks/authored` - The `authored` package contains logic for managing authoring tasks for single instances of a top-level OSCAL model. These encapsulate logic from the `compliance-trestle` library and allows loose coupling between `tasks` and `authored` types.
@@ -97,6 +100,17 @@ Each `README.md` under the `actions` directory have an Actions Inputs and Action
 make update-action-readmes
 ```
 
+#### Authoring CI Workflows
+
+The CI workflows for trestle-bot leverage third party actions pinned to a hash value which is updated by `dependabot.yml`. The purpose of pinning actions to a full length commit SHA is to ensure that the action's code and behavior remain consistent. Actions that are pinned to full length commit SHAs act as immutable releases which allow for distinction between versions and an accurate history log. When selecting a commit SHA to include, the SHA value that is associated with the version of the action should be chosen from the associated action's repository. Dependabot checks for the action's reference against the latest version ensuring a secure and consistent approach to managing dependencies and version updating.
+
+To generate a pin for a third party action, there should be a full length commit SHA associated with the version of the action being referenced. The reference used is the full length SHA, tag, or branch that dependabot will use when updating dependencies and bumping versions.
+
+- The syntax for a specified action is: `OWNER/REPOSITORY@TAG-OR-SHA`.
+- The syntax for a specified reusable workflow is: `OWNER/REPOSITORY/PATH/FILENAME@TAG-OR-SHA`.
+
+This approach is used for authoring CI workflows that utilize versioned actions to produce frequent updates from dependabot for python and GitHub Actions.
+
 ### License Text in Files
 
 Please use the SPDX license identifier in all source files.
@@ -146,11 +160,11 @@ make test-e2e
 #### Run with poetry
 ```
 make develop
-poetry run trestlebot-autosync
-poetry run trestlebot-rules-transform
-poetry run trestlebot-create-cd
-poetry run trestlebot-sync-upstreams
-poetry run trestlebot-create-ssp
+poetry run trestlebot autosync
+poetry run trestlebot rules-transform
+poetry run trestlebot create compdef
+poetry run trestlebot sync-upstreams
+poetry run trestlebot create ssp
 ```
 
 #### Local testing
@@ -178,15 +192,15 @@ INPUT_SKIP_ITEMS=
 INPUT_DRY_RUN=true
 INPUT_SKIP_ASSEMBLE=false
 INPUT_SKIP_REGENERATE=false
-INPUT_REPOSITORY=.
+INPUT_REPO_PATH=.
 INPUT_BRANCH=test
-INPUT_MARKDOWN_PATH=markdown/profiles
+INPUT_MARKDOWN_DIR=markdown/profiles
 INPUT_OSCAL_MODEL=profile
-INPUT_SSP_INDEX_PATH=
+INPUT_SSP_INDEX_FILE=
 INPUT_COMMIT_MESSAGE=
 INPUT_COMMIT_USER_NAME=testuser
 INPUT_COMMIT_USER_EMAIL=test@example.com
-INPUT_FILE_PATTERN=*.md,*.json
+INPUT_FILE_PATTERNS=*.md,*.json
 INPUT_COMMIT_AUTHOR_NAME=
 INPUT_COMMIT_AUTHOR_EMAIL=
 INPUT_TARGET_BRANCH=
@@ -216,4 +230,4 @@ Once work on a release has been completed:
 - Initial releases will have a `major` tag (if stable), `major`.`minor`, and the full version.
 - The latest release will be rebuilt every thirty days to pull in base image updates. The same tags will
 be published with the addition of `full-version`.`date` tag.
-- Images can be built adhoc for testing purposes with the `workflow_dispatch` trigger.
+- Images can be built adhoc for testing purposes with the `workflow_dispatch` trigger.
@@ -6,34 +6,35 @@
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=rh-psce_trestle-bot&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=rh-psce_trestle-bot)
 
 
+** **Note: Trestle-bot has moved from [RedHatProductSecurity](https://github.com/RedHatProductSecurity/) to the [Complytime](https://github.com/complytime/) GitHub organization.** **
 
-trestle-bot assists users in leveraging [Compliance-Trestle](https://github.com/oscal-compass/compliance-trestle) in CI/CD workflows for [OSCAL](https://github.com/usnistgov/OSCAL) formatted compliance content management.
+trestle-bot is a CLI tool that assists users in leveraging [Compliance-Trestle](https://github.com/oscal-compass/compliance-trestle) in CI/CD workflows for [OSCAL](https://github.com/usnistgov/OSCAL) formatted compliance content management.
 
 > WARNING: This project is currently under initial development. APIs may be changed incompatibly from one commit to another.
 
 ## Getting Started
 
 ### Available Commands
 
-The `autosync` command will sync trestle-generated Markdown files to OSCAL JSON files in a trestle workspace. All content under the provided markdown directory when the action is run will be transformed. This action supports all top-level models [supported by compliance-trestle for authoring](https://oscal-compass.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring/).
+The `autosync` command will sync trestle-generated Markdown files to OSCAL JSON files in a trestle workspace. All content under the provided markdown directory will be transformed when the action is run. This action supports all top-level models [supported by compliance-trestle for authoring](https://oscal-compass.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring/).
 
 The `rules-transform` command can be used when managing [OSCAL Component Definitions](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/component-definition/json-outline/) in a trestle workspace. The action will transform rules defined in the rules YAML view to an OSCAL Component Definition JSON file.
 
-The `create-cd` command can be used to create a new [OSCAL Component Definition](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/component-definition/json-outline/) in a trestle workspace. The action will create a new Component Definition JSON file and corresponding directories that contain rules YAML files and trestle-generated Markdown files. This action prepares the workspace for use with the `rules-transform` and `autosync` actions.
+The `create compdef` command can be used to create a new [OSCAL Component Definition](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/component-definition/json-outline/) in a trestle workspace. The action will create a new Component Definition JSON file and corresponding directories that contain rules YAML files and trestle-generated Markdown files. This action prepares the workspace for use with the `rules-transform` and `autosync` actions.
 
-The `sync-upstreams` command can be used to sync and validate upstream OSCAL content stored in a git repository to a local trestle workspace. Which content is synced is determined by the `include_model_names` and `exclude_model_names` inputs.
+The `sync-upstreams` command can be used to sync and validate upstream OSCAL content stored in a git repository to a local trestle workspace. The inputs `include_models` and `exclude_models` determine which content is synced to the trestle workspace.
 
-The `create-ssp` command can be used to create a new [OSCAL System Security Plans](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/system-security-plan/json-outline/) (SSP) in a trestle workspace. The action will create a new SSP JSON file and corresponding directories that contain trestle-generated Markdown files. This action prepares the workspace for use with the `autosync` action by creating or updating the `ssp-index.json` file. The `ssp-index.json` file is used to track the relationships between the SSP and the other OSCAL content in the workspace for the `autosync` action.
+The `create ssp` command can be used to create a new [OSCAL System Security Plans](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/system-security-plan/json-outline/) (SSP) in a trestle workspace. The action will create a new SSP JSON file and corresponding directories that contain trestle-generated Markdown files. This action prepares the workspace for use with the `autosync` action by creating or updating the `ssp-index.json` file. The `ssp-index.json` file is used to track the relationships between the SSP and the other OSCAL content in the workspace for the `autosync` action.
 
 Below is a table of the available commands and their current availability as a GitHub Action:
 
-| Command            | Available as a GitHub Action |
-|--------------------|------------------------------|
-| `autosync`         | &#10003;                     |
-| `rules-transform`  | &#10003;                     |                   
-| `create-cd`        | &#10003;                     |
-| `sync-upstreams`   | &#10003;                     |
-| `create-ssp`       |                              |
+| Command           | Available as a GitHub Action |
+|-------------------|------------------------------|
+| `autosync`        | &#10003;                     |
+| `rules-transform` | &#10003;                     |                   
+| `create compdef`  | &#10003;                     |
+| `sync-upstreams`  | &#10003;                     |
+| `create ssp`      |                              |
 
 For detailed documentation on how to use each action, see the README.md in each folder under [actions](./actions/).
 
@@ -47,7 +48,7 @@ provider information is supported for GitHub Actions (GitHub) and GitLab CI (Git
 
 ### Run as a Container
 
-> Note: When running the commands in a container, all are prefixed with `trestlebot` (e.g. `trestlebot-autosync`). The default entrypoint for the container is the autosync command.
+> Note: When running the commands in a container, all are prefixed with `trestlebot` (e.g. `trestlebot autosync`). The default entrypoint for the container is the autosync command.
 
 Build and run the container locally:
 
@@ -72,4 +73,4 @@ This project is licensed under the Apache 2.0 License - see the [LICENSE.md](LIC
 
 ## Troubleshooting
 
-See [TROUBLESHOOTING.md](./TROUBLESHOOTING.md) for troubleshooting tips.
+See [TROUBLESHOOTING.md](./TROUBLESHOOTING.md) for troubleshooting tips.
@@ -17,11 +17,24 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  check_rules:
+    runs-on: ubuntu-latest
+    outputs:
+      rules_changed: ${{ steps.changes.outputs.rules }}
+    steps:
+    - uses: actions/checkout@v4
+    - uses: dorny/paths-filter@v3
+      id: changes
+      with:
+        filters: |
+          rules:
+            - 'rules/**'
   rules-transform-and-autosync:
     name: Rules Transform and AutoSync
     runs-on: ubuntu-latest
     permissions:
       contents: write
+    needs: check_rules
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -31,16 +44,9 @@ jobs:
         with:
           markdown_path: "markdown/component-definitions"
           oscal_model: "compdef"
-          file_pattern: "*.json,markdown/*"
-      - name: Check if rules changed
-        id: changes
-        uses: dorny/paths-filter@v3
-        with:
-          filters: |
-            rules:
-              - 'rules/**'
+          commit_message: "Autosync component definition content [skip ci]"
       - name: Rules Transform
-        if: steps.changes.outputs.rules == 'true'
+        if: needs.check_rules.outputs.rules_changed == 'true'
         uses: RedHatProductSecurity/trestle-bot/actions/rules-transform@main
         with:
           markdown_path: "markdown/component-definitions"
 
@@ -7,13 +7,13 @@ This document provides instructions and examples for creating and using GitHub A
 ## Directory Structure
 
 - Actions related to trestle-bot are located in the `actions` directory.
-- Actions should correlate an entrypoint under the `trestlebot/entrypoints` directory.
+- Actions should correlate a command under the `trestlebot/cli/commands` directory.
 
 ## Adding a New Action
 
 Contributors should scope trestle-bot actions to workspace management and checks. To add a new action:
 
-> Prerequisite: An entrypoint was created under the `trestlebot/entrypoints` directory and added to the `pyproject.toml` under `[tool.poetry.scripts]`
+> Prerequisite: An entrypoint was created under the `trestlebot/cli` directory and added to the `pyproject.toml` under `[tool.poetry.scripts]`
 
 1. Create a new directory in the `actions` directory.
 2. In the new directory, create an `action.yml` file that references the Dockerfile in the root of the repository.
@@ -48,7 +48,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: RedHatProductSecurity/trestle-bot/actions/create-cd@main
         with:
-          markdown_path: "markdown/components"
+          markdown_dir: "markdown/components"
           profile_name: "my-profile"
           component_definition_name: "my-component-definition"
           component_title: "my-component"
@@ -96,7 +96,7 @@ jobs:
         id: autosync
         uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
         with:
-          markdown_path: "md_comp"
+          markdown_dir: "md_comp"
           oscal_model: "compdef"
           commit_message: "Autosync component definition content [skip ci]"
       # Rule transformation is not idempotent, so you may only want to run this
@@ -115,7 +115,7 @@ jobs:
         id: transform
         uses: RedHatProductSecurity/trestle-bot/actions/rules-transform@main
         with:
-          markdown_path: "md_comp"
+          markdown_dir: "md_comp"
           commit_message: "Auto-transform rules [skip ci]" 
 ```
 
@@ -148,7 +148,7 @@ jobs:
         id: autosync
         uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
         with:
-          markdown_path: "md_comp"
+          markdown_dir: "md_comp"
           oscal_model: "compdef"
           dry_run: true
       - uses: dorny/paths-filter@v3
@@ -162,7 +162,7 @@ jobs:
         id: transform
         uses: RedHatProductSecurity/trestle-bot/actions/rules-transform@main
         with:
-          markdown_path: "md_comp"
+          markdown_dir: "md_comp"
           dry_run: true
 ```
 
@@ -210,7 +210,7 @@ jobs:
       if: steps.trestlebot.outputs.changes == 'true'
       uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
       with:
-        markdown_path: "markdown/components"
+        markdown_dir: "markdown/components"
         oscal_model: "compdef"
         branch: "sync-upstream-${{ github.run_id }}"
         skip_assemble: true
@@ -244,7 +244,7 @@ jobs:
       - name: Autosync
         uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
         with:
-          markdown_path: "md_comp"
+          markdown_dir: "md_comp"
           oscal_model: "compdef"
           commit_message: "Update content for release [skip ci]"
           version: ${{ github.event.inputs.version }}