Merge pull request #1 from theopenlane/init

init: jsonschema for controls, templates for soc2, nist-csf, nist-800-53

.buildkite/pipeline.yaml

@@ -0,0 +1,69 @@
+env:
+  APP_NAME: ${BUILDKITE_PIPELINE_SLUG}
+  SONAR_HOST: "https://sonarcloud.io"
+steps:
+  - group: ":test_tube: Tests"
+    key: "tests"
+    steps:
+      - label: ":golangci-lint: lint :lint-roller:"
+        key: "lint"
+        plugins:
+          - docker#v5.11.0:
+              image: "ghcr.io/theopenlane/build-image:latest"
+              always-pull: true
+              cancel_on_build_failing: true
+              command: ["task", "go:lint"]
+              environment:
+                - "GOTOOLCHAIN=auto"
+      - label: ":golang: go test"
+        key: "go_test"
+        plugins:
+          - docker#v5.11.0:
+              image: "ghcr.io/theopenlane/build-image:latest"
+              always-pull: true
+              command: ["task", "go:test:cover"]
+        artifact_paths: ["coverage.out"]
+  - group: ":closed_lock_with_key: Security Checks"
+    depends_on: "tests"
+    key: "security"
+    steps:
+      - label: ":closed_lock_with_key: gosec"
+        key: "gosec"
+        plugins:
+          - docker#v5.11.0:
+              image: "securego/gosec:2.20.0"
+              command: ["-no-fail", "-exclude-generated", "-fmt sonarqube", "-out", "results.txt", "./..."]
+              environment:
+                - "GOTOOLCHAIN=auto"
+        artifact_paths: ["results.txt"]
+      - label: ":github: upload PR reports"
+        key: "scan-upload-pr"
+        if: build.pull_request.id != null
+        depends_on: ["gosec", "go_test"]
+        plugins:
+          - artifacts#v1.9.4:
+              download: "results.txt"
+          - artifacts#v1.9.4:
+              download: "coverage.out"
+              step: "go_test"
+          - docker#v5.11.0:
+              image: "sonarsource/sonar-scanner-cli:11"
+              environment:
+                - "SONAR_TOKEN"
+                - "SONAR_HOST_URL=$SONAR_HOST"
+                - "SONAR_SCANNER_OPTS=-Dsonar.pullrequest.branch=$BUILDKITE_BRANCH -Dsonar.pullrequest.base=$BUILDKITE_PULL_REQUEST_BASE_BRANCH -Dsonar.pullrequest.key=$BUILDKITE_PULL_REQUEST"
+      - label: ":github: upload reports"
+        key: "scan-upload"
+        if: build.branch == "main"
+        depends_on: ["gosec", "go_test"]
+        plugins:
+          - artifacts#v1.9.4:
+              download: results.txt
+          - artifacts#v1.9.4:
+              download: coverage.out
+              step: "go_test"
+          - docker#v5.11.0:
+              image: "sonarsource/sonar-scanner-cli:11"
+              environment:
+                - "SONAR_TOKEN"
+                - "SONAR_HOST_URL=$SONAR_HOST"

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @theopenlane/blacksmiths

.github/CONTRIBUTING.md

@@ -0,0 +1,24 @@
+# Contributing
+
+Given external users will not have write to the branches in this repository, you'll need to follow the forking process to open a PR - [here](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork) is a guide from github on how to do so.
+
+Please also read our main [contributing guide](https://github.com/theopenlane/.github/blob/main/CONTRIBUTING.md) in addition to this one; the main guide mostly says that we'd like for you to open an issue first but it's not hard-required, and that we accept all forms of proposed changes given the state of this code base (in it's infancy, still!)
+
+## Pre-requisites to a PR
+
+This repository contains a number of code generating functions / utilities which take schema modifications and scaffold out resolvers, graphql API schemas, openAPI specifications, among other things. To ensure you've generated all the necessary dependencies run `task pr`; this will run the entirety of the commands required to safely generate a PR. If for some reason one of the commands fails / encounters an error, you will need to debug the individual steps. It should be decently easy to follow the `Taskfile` in the root of this repository.
+
+### Pre-Commit Hooks
+
+We have several `pre-commit` hooks that should be run before pushing a commit. Make sure this is installed:
+
+```bash
+brew install pre-commit
+pre-commit install
+```
+
+You can optionally run against all files:
+
+```bash
+pre-commit run --all-files
+```

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,16 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[Bug]"
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug or issue you're encountering**
+
+
+**What are the relevant steps to reproduce, including the version(s) of the relevant software?**
+
+
+**What is the expected behavior?**

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,14 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[Feature Request]"
+labels: enhancement
+assignees: matoszz
+
+---
+
+**Describe how the feature might make your life easier or solve a problem**
+
+**Describe the solution you'd like to see with any relevant context**
+
+**Describe any alternatives you've considered or if there are short-tern vs. long-term options**

.github/labeler.yml

@@ -0,0 +1,37 @@
+# Add 'bug' label to any PR where the head branch name starts with `bug` or has a `bug` section in the name
+bug:
+  - head-branch: ["^bug", "bug"]
+# Add 'enhancement' label to any PR where the head branch name starts with `enhancement` or has a `enhancement` section in the name
+enhancement:
+  - head-branch: ["^enhancement", "enhancement", "^feature", "feature", "^enhance", "enhance", "^feat", "feat"]
+# Add 'breaking-change' label to any PR where the head branch name starts with `breaking-change` or has a `breaking-change` section in the name
+breaking-change:
+  - head-branch: ["^breaking-change", "breaking-change"]
+# Add 'dependencies' label to any PR where the head branch name starts with `dependencies` or has a `dependencies` section in the name
+dependencies:
+  - head-branch: ["^dependencies", "dependencies", "^deps", "deps"]
+ci:
+  - changed-files:
+      - any-glob-to-any-file: .github/**
+      - any-glob-to-any-file: .buildkite/**
+cli:
+  - changed-files:
+      - any-glob-to-any-file: cmd/**
+templates:
+  - changed-files:
+      - any-glob-to-any-file: templates/**
+soc2:
+  - changed-files:
+      - any-glob-to-any-file: frameworks/soc2/**
+nist-800-53:
+  - changed-files:
+      - any-glob-to-any-file: frameworks/nist80053/**
+nist-csf:
+  - changed-files:
+      - any-glob-to-any-file: frameworks/nistcsf/**
+iso27001:
+  - changed-files:
+      - any-glob-to-any-file: frameworks/iso27001/**
+jsonschema:
+  - changed-files:
+      - any-glob-to-any-file: schema/jsonschema/**

.github/release.yml

@@ -0,0 +1,24 @@
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+    authors: []
+  categories:
+    - title: Breaking Changes 🛠
+      labels:
+        - Semver-Major
+        - breaking-change
+    - title: New Features 🎉
+      labels:
+        - Semver-Minor
+        - enhancement
+        - feature
+    - title: Bug Fixes 🐛
+      labels:
+        - bug
+    - title: 👒 Dependencies
+      labels:
+        - dependencies
+    - title: Other Changes
+      labels:
+        - "*"

.github/workflows/labeler.yaml

@@ -0,0 +1,13 @@
+name: "Pull Request Labeler"
+on:
+  - pull_request_target
+jobs:
+  triage:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@v5
+        with:
+          sync-labels: true

.gitignore

@@ -23,3 +23,6 @@ go.work.sum
 
 # env file
 .env
+
+# vscode
+.vscode/*

.golangci.yaml

@@ -0,0 +1,40 @@
+run:
+  timeout: 10m
+  allow-serial-runners: true
+linters-settings:
+  goimports:
+    local-prefixes: github.com/theopenlane/policytemplates
+  gofumpt:
+    extra-rules: true
+  gosec:
+    exclude-generated: true
+  revive:
+    ignore-generated-header: true
+linters:
+  enable:
+    - bodyclose
+    - errcheck
+    - gocritic
+    - gocyclo
+    - err113
+    - gofmt
+    - goimports
+    - mnd
+    - gosimple
+    - govet
+    - gosec
+    - ineffassign
+    - misspell
+    - noctx
+    - revive
+    - staticcheck
+    - stylecheck
+    - typecheck
+    - unused
+    - whitespace
+    - wsl
+issues:
+  fix: true
+  exclude-use-default: true
+  exclude-dirs: []
+  exclude-files: []

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+default_stages: [pre-commit]
+fail_fast: true
+default_language_version:
+  golang: system
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: trailing-whitespace
+        exclude: references\/.*|templates\/.*
+      - id: detect-private-key
+  - repo: https://github.com/google/yamlfmt
+    rev: v0.13.0
+    hooks:
+      - id: yamlfmt
+  - repo: https://github.com/crate-ci/typos
+    rev: v1.25.0
+    hooks:
+      - id: typos

.typos.toml

@@ -0,0 +1,20 @@
+[files]
+extend-exclude = ["go.mod","go.sum"]
+ignore-hidden = true
+ignore-files = true
+ignore-dot = true
+ignore-vcs = true
+ignore-global = true
+ignore-parent = true
+
+[default]
+binary = false
+check-filename = true
+check-file = true
+unicode = true
+ignore-hex = true
+identifier-leading-digits = false
+locale = "en"
+extend-ignore-identifiers-re = []
+extend-ignore-words-re = ["(?i)requestor","(?i)encrypter","(?i)seeked","(?i)indentity"]
+extend-ignore-re = ["(?Rm)^.*//\\s*spellchecker:disable-line$"]

.yamlfmt

@@ -0,0 +1,4 @@
+exclude:
+  - config/
+formatter:
+  retain_line_breaks: true

README.md

@@ -0,0 +1,66 @@
+# Policy Templates
+
+## Description
+
+This repository contains audit compliance templates for multiple frameworks
+including:
+
+- SOC2
+- NIST CSF
+- NIST 800-53
+- ISO27001
+- ... more to come ...
+
+## Usage
+
+There is a `cli` included to generate and validate standards based on a csv
+input. This will parse the data in the provided format and output to a standard
+which must conform to the [jsonschema](schema/jsonschema/frameworks.json)
+
+### Schema
+
+1. Run `task schema` to regenerate the jsonschema(s) based on the framework go
+   structs
+
+   ```
+   task schema
+   task: [schema] go run main.go schema
+   12:55PM INF generating schema
+   12:55PM INF writing schema to file
+   12:55PM INF schema generated successfully file location=schema/jsonschema/frameworks.json
+   ```
+
+### Parse
+
+1. Run `task parse` (or you can run `go run main.go parse` directly), which will
+   bring up a cli prompt
+1. Make a `framework` selection
+   ```
+   task parse
+   task: [parse] go run main.go parse
+   Use the arrow keys to navigate: ↓ ↑ → ←  and / toggles search
+   Frameworks:
+   👉 SOC2
+       NIST CSF
+       NIST 800-53
+       ISO 27001:2022
+
+   Description:        2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022)
+   ```
+1. Make an `output` selection
+   ```
+   task parse
+   task: [parse] go run main.go parse
+   👉 NIST CSF
+   Use the arrow keys to navigate: ↓ ↑ → ←  and / toggles search
+   Output Format:
+   👉 Save To File
+   Standard Out - JSON
+   ```
+1. Result will either go to `stdout` or the files in `templates/standards`
+   depending on the selection
+   ```
+   2:23PM INF parsing compliance standards format=file framework=nist-csf
+   2:23PM INF validating standards against schema
+   2:23PM INF standards saved to file filename=templates/standards/nist-csf-1.1.json
+   ```