06 INTERMEDIATE

Compliance-to-policy pipeline

CI/CD pipeline converting OSCAL profiles into executable OPA/Rego policies via GitHub Actions.

Overview

Full GitOps compliance-as-code workflow: commit an OSCAL profile, get executable enforcement policy. The pipeline parses control selections from OSCAL, generates Rego rules per control, runs tests, and deploys to the OPA enforcement tier — entirely automated.

Implementation

Triggered on OSCAL file changes in the repo. Parses control baselines, generates one Rego rule per control with correct metadata, runs policy unit tests (one per rule), produces a coverage report, deploys to OPA, and posts a pass/fail summary as a GitHub PR check.
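The generation and coverage steps described above, as an added example that is not the project's own code: it takes the control selections from an OSCAL profile (the JSON serialization, with the same imports / include-controls / exclude-controls / with-ids structure as the XML form), emits one Rego rule per control carrying OPA METADATA annotations, one unit test per rule, and a coverage report in the shape of the PR-check summary. The profile below is constructed, the `input.evidence[<control>].satisfied` shape the rules check is an assumed convention rather than an OSCAL or OPA standard, and the rules use the `import rego.v1` syntax (OPA 0.59 and later, default in OPA 1.0). Running the generated tests still needs `opa test` in the pipeline; this script only produces the bundle and checks that every selected control has a rule, a test and matching metadata.

```python
"""Added example: OSCAL profile -> one Rego rule and one test per control -> coverage report."""
import json
import re

# Constructed minimal OSCAL profile (JSON form). sc-8 is included and then excluded
# to exercise the exclude path; the uuid is a placeholder.
SAMPLE_PROFILE = json.dumps({
    "profile": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "metadata": {"title": "Example Moderate profile", "version": "1.0"},
        "imports": [{
            "href": "#catalog-placeholder",
            "include-controls": [{"with-ids": ["ac-2", "ac-6", "ia-5", "sc-8"]}],
            "exclude-controls": [{"with-ids": ["sc-8"]}],
        }],
    }
})

# NIST-style control ids: family, dash, number, optional enhancement (ac-2, ac-2.1).
CONTROL_ID = re.compile(r"^[a-z]{2}-\d+(\.\d+)?$")


def select_controls(profile_json):
    """Return the sorted control ids the profile selects (included minus excluded)."""
    profile = json.loads(profile_json)["profile"]
    included, excluded = set(), set()
    for imp in profile.get("imports", []):
        for sel in imp.get("include-controls", []):
            included.update(sel.get("with-ids", []))
        for sel in imp.get("exclude-controls", []):
            excluded.update(sel.get("with-ids", []))
    chosen = included - excluded
    bad = sorted(c for c in chosen if not CONTROL_ID.match(c))
    if bad:  # refuse to generate policy from ids that would not survive as Rego names
        raise ValueError(f"malformed control ids: {bad}")
    return sorted(chosen)


def rego_name(control_id):
    """Rego identifiers cannot contain '-' or '.', so ac-2.1 becomes ac_2_1."""
    return re.sub(r"[^a-z0-9]", "_", control_id)


def generate_rule(control_id, profile_title, profile_version):
    """One package per control; METADATA lets a denial be traced back to the control."""
    name = rego_name(control_id)
    return f"""package compliance.controls.{name}

import rego.v1

# METADATA
# title: {control_id.upper()}
# description: Generated from profile "{profile_title}" version {profile_version}
# custom:
#   control_id: {control_id}
#   profile_version: "{profile_version}"
deny contains msg if {{
    not input.evidence["{control_id}"].satisfied
    msg := sprintf("control %s: no satisfying evidence", ["{control_id}"])
}}
"""


def generate_test(control_id):
    """Matching unit test: denies without evidence, stays quiet with it."""
    name = rego_name(control_id)
    return f"""package compliance.controls.{name}

import rego.v1

test_{name}_denies_without_evidence if {{
    count(deny) > 0 with input as {{"evidence": {{}}}}
}}

test_{name}_allows_with_evidence if {{
    count(deny) == 0 with input as {{"evidence": {{"{control_id}": {{"satisfied": true}}}}}}
}}
"""


def build_bundle(profile_json):
    """Map of bundle path -> Rego source, plus the control list it was built from."""
    meta = json.loads(profile_json)["profile"].get("metadata", {})
    title, version = meta.get("title", "untitled"), meta.get("version", "0")
    controls = select_controls(profile_json)
    bundle = {}
    for c in controls:
        bundle[f"controls/{rego_name(c)}.rego"] = generate_rule(c, title, version)
        bundle[f"controls/{rego_name(c)}_test.rego"] = generate_test(c)
    return controls, bundle


def coverage_report(controls, bundle):
    """PR-check style summary: every selected control needs a rule, a test, and
    metadata whose control_id actually matches the control it was generated for."""
    missing_rule, missing_test, bad_meta = [], [], []
    for c in controls:
        rule_path, test_path = f"controls/{rego_name(c)}.rego", f"controls/{rego_name(c)}_test.rego"
        if rule_path not in bundle:
            missing_rule.append(c)
            continue
        if f"#   control_id: {c}\n" not in bundle[rule_path]:
            bad_meta.append(c)
        if test_path not in bundle:
            missing_test.append(c)
    ok = not (missing_rule or missing_test or bad_meta)
    return {"selected": len(controls), "rules": len(controls) - len(missing_rule),
            "tests": len(controls) - len(missing_test), "bad_metadata": bad_meta,
            "missing_rule": missing_rule, "missing_test": missing_test,
            "status": "PASSED" if ok else "FAILED"}


if __name__ == "__main__":
    ctrls, bndl = build_bundle(SAMPLE_PROFILE)
    rep = coverage_report(ctrls, bndl)
    print(f"Controls selected: {rep['selected']}")
    print(f"{rep['rules']} / {rep['selected']} rules generated, "
          f"{rep['tests']} / {rep['selected']} tests generated, check: {rep['status']}")
```

The generated bundle is what a real run would hand to `opa test` and then to `opa build`; the coverage report deliberately re-reads the emitted source rather than trusting the generator, so a regression that drops or mislabels a control's metadata fails the check even when the file count looks right.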

Terminal output
compliance-to-policy-pipeline.py

[PR #44] Add FedRAMP Moderate profile
Parsing: oscal-fedramp-moderate.xml
Controls selected: 325
Generating Rego rules...
✓ 325 / 325 rules generated
Running policy tests...
✓ 325 / 325 tests passed
Deploying to OPA...
✓ Bundle pushed: compliance-v2.4.1
PR check: PASSED ✓

Stack

GitHub Actions, OSCAL, OPA/Rego, Python

Source code

Full implementation, tests, and documentation available on GitHub.
