Lula in CI

Lula is designed to evaluate the continual compliance of a system, and as such is a valuable tool to implement in a CI environment to provide rapid feedback to developers if a system moves out of compliance. The Lula-Action Repo supports the use of Lula in github workflows and this document provides an outline for implementation.

Pre-Requisite

To use Lula to validate and evaluate a system in development, a pre-requisite is having an OSCAL Component Definition model, along with linked Lula Validations existing in the repository, a sample structure follows:

.
|-- .github
|   |-- workflows
|-- |-- |-- lint.yaml # Existing workflow to lint
|-- |-- |-- test.yaml # Existing workflow to test system
|-- README.md
|-- LICENSE
|-- compliance
|-- |-- oscal-component.yaml # OSCAL Component Definition
|-- src
|   |-- main
|   |-- test

Steps

  1. Add Lula linting to .github/workflows/lint.yaml:

    name: Lint
    
    on:
        pull_request:
            branches: [ "main" ]
    
    jobs:
        lint:
            runs-on: ubuntu-latest
    
            # ... Other jobs
    
            - name: Setup Lula
              uses: defenseunicorns/lula-action/setup@main
              with:
                version: v0.4.1
    
            - name: Lint OSCAL file
              uses: defenseunicorns/lula-action/lint@main
              with:
                oscal-target: ./compliance/oscal-component.yaml
    
            # ... Other jobs
    

    Additional linting targets may be added to this list as comma separated values, e.g., component1.yaml,component2.yaml. Note that linting is only validating the correctness of the OSCAL.

  2. Add Lula validation and evaluation to the testing workflow, .github/workflows/test.yaml:

    name: Test
    
    on:
    pull_request:
        branches: [ "main" ]
    
    jobs:
        test:
            runs-on: ubuntu-latest
    
            # ... Other jobs
    
            - name: Setup Lula
              uses: defenseunicorns/lula-action/setup@main
              with:
                version: v0.4.1
    
            - name: Validate Component Definition
              uses: defenseunicorns/lula-action/validate@main
              with:
                oscal-target: ./compliance/oscal-component.yaml
                threshold: ./assessment-results.yaml
    
            # ... Other jobs
        test-upgrade:
            runs-on: ubuntu-latest
    
            # ... Jobs to deploy previous system version 
    
            - name: Setup Lula
              uses: defenseunicorns/lula-action/setup@main
              with:
                version: v0.4.1
    
            - name: Validate Component Definition
              uses: defenseunicorns/lula-action/validate@main
              with:
                oscal-target: ./compliance/oscal-component.yaml
                threshold: ./assessment-results.yaml
    
            # ... Jobs to upgrade system to current version
    

    The first validate under test outputs an assessment-results model that provide the assessment of the system in the current state. The second validate that occurs in the test-upgrade job runs a validation on the previous version of the system prior to upgrade. It then compares the old and new assessment results to either pass or fail the job - failure occurs when the current system’s compliance is worse than the old system.