Added revised controls.yaml #193
Conversation
as discussed with Eddie
I'm in favor of the general direction of this, but I'm nacking it so it doesn't accidentally get merged while we address
- Updating docs
- Updating the template
- Updating tooling
I do think it would help to have a brief description of the conceptual changes here from what we currently have.
Signed-off-by: Eddie Knight <knight@linux.com>
b4eaff8 to f796eba
* DCO signoff (via `git commit -s` -- [OSPS-LE-01](https://baseline.openssf.org/#osps-le-01))
* All checks must pass ([OSPS-QA-04](https://baseline.openssf.org/#osps-qa-04))
This will need to be updated with the new ID scheme.
Could we hit this and the README together in a follow-up PR?
README.md
The whole structure section will need to be updated, I think.
Could we update this in a follow-on PR to review the whole README?
cmd/internal/cmd/compile.go
The rendered output in your preview doesn't list e.g. OSPS-AC-01.01 under all levels, only Level 1. My understanding of why we now list each level in the yaml suggests that in the rendered version, we should list controls in each of the applicable levels.
I think you're talking about the top overview, right? It took a bit of elbow grease, but the intent here is to only display it on the minimum level it applies to, so we don't have duplicates up top.
I don't think we ended up with any cases where something from a lower level will NOT be needed in a higher.
Do you think we need any changes here?
> I think you're talking about the top overview, right? It took a bit of elbow grease, but the intent here is to only display it on the minimum level it applies to, so we don't have duplicates up top.
I am, but I disagree with the intent. Right now, that's the only way for a project to make a "checklist" of things that they need to do at a given level. Since we haven't done this in the past, though, I'm willing to address that in a follow-up.
Signed-off-by: Eddie Knight <knight@linux.com>
If @eddie-knight promises to address the outstanding documentation issues, I'm willing to accept this. :-)
Signed-off-by: Eddie Knight <knight@linux.com>
This applies changes aligned with the new schema being developed in coordination with our friends on the FINOS Common Cloud Controls project, to enable knowledge sharing and shared tooling over time.