complytime/complyctl

complyctl

ComplyCTL leverages OSCAL to perform compliance assessment activities, using plugins for each stage of the lifecycle.

Documentation

📎 Installation
📎 Quick Start
📎 Sample Component Definition

Basic Usage

Determine the baseline you want to run a scan for and create an OSCAL Assessment Plan. The Assessment Plan will act as configuration to guide the complyctl generation and scanning operations.

list command

complyctl list
...
# Table appears with options. Look at the Framework ID column.

info command

complyctl info <framework-id>
# Display information about a framework's controls and rules.

complyctl info <framework-id> --control <control-id>
# Display details about a specific control.

complyctl info <framework-id> --rule <rule-id>
# Display details about a specific rule.

plan command

complyctl plan <framework-id>
...
# The file will be written out to assessment-plan.json in the specified workspace.
# Defaults to current working directory.

cat complytime/assessment-plan.json
# The default assessment-plan.json will be available in the complytime workspace (complytime/assessment-plan.json).

complyctl plan <framework-id> --dry-run
# See the default contents of the assessment-plan.json.

Use a scope config file to customize the assessment plan:

complyctl plan <framework-id> --dry-run --out config.yml
# Write the plan's scope settings to config.yml with the '--out' flag. Edit config.yml to customize the assessment-plan.json.

Open the config.yml file in a text editor and modify the YAML as desired. The example below shows various options for including and excluding rules.

frameworkId: example-framework
includeControls:
- controlId: control-01
  controlTitle: Title of Control 01
  includeRules:
  - "*" # all rules included by default
- controlId: control-02
  controlTitle: Title of Control 02
  includeRules:
  - "rule-02" # only rule-02 will be included for this control
- controlId: control-03
  controlTitle: Title of Control 03
  includeRules:
  - "*"
  excludeRules:
  - "rule-03" # exclude the single rule rule-03 from control-03 while keeping the rest

globalExcludeRules:
  - "rule-99" # will be excluded for all controls, this takes priority over any includeRules clauses above

The edited config.yml can then be used with the plan command to customize the assessment plan.

complyctl plan <framework-id> --scope-config config.yml
# The config.yml will be loaded by passing '--scope-config' to customize the assessment-plan.json.
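The include/exclude semantics above are easy to get subtly wrong, and a misspelled rule id in includeRules does not fail loudly; it simply narrows what the scan covers. The following script is an added illustration, not complyctl's own implementation: it resolves the effective rule set for the example config.yml shown above against a constructed framework catalogue (FRAMEWORK_RULES is made-up sample data, and SCOPE_CONFIG is the README example as a Python dict rather than parsed YAML), applying the stated precedence (includeRules, then excludeRules, then globalExcludeRules overriding everything) and reporting any control or rule ids the framework does not define. It assumes includeRules entries are either "*" or an exact rule id, which is all the README shows.

```python
"""Resolve the effective rule set described by a complyctl-style scope config.

Added illustration: FRAMEWORK_RULES is constructed sample data and this is
not complyctl's own implementation of scope handling.
"""
from typing import Dict, List, Tuple

# Constructed framework catalogue: control id -> rule ids that control defines.
FRAMEWORK_RULES: Dict[str, List[str]] = {
    "control-01": ["rule-01", "rule-99"],
    "control-02": ["rule-02", "rule-02b"],
    "control-03": ["rule-03", "rule-03b", "rule-99"],
    "control-04": ["rule-04"],
}

# The README's example config.yml, as a dict (what a YAML loader would return).
SCOPE_CONFIG = {
    "frameworkId": "example-framework",
    "includeControls": [
        {"controlId": "control-01", "controlTitle": "Title of Control 01",
         "includeRules": ["*"]},
        {"controlId": "control-02", "controlTitle": "Title of Control 02",
         "includeRules": ["rule-02"]},
        {"controlId": "control-03", "controlTitle": "Title of Control 03",
         "includeRules": ["*"], "excludeRules": ["rule-03"]},
    ],
    "globalExcludeRules": ["rule-99"],
}


def resolve_scope(framework: Dict[str, List[str]],
                  scope: dict) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (effective rules per in-scope control, list of problems).

    Precedence, in the order the README describes it:
      1. only controls listed under includeControls are in scope;
      2. includeRules selects rules ("*" = every rule of the control,
         otherwise an exact rule id; assumption: no other glob syntax);
      3. excludeRules drops rules from that one control;
      4. globalExcludeRules drops rules from every control, overriding
         any includeRules entry.
    Problems collect ids the framework does not define, because a typo
    there would otherwise silently shrink the scan.
    """
    global_excluded = set(scope.get("globalExcludeRules", []))
    effective: Dict[str, List[str]] = {}
    problems: List[str] = []

    for entry in scope.get("includeControls", []):
        control_id = entry["controlId"]
        available = framework.get(control_id)
        if available is None:
            problems.append(f"{control_id}: control not defined in framework")
            continue
        available_set = set(available)

        selected = set()
        for pattern in entry.get("includeRules", []):
            if pattern == "*":
                selected |= available_set
            elif pattern in available_set:
                selected.add(pattern)
            else:
                problems.append(
                    f"{control_id}: includeRules names unknown rule {pattern}")

        for rule in entry.get("excludeRules", []):
            if rule not in available_set:
                problems.append(
                    f"{control_id}: excludeRules names unknown rule {rule}")
            selected.discard(rule)

        # Global exclusions win over every include above.
        selected -= global_excluded
        effective[control_id] = sorted(selected)

    return effective, problems


if __name__ == "__main__":
    rules, issues = resolve_scope(FRAMEWORK_RULES, SCOPE_CONFIG)
    for control, selected in rules.items():
        print(f"{control}: {selected or '(no rules in scope)'}")
    for issue in issues:
        print("warning:", issue)
```

Run it before passing a config to `complyctl plan --scope-config` to see the rules each control will actually contribute; a control that resolves to an empty list, or any warning line, usually means an id was mistyped in config.yml.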

generate command

complyctl generate
# Run the `generate` command to generate the plugin-specific policy artifacts in the workspace.

scan command

complyctl scan
# Run the `scan` command to execute the PVP plugins and create results artifacts. The results will be written to assessment-results.json in the specified workspace.

complyctl scan --with-md
# Results can also be created in Markdown format by passing the `--with-md` flag.

Contributing

📎 Read the contributing guidelines
📎 Read the style guide
📎 Read and agree to the Code of Conduct

Interested in writing a plugin? See the plugin guide.
