AgentSkillsCN

trestle-task-system

了解 Compliance Trestle 的数据转换与变换任务系统。适用于用户询问 CSV 导入、XLSX 导入、XCCDF 结果、Tanium 结果、CIS 基准、将数据转换为 OSCAL、config.ini 任务配置、Trestle 任务,或如何将扫描结果转化为评估结果时使用。

SKILL.md
--- frontmatter
name: trestle-task-system
description: >-
  Knowledge about the Compliance Trestle task system for data conversion and transformation.
  Use when users ask about CSV import, XLSX import, XCCDF results, Tanium results, CIS benchmarks,
  data conversion to OSCAL, config.ini task configuration, trestle tasks, or converting scan results
  to assessment results.
allowed-tools: Bash, Read, Glob, Grep, Write, Edit

Trestle Task System

The trestle task system converts external data formats (CSV, XLSX, XCCDF, Tanium, CIS benchmarks) into OSCAL documents and vice versa. Tasks are configured via config.ini sections and run with trestle task <name>.

Available Tasks

Into OSCAL

Task NameInput FormatOutput OSCAL Type
csv-to-oscal-cdCSVComponent Definition
xlsx-to-oscal-cdXLSXComponent Definition
xlsx-to-oscal-profileXLSXProfile
xccdf-result-to-oscal-arXCCDF XML resultsAssessment Results
tanium-result-to-oscal-arTanium JSON resultsAssessment Results
cis-xlsx-to-oscal-catalogCIS benchmark XLSXCatalog
cis-xlsx-to-oscal-cdCIS benchmark XLSXComponent Definition
ocp4-cis-profile-to-oscal-catalogOCP4 CIS profile YAMLCatalog
ocp4-cis-profile-to-oscal-cdOCP4 CIS profile YAMLComponent Definition

From OSCAL

Task NameInput OSCAL TypeOutput Format
oscal-catalog-to-csvCatalogCSV
oscal-profile-to-osco-profileProfileOSCO YAML

Configuration Format

Tasks are configured in .trestle/config.ini using INI-style sections:

ini
[task.csv-to-oscal-cd]
title = My Component Definition
version = 1.0
csv-file = data/controls.csv
output-dir = component-definitions/my-component
output-overwrite = true

The section name follows the pattern [task.<task-name>].

Task-Specific Configuration

csv-to-oscal-cd

The most commonly used task. Converts a CSV file with control mappings into an OSCAL Component Definition.

Required keys:

  • title — Component definition title
  • version — Component definition version
  • csv-file — Path to the CSV file
  • output-dir — Output directory for the generated OSCAL JSON

Optional keys:

  • component-definition — Path to existing component-definition to merge with
  • class.column-name — Class to associate with a CSV column name
  • output-overwritetrue (default) or false
  • validate-controlson, warn, or off (default)

CSV Column Mapping: The CSV file should contain columns that map to OSCAL control implementation fields. The task reads column headers and maps them to the component definition structure. Common columns include: Rule_Id, Rule_Description, Component_Title, Control_Id_List, Parameter_Id, Parameter_Value.

xccdf-result-to-oscal-ar

Converts XCCDF scan results (e.g., from OpenSCAP) into OSCAL Assessment Results.

Required keys:

  • input-dir — Directory containing XCCDF result XML files
  • output-dir — Output directory

Optional keys:

  • checkingtrue/false (default: false)
  • output-overwritetrue/false (default: true)
  • quiettrue/false (default: false)
  • title — Title for the assessment results (default: "XCCDF")
  • description — Description (default: "XCCDF Scan Results")
  • type — Assessor type (default: "Validator")
  • timestamp — ISO 8601 timestamp override

tanium-result-to-oscal-ar

Converts Tanium compliance scan results into OSCAL Assessment Results.

Required keys:

  • input-dir — Directory containing Tanium result JSON files
  • output-dir — Output directory

Optional keys:

  • blocksize — Lines per CPU for parallel processing
  • cpus-max — Maximum CPUs (default: 1)
  • cpus-min — Minimum CPUs
  • aggregatetrue (default) or false
  • cachingtrue (default) or false
  • checkingtrue/false (default: false)
  • output-overwritetrue/false (default: true)
  • quiettrue/false (default: false)
  • timestamp — ISO 8601 timestamp override

oscal-catalog-to-csv

Exports an OSCAL Catalog to CSV format.

Required keys:

  • input-file — Path to the catalog JSON/YAML file
  • output-dir — Output directory

Optional keys:

  • output-name — CSV filename
  • output-overwritetrue/false (default: true)
  • levelcontrol or statement (default: statement)

cis-xlsx-to-oscal-cd

Converts CIS benchmark spreadsheets into OSCAL Component Definitions.

Required keys:

  • benchmark-file — Path to the CIS benchmark .xlsx file
  • benchmark-title — CIS benchmark title
  • benchmark-version — Benchmark version
  • component-name — Component name
  • component-description — Component description
  • component-type — Component type
  • namespace — Namespace for properties
  • output-dir — Output directory
  • profile-version — Profile version
  • profile-source — Profile source
  • profile-description — Profile description

Optional keys:

  • benchmark-control-prefix — Default: cisc-
  • benchmark-rule-prefix — Default: CIS-
  • benchmark-sheet-name — Default: Combined Profiles
  • output-overwritetrue/false (default: true)

Running Tasks

bash
# List available tasks
trestle task -l

# Show config requirements for a task
trestle task csv-to-oscal-cd -i

# Run a task (uses .trestle/config.ini by default)
trestle task csv-to-oscal-cd

# Run with a specific config file
trestle task csv-to-oscal-cd -c my-config.ini

Common Patterns

Import scan results for continuous monitoring

ini
[task.xccdf-result-to-oscal-ar]
input-dir = scan-results/latest
output-dir = assessment-results/latest-scan
output-overwrite = true
title = Weekly Compliance Scan
description = Automated XCCDF scan results

Build component definitions from spreadsheets

ini
[task.csv-to-oscal-cd]
title = Application Controls
version = 1.0
csv-file = data/app-controls.csv
output-dir = component-definitions/my-app
validate-controls = warn

Export catalog for review

ini
[task.oscal-catalog-to-csv]
input-file = catalogs/nist-800-53/catalog.json
output-dir = exports
output-name = nist-controls.csv
level = control

CSV Column Reference for csv-to-oscal-cd

The csv-to-oscal-cd task reads specific column headers from the CSV file to build the component definition. All column names are case-sensitive.

Column HeaderRequiredDescription
Rule_IdYesUnique identifier for the rule (e.g., rule-ac-1)
Rule_DescriptionYesHuman-readable description of what the rule checks
Component_TitleYesName of the component this rule belongs to
Component_TypeNoComponent type (default: Service). Valid: Software, Hardware, Service, Policy, Process, Plan, Guidance, Standard, Validation
Control_Id_ListYesOSCAL control IDs this rule maps to (comma-separated, e.g., ac-1,ac-2)
Parameter_IdNoParameter identifier for the rule
Parameter_DescriptionNoHuman-readable description of the parameter
Parameter_Value_AlternativesNoAllowed values for the parameter (comma-separated)
Profile_SourceNoProfile href (e.g., trestle://profiles/my-profile/profile.json)
Profile_DescriptionNoDescription of the profile being referenced
NamespaceNoNamespace for rule properties (e.g., https://my-org.com/ns/oscal)
Check_IdNoIdentifier for automated check (e.g., XCCDF check ID)
Check_DescriptionNoDescription of the automated check

Example CSV

csv
Rule_Id,Rule_Description,Component_Title,Component_Type,Control_Id_List,Parameter_Id,Parameter_Value_Alternatives,Profile_Source,Namespace
rule-ac-1,Ensure access control policy exists,My Application,Service,ac-1,,,trestle://profiles/nist-800-53/profile.json,https://my-org.com/ns/oscal
rule-ac-2-a,Validate account types are defined,My Application,Service,ac-2,,,,https://my-org.com/ns/oscal
rule-ac-2-timeout,Check session timeout,My Application,Service,ac-2,ac-2-timeout-param,"15,30,60",trestle://profiles/nist-800-53/profile.json,https://my-org.com/ns/oscal
rule-cm-1,Configuration management policy review,My Application,Service,cm-1,,,trestle://profiles/nist-800-53/profile.json,https://my-org.com/ns/oscal
rule-ia-2,MFA for privileged accounts,Identity Provider,Service,"ia-2,ia-2.1",,,trestle://profiles/nist-800-53/profile.json,https://my-org.com/ns/oscal

Note: When Control_Id_List contains multiple controls, wrap the value in quotes if it contains commas.

Testing Tasks Before Full Runs

Before running a task against production data:

  1. Check required configuration — use -i (info) to see what config keys are needed:

    bash
    trestle task csv-to-oscal-cd -i
    

    This prints all required and optional configuration keys with descriptions.

  2. Use a small test input — create a 3-5 row CSV or a minimal XML/JSON file to verify the mapping works before processing full datasets.

  3. Validate the output — after the task completes, run validation on the generated OSCAL:

    bash
    trestle validate -f <output-dir>/component-definition.json
    
  4. Import into workspace — only after validation passes, import the result:

    bash
    trestle import -f <output-dir>/component-definition.json -o my-component
    

Troubleshooting Task Failures

ErrorCauseFix
KeyError: 'csv-file'Missing required config key in .trestle/config.iniAdd the missing key to the [task.<name>] section. Run trestle task <name> -i to see all required keys
FileNotFoundError or File not foundInput file path doesn't exist. Relative paths resolve from the workspace rootUse absolute paths or verify the path relative to the directory containing .trestle/
No controls foundCSV column headers don't match expected names (case-sensitive)Check column names exactly match the reference table above (e.g., Rule_Id not rule_id)
Validation error in outputInput data references invalid control IDs or malformed UUIDsVerify control IDs exist in the target catalog/profile. Fix UUIDs with python -c "import uuid; print(uuid.uuid4())"
UnicodeDecodeErrorFile uses non-UTF-8 encoding (e.g., Windows Latin-1)Re-save the file as UTF-8. In Python: open(f, encoding='utf-8-sig') handles BOM
XML parse error (XCCDF tasks)Malformed or incomplete XCCDF XML fileValidate the XML with xmllint --noout <file>. Ensure the file is a complete XCCDF result, not a partial extract
JSON decode error (Tanium tasks)Malformed Tanium JSON output or truncated fileValidate JSON with python -m json.tool <file>. Check for truncation from export tools
configparser.NoSectionErrorTask section missing from config.iniEnsure the section header matches [task.<exact-task-name>]

Debugging tip: Run trestle with the --verbose flag for detailed logging:

bash
trestle -v task csv-to-oscal-cd

Dual Component Definition Pattern

The csv-to-oscal-cd task supports two distinct component types that together bridge compliance controls to automated assessment. This pattern originates from the COMPASS architecture for end-to-end compliance automation.

Service Component CSV (Control-to-Rule)

Service components declare which rules implement a regulation control for a specific product:

ColumnExample ValuePurpose
Rule_Idrule-ac-2-accountsUnique rule identifier
Rule_DescriptionManage account lifecycleWhat the rule checks
Component_TitleMy Cloud ServiceProduct or service name
Component_TypeServiceMarks this as a service component
Control_Id_Listac-2Regulation controls this rule implements
Parameter_Idtimeout-minutesConfigurable parameter for the rule

Owner: Product vendors and service providers.

Validation Component CSV (Rule-to-Check)

Validation components declare which PVP checks validate a rule:

ColumnExample ValuePurpose
Rule_Idrule-ac-2-accountsMust match a Service component rule
Rule_DescriptionManage account lifecycleSame rule, different perspective
Component_TitleAuditree PVPAssessment tool name
Component_TypeValidationMarks this as a validation component
Control_Id_Listac-2Same controls as the service rule
Check_Iddemo.checks.test_github.GitHubOrgs.test_membersPVP-specific check identifier
Check_DescriptionVerify org members existWhat the check validates

Owner: Assessment tool vendors, PVP providers, compliance engineers.

Example Validation CSV

csv
Rule_Id,Rule_Description,Component_Title,Component_Type,Control_Id_List,Check_Id,Check_Description,Profile_Source,Namespace
rule-ac-2-accounts,Manage account lifecycle,Auditree PVP,Validation,ac-2,demo.checks.test_github.GitHubOrgs.test_members_is_not_empty,Verify GitHub org members exist,trestle://profiles/nist-high/profile.json,https://my-org.com/ns
rule-ac-2-timeout,Enforce session timeout,Auditree PVP,Validation,ac-2,demo.checks.test_github.GitHubOrgs.test_timeout,Verify timeout is configured,trestle://profiles/nist-high/profile.json,https://my-org.com/ns
rule-sc-7-boundary,Protect network boundaries,Kyverno PVP,Validation,sc-7,kyverno.check-network-boundary,Verify boundary protection policies,trestle://profiles/nist-high/profile.json,https://my-org.com/ns

When to Use the Dual Pattern

Use the dual pattern when connecting OSCAL compliance artifacts to automated assessment:

  • Auditree: Check_Id = full Python module path of the check method
  • OCM/Kubernetes: Check_Id = policy resource directory name
  • XCCDF/OpenSCAP: Check_Id = XCCDF rule identifier
  • Custom tools: Check_Id = whatever identifier the tool uses to select checks

The Check_Id semantics depend on the PVP. Trestle stores it in the component definition; C2P (Compliance-to-Policy) interprets it when generating PVP-specific configuration.

For the full pipeline context, see the trestle-compliance-pipeline skill.

Cross-References

  • trestle-assessment: Using XCCDF/Tanium task output in the assessment-results workflow (import → split → edit → merge)
  • trestle-validation: Validating task output before importing into the workspace
  • trestle-control-implementation: Understanding the component-definition structure that csv-to-oscal-cd produces
  • trestle-compliance-pipeline: End-to-end pipeline, persona ownership, and C2P bridge