Trestle Validation and Troubleshooting
Validation Commands
Validate All Models
bash
trestle validate -a
Validates every OSCAL model in the workspace.
Validate by Type
bash
trestle validate -t catalog -n my-catalog trestle validate -t profile -n my-profile trestle validate -t component-definition -n my-compdef trestle validate -t system-security-plan -n my-ssp trestle validate -t assessment-plan -n my-assessment trestle validate -t assessment-results -n my-results trestle validate -t plan-of-action-and-milestones -n my-poam
Validate Specific File
bash
trestle validate -f catalogs/my-catalog/catalog.json
Common Validation Errors
Schema Validation Errors
| Error | Cause | Fix |
|---|---|---|
Additional properties not allowed | Extra fields in JSON not in OSCAL schema | Remove the unexpected field |
required property 'uuid' missing | Missing required UUID field | Add a valid UUID (python -c "import uuid; print(uuid.uuid4())") |
is not of type 'string' | Wrong data type for a field | Check the OSCAL schema for expected type |
does not match pattern | Value doesn't match expected regex | Check format requirements (e.g., UUID, date-time) |
Workspace Structure Errors
| Error | Cause | Fix |
|---|---|---|
Not in a trestle workspace | No .trestle/ directory found | Run trestle init or navigate to workspace root |
Model not found | Model directory or file doesn't exist | Check spelling, ensure model was imported |
Duplicate model names | Two models share the same name | Rename one of the conflicting models |
Authoring Errors (Generate/Assemble)
| Error | Cause | Fix |
|---|---|---|
Markdown directory not found | Generated markdown directory missing | Run trestle author *-generate first |
YAML header parse error | Invalid YAML in markdown frontmatter | Fix YAML syntax in the control markdown file |
Unexpected markdown structure | Manual edits broke expected format | Regenerate markdown and reapply changes |
Parameter not found | Reference to non-existent parameter ID | Check parameter IDs in catalog/profile |
Import Errors
| Error | Cause | Fix |
|---|---|---|
Invalid OSCAL model | Source file isn't valid OSCAL | Validate the source file against OSCAL schema |
Model type mismatch | File content doesn't match -t flag | Verify the model type or omit -t for auto-detection |
File format not supported | Unsupported file extension | Use .json or .yaml/.yml |
Troubleshooting Guide
Step 1: Check Workspace Health
bash
# Verify workspace ls -la .trestle/ # Check config cat .trestle/config.ini # List all models ls catalogs/ profiles/ component-definitions/ system-security-plans/ 2>/dev/null
Step 2: Run Full Validation
bash
trestle validate -a 2>&1
Step 3: Check Individual Models
For each model that fails validation:
bash
# Validate specific model with verbose output
trestle validate -t <type> -n <name>
# Check the model file directly
python -c "import json; json.load(open('<path>/model.json'))"
Step 4: Common Fixes
Fix Invalid UUIDs
python
import uuid print(str(uuid.uuid4()))
Replace any malformed or missing UUIDs with fresh ones.
Fix YAML Header Issues in Markdown
Common YAML problems in control markdown:
- •Missing quotes around values with special characters
- •Incorrect indentation (YAML requires consistent spaces, not tabs)
- •Missing
---delimiters around frontmatter
Fix Broken Import References
Profiles reference catalogs by href. Check:
json
"imports": [
{ "href": "trestle://catalogs/nist-800-53/catalog.json" }
]
The referenced catalog must exist at that path in the workspace.
Fix Assembly Failures
If assemble fails after markdown edits:
- •Check the YAML header hasn't been corrupted
- •Verify no structural markdown elements were deleted (headers, dividers)
- •Try regenerating and re-applying changes:
Then diff the fresh output against your edited version.bash
trestle author ssp-generate --name <ssp> --output <md_dir>-fresh
Step 5: Reset and Recover
If a model is badly corrupted:
- •Check if
dist/has a previously assembled good copy - •Re-import from the original source
- •Use git history to recover previous versions
Validation Best Practices
- •Validate after every change: Run
trestle validateafter imports, edits, and assemblies - •Validate before committing: Add validation to your pre-commit workflow
- •Use CI/CD validation: Run
trestle validate -ain pipelines - •Keep backups: Assemble to
dist/regularly as validated snapshots - •Version control: Use git to track all changes to OSCAL models
- •One format per directory: Don't mix JSON and YAML in the same model directory
Error Message Reference
Trestle validation errors follow this pattern:
code
ERROR: [model_type] [model_name]: [error_description]
When reporting issues:
- •Include the full error message
- •Note which command triggered the error
- •Provide the trestle version (
trestle version) - •Include the Python version (
python --version)
What Each Validator Checks
Trestle includes several specialized validators that go beyond basic schema validation:
| Validator | What It Checks | What It Misses | When to Use |
|---|---|---|---|
duplicates | Duplicate UUIDs within a single model | Cross-model UUID collisions | After manual UUID edits or model merges |
refs | Internal UUID cross-references resolve (e.g., a finding's related-observations points to a real observation UUID) | References to external models | After editing assessment-results or POA&M files with UUID references |
links | href values point to files and resources that exist | Whether the linked content is valid OSCAL | After restructuring workspace directories or renaming files |
catalog | Catalog-specific structure: valid groups, controls, parameters, and back-matter | Semantic correctness of control text | After importing or manually editing catalogs |
rules | Component-definition rule consistency: rule IDs, parameter references, and control mappings | Whether rules are actually testable | After csv-to-oscal-cd or manual component-definition edits |
Run specific validators with:
bash
trestle validate -t <model-type> -n <model-name>
All validators run automatically as part of trestle validate -a.
Validating Split Files
After using trestle split, individual fragment files are not standalone valid OSCAL documents. Validation must follow the correct workflow:
- •
Never validate mid-split — a split model's root file references child files via the trestle split convention. The individual pieces won't pass schema validation on their own.
- •
Always merge before validating:
bashtrestle merge -e catalog.* # merge all split parts back trestle validate -t catalog -n my-catalog
- •
Partial sanity check — while you shouldn't schema-validate split files, you can verify they are valid JSON:
bashpython -c "import json, pathlib; [json.loads(p.read_text()) for p in pathlib.Path('.').rglob('*.json')]" - •
Pattern: The correct workflow is always split → edit → merge → validate. Never skip the merge step before validation.
CI/CD Validation Patterns
GitHub Actions Workflow
yaml
name: OSCAL Validation
on:
pull_request:
paths:
- 'catalogs/**'
- 'profiles/**'
- 'component-definitions/**'
- 'system-security-plans/**'
- 'assessment-results/**'
- 'plan-of-action-and-milestones/**'
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install trestle
run: pip install compliance-trestle
- name: Initialize trestle workspace
run: |
cd ${{ github.workspace }}
trestle init --govdocs
- name: Validate all OSCAL models
run: |
trestle validate -a 2>&1 | tee validation-report.txt
if grep -q "ERROR" validation-report.txt; then
echo "::error::OSCAL validation failed"
exit 1
fi
- name: Validate governed docs
run: trestle author docs validate -tn policies -hv
- name: Upload validation report
if: always()
uses: actions/upload-artifact@v4
with:
name: validation-report
path: validation-report.txt
Pre-commit Hook
yaml
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: trestle-validate
name: Validate OSCAL models
entry: bash -c 'trestle validate -a'
language: system
pass_filenames: false
files: '\.(json|yaml|yml)$'
Tip: For faster feedback during development, validate only the model you changed:
bash
trestle validate -t system-security-plan -n my-ssp
Reserve trestle validate -a for CI/CD pipelines.
Validation After Assessment and POA&M Edits
Assessment results and POA&M documents use JSON-based workflows (split/merge rather than generate/assemble). Validation is critical after every merge because these models have dense UUID cross-references.
Common Assessment Validation Issues
| Issue | Cause | Fix |
|---|---|---|
Missing import-ap href | Assessment results must reference an assessment plan | Set import-ap.href to a valid path (e.g., trestle://assessment-plans/my-plan/assessment-plan.json) |
Findings without target.status | Every finding needs a determination status | Add target.status.state with value satisfied or not-satisfied |
| Orphaned observation UUIDs | A finding references an observation that was deleted | Update the finding's related-observations list or restore the observation |
Common POA&M Validation Issues
| Issue | Cause | Fix |
|---|---|---|
| Broken observation UUID references | POA&M item references a non-existent observation | Check poam-items[].related-observations UUIDs match actual observations |
| Broken risk UUID references | POA&M item references a non-existent risk | Check poam-items[].related-risks UUIDs match actual risks in the model |
Missing import-ssp href | POA&M must reference its parent SSP | Set import-ssp.href to the SSP path |
Tip: Always validate with the specific type for faster feedback:
bash
trestle validate -t assessment-results -n my-results trestle validate -t plan-of-action-and-milestones -n my-poam
Cross-References
- •trestle-authoring-workflow: The generate → assemble cycle where validation catches structural errors before they propagate
- •trestle-assessment: JSON-based assessment-results workflow where
refsvalidation is essential - •trestle-poam: JSON-based POA&M workflow with dense UUID cross-references requiring
refsandduplicatesvalidation - •trestle-governance: Combining OSCAL schema validation with document structure validation for complete coverage