OpenSec Atlas

oscal-deep-diff: An Open Source Tool for Governance, Risk, and Compliance (GRC) | OpenSec Atlas

Governance, Risk, and Compliance (GRC)

Tool

oscal-deep-diff

OSCAL Deep Diff is a CLI and library tool that performs schema-agnostic, configurable deep comparisons of JSON-based OSCAL artifacts.

View on GitHub

About This Tool

Open Security Controls Assessment Language (OSCAL) Deep Differencing Tool

Primary Use Case

This tool is designed for compliance auditors, risk assessors, and security automation professionals who need to compare different versions or instances of OSCAL JSON documents to identify changes, inconsistencies, or updates. It helps organizations automate and streamline governance, risk, and compliance (GRC) workflows by providing detailed, customizable differencing of complex nested JSON data.

Key Features

Schema-agnostic deep comparison of JSON artifacts
Configurable comparison behavior including case sensitivity and ignored fields
Ability to match complex nested arrays of objects even if out of order
Tailored comparator configurations for OSCAL Catalogs and other OSCAL artifacts
CLI and library usage modes
Open public domain licensing
Support for JSON pointer-based configuration to control differencing behavior

Insights & Recommendations

Users should prepare a configuration YAML file specifying the paths to the JSON documents to compare and optionally customize comparator behavior to ignore or case-sensitize specific fields. The tool is optimized for OSCAL artifacts but can be used for other JSON documents with appropriate configuration. Matching behavior for nested arrays can be fine-tuned to ensure meaningful comparisons, especially for control objects in OSCAL Catalogs.

Installation

Install the CLI globally via npm: npm install -g @oscal/oscal-deep-diff

Usage

oscal-deep-diff --config config.yaml

Runs the deep diff tool using the specified YAML configuration file to compare two JSON documents and produce a diff output.

Smart Usage Notes

Integrate OSCAL Deep Diff into automated GRC pipelines to continuously detect drift in compliance posture.Use configurable differencing to tailor compliance audits for specific regulatory frameworks or internal policies.Leverage the tool’s schema-agnostic design to extend beyond OSCAL artifacts for other JSON-based security configurations.Combine with vulnerability scanning tools to correlate compliance deviations with technical vulnerabilities for prioritized remediation.Employ in purple team exercises to validate control implementation and identify gaps between policy and actual configurations.