Using GitHub Actions and the OpenRMF Professional API for Automating Cyber Compliance

Dale Bingham
4 min readMar 4, 2024


You can use GitHub Actions to process new/changed files in a GitHub repository and automatically push them to OpenRMF Professional for tracking your cyber compliance. If you use GitHub for storing scan results for your ATO or accreditation package such as CKL, SCAP XML, or .Nessus you can easily enable automated ingest into OpenRMF Professional. Do the same for compliance statements, hardware, software, PPSM, mitigation statements and other lists to use for OpenRMF Professional with this simple workflow.

OpenRMF Professional and GitHub Actions for automation of cyber compliance

The Process

There are a few steps to make this work for you. But the hard work is done for you already in the workflow logic and setup. Use the workflow YML file here in one of our public GitHub (GH) repositories (repos) and go from there.

  • Create Your Repo
  • Setup your folder structure
  • Add your Secrets for the URL, system package, applicationKey and API Token
  • Add the workflow YML file here to your repo
  • Upload your files to a branch
  • Push to main and watch the files get uploaded
  • See the results in OpenRMF Professional
  • Use the results to see what you need to fix and get moving
  • Wash, rinse, repeat!

GitHub Repo Secrets

Most of the OpenRMF Professional APIs have this kind of structure below in the code callout box. The Root URL, System Key, Application Key and API Token are 4 items that are used over and over. So for this GH repo that is saved in secrets so as to not give that data out to everyone. And so the workflow YML file can be used over and over without hard coded edits.

4 secrets in your GH repo to use with the workflow YML file as it is coded

Once you have these 4 secrets setup, the uploadFiles.yml file can be used with your folder structure.

Folder Structure

The uploadFiles.yml linked above has a folder structure for different types of files that OpenRMF Professional can use for your system packages. Each folder is setup to store specific files and keep them separate. The folders are also referenced in the YML file to make sure the proper files go to the proper API calls.

If you change the folder structure, make sure to update the uploadFiles.yml file for your GH workflow accordingly.

  • checklist-files (*.ckl)
  • compliance-scans (*.xml, *.nessus, *.csv Tanium)
  • compliance-statements (*.xlsx, *.json, *.csv)
  • container-scans (left for the user to implement)
  • hardware (*.xlsx, *.json, *.csv)
  • mitigation-statements (*.xlsx, *.json, *.csv)
  • patch-scans (*.nessus, *.xml, *.json)
  • ppsm (*.xlsx, *.json, *.csv)
  • software (*.xlsx, *.json, *.csv)
  • software-scans (left for the user to implement)

Setting up the GitHub Actions Workflow

In the .github/workflows/ folder for your repository you can mimic a file like our workflow YML file (or copy ours )and set it up for push, pull, upload, etc. against the proper branches. Ours is setup to trigger on an approved pull request to the /main branch.

Adjust the folders and file types in the YML file as required based on your folder structure you setup above.

Running a Pull Request to push the files

Once you have files in whatever branch you are using (for us it is /develop), you can do a pull request to the /main branch (or whatever one you have setup for the workflow file). When approved all the actions kick into place.

GH Workflow steps for automating file ingest to OpenRMF Professional

Any updated/new file is grabbed per folder and saved. Then depending on the type, the URL is called to post the files using the 4 secrets referenced above. If all is setup correctly, you can notice your data being updated on the system package dashboard, compliance statement screen, mitigation statement screen and all other relevant places based on the data you collect in your GH repo.

System Package in OpenRMF Professional with all data coming from the GH action integration

Ways to Enhance and Next Steps

So what else can you do with this as a start? A few things come to mind to get your creative brainstorming juices flowing…

  • Have several branches to move your data along, and pushing to /main also in the end calls the API to generate your cyber compliance snapshot based on all the latest data
  • Have nested folders based on dates and adjust to only use the latest and organize by date/time/location
  • Use this uploadFiles.yml in a GH template for all repos and adjust for your system packages, URL, API and such
  • Call some documentation generation APIs from OpenRMF Professional (SSP, RAR, POAM, other lists) and store them locally in the repo with date/time for snapshots with all other data
  • Have a YML or JSON configuration file you read with other information to make the workflow even more dynamic

This is just to get you started with thinking about using data you already have in GitHub to further automate your cyber compliance with OpenRMF Professional. Only your imagination, skill, time, and other applications to integrate will limit you from creating what Gartner calls a Cyber Security Mesh Architecture.

If you have additional edits, ways to automate this, etc. please feel free to fork the GH Action repo and do a P/R to merge. Or enter issues or requests for other ideas as well! We are definitely all smarter collectively when we work at automating our cyber compliance for sure.



Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft