OSCAL Artifacts
The oscal artifacts command group lists and downloads validated OSCAL export
artifacts — system security plans (SSP), assessment plans (SAP) and results
(SAR), POA&Ms, and component definitions — that the Pretorin platform generates
and validates for a system.
These are read-only over the public API: artifact generation stays on the platform (app surface). The CLI’s job is the consumer side — listing what exists and downloading the latest validated package, which is exactly what a CI/CD machine-readable export pipeline (e.g. the FedRAMP RFC-0024 flow) needs.
Not the same as
pretorin frameworks export-oscal. That command converts a unified framework catalog to/from OSCAL catalog format. This group manages generated, document-level export artifacts for a system.
Only artifacts with generation_state = succeeded and
validation_status = valid are returned — every listed artifact is downloadable
and has passed validation. Authentication uses an API token with READ scope.
List Artifacts
# All validated artifacts for the active system
pretorin oscal artifacts list
# Filter by type and framework
pretorin oscal artifacts list --type ssp
pretorin oscal artifacts list --type sar --framework fedramp-moderate
# Explicit system, paginated
pretorin oscal artifacts list --system "My System" --limit 100 --offset 0
| Option | Description |
|---|---|
--type / -t | Filter by type: ssp, sap, sar, poam, component_definition, bundle |
--framework / -f | Filter by framework ID |
--assessment / -a | Filter by assessment ID |
--system / -s | System name or ID (uses active context if unset) |
--limit / -l | Page size, 1–100 (default 50) |
--offset | Pagination offset |
Show Artifact Detail
pretorin oscal artifacts show <artifact_id>
Shows full metadata — oscal_version, generator_version, file size,
checksum_sha256 — plus the two-tier validation report (tier 1 model validation,
tier 2 metaschema validation).
Download an Artifact
pretorin oscal artifacts download <artifact_id>
pretorin oscal artifacts download <artifact_id> --output ssp.json
pretorin oscal artifacts download <artifact_id> --no-verify
| Option | Description |
|---|---|
--output / -o | Output file or directory (default: <type>.json, e.g. ssp.json) |
--verify / --no-verify | Verify SHA-256 against artifact metadata (default: on) |
--system / -s | System name or ID (uses active context if unset) |
The download fetches the canonical stored bytes from a presigned URL and verifies
their SHA-256 against the artifact’s checksum_sha256. On a checksum mismatch
the file is not written and the command exits non-zero. The presigned URL is
fetched without the platform API token, so your credentials never reach object
storage.
Get the Latest Validated Artifact
The CI/CD sugar: fetch the newest validated artifact of a given type in one call.
# Print the latest SSP's metadata
pretorin oscal artifacts latest --type ssp
# Download it (checksum-verified) to ssp.json
pretorin oscal artifacts latest --type ssp --download --output ssp.json
| Option | Description |
|---|---|
--type / -t | Artifact type (required) |
--download / -d | Download the latest artifact instead of just printing metadata |
--output / -o | Output path (with --download) |
--framework / -f | Filter by framework ID |
--assessment / -a | Filter by assessment ID |
--verify / --no-verify | Verify SHA-256 (with --download) |
If no validated artifact of the requested type exists, the command prints a clear message and exits non-zero — so a pipeline step fails loudly rather than silently shipping nothing.
CI/CD Export Example
Download the latest validated SSP as part of a machine-readable export pipeline. The non-zero exit on “no valid artifact” gates the build automatically:
# .github/workflows/oscal-export.yml
name: OSCAL Export
on:
workflow_dispatch:
schedule:
- cron: "0 6 * * 1" # weekly
jobs:
export:
runs-on: ubuntu-latest
env:
PRETORIN_API_KEY: ${{ secrets.PRETORIN_API_KEY }} # READ scope is sufficient
PRETORIN_SYSTEM_ID: ${{ vars.PRETORIN_SYSTEM_ID }}
steps:
- run: pipx install pretorin-cli
# Fails the job if no validated SSP exists yet.
- name: Download latest validated SSP
run: pretorin oscal artifacts latest --type ssp --download --output ssp.json
- name: Upload OSCAL package
uses: actions/upload-artifact@v4
with:
name: oscal-ssp
path: ssp.json
The downloaded JSON declares its own oscal_version (artifacts emit OSCAL 1.2.1,
trestle-validated), so downstream consumers always know exactly what they got.
See Also
- Framework Browsing — including
frameworks export-oscalfor catalog conversion - MCP Tool Reference —
list_oscal_artifacts/get_oscal_artifact