How CISA Built an AI-Powered Documentation Pipeline for Logging Made Easy
Hook
Most documentation gets outdated within months of writing. CISA built an AI agent that writes docs, builds containers, and submits pull requests—all from a single command.
Context
Government cybersecurity guidance has a documentation problem. CISA's Logging Made Easy (LME) project helps organizations implement centralized logging infrastructure, but the complexity of deployment guides, agent configurations, and integration tutorials creates a maintenance nightmare. Traditional documentation workflows require writers to manually update markdown files, rebuild sites locally, verify changes across different environments, and submit PRs—a process that takes hours and discourages frequent updates.
The cisagov/lme-docs repository tackles this friction head-on. Rather than simply hosting static documentation on Docusaurus, CISA's team built infrastructure that treats documentation as code with the same rigor as production systems. The result is a documentation pipeline with automated security scanning, containerized preview environments, and an experimental AI agent that handles the entire contribution workflow. It's an example of applying DevOps principles to technical writing—something government projects rarely prioritize but desperately need.
Technical Insight
The architecture starts with Docusaurus 3.x, but the interesting decisions happen in how content flows from creation to deployment. The site structure follows a clear hierarchy: installation guides, agent management, endpoint tools (Sysmon, Winlogbeat), integrations (Elastic, Wazuh), logging guidance, and maintenance procedures. Each section lives as markdown in the docs/ directory with automatic sidebar generation, while a separate blog/ directory handles announcements and updates.
What makes this compelling is the dual development workflow. For quick iterations, contributors run npm start, which spins up a development server with hot-reload at http://localhost:3000/lme-docs/. For production-accurate testing, they use the containerized workflow:
# Build the static site and serve via nginx
docker build -t lme-docs .
docker run -p 8080:80 lme-docs
# Access at http://localhost:8080/ (no /lme-docs/ prefix)
This matters because Docusaurus sites behave differently when served from subdirectories versus root paths. The docusaurus.config.js sets baseUrl: '/lme-docs/' for GitHub Pages deployment, but local previews need to match production behavior exactly. The nginx configuration in the Dockerfile handles this routing, ensuring what contributors see locally matches what users experience in production.
The security posture is unusually robust for a documentation site. The CI/CD pipeline combines three safeguards: on every commit it runs npm audit for Node.js dependencies and OSV-Scanner against both the source code and built container images, and all GitHub Actions are pinned to full commit SHAs rather than version tags:
- name: Checkout
  uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380adc78 # v4.1.6
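A version tag is a mutable reference that can be re-pointed at different code, while a full commit SHA always resolves to the same commit. Pinning to the SHA therefore blocks supply chain attacks in which a compromised action's tag is moved to inject malicious code into the documentation build process, which is critical for a CISA project that serves as trusted security guidance.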
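One way to enforce the pinning rule as a CI gate, shown as an added example (not code from the lme-docs repository): the script flags every `uses:` reference that is not a full 40-character commit SHA. The sample workflow is constructed; `example-org/example-action` and the local action path are hypothetical.

```python
import re

# A step or reusable-workflow reference: `uses: owner/repo@ref` (optionally quoted).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow. The checkout line is the one quoted on this page;
# example-org/example-action and the local action path are hypothetical.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380adc78 # v4.1.6
      - uses: actions/setup-node@v4
      - uses: example-org/example-action@main
      - uses: example-org/example-action@a5ac7e5
      - uses: ./.github/actions/local-build
"""

def classify(ref):
    """Classify one `uses:` value as 'local', 'pinned' or 'mutable'."""
    if ref.startswith("./"):
        return "local"    # lives in this repo, versioned with the workflow itself
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "mutable"
    _, sep, version = ref.partition("@")
    if sep and FULL_SHA_RE.match(version):
        return "pinned"   # immutable: a full 40-character commit SHA
    return "mutable"      # tag, branch or anything short of a full SHA

def audit_workflow(text):
    """Return (line_number, reference, status) for every `uses:` line."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            findings.append((number, match.group(1), classify(match.group(1))))
    return findings

def unpinned(text):
    """Return only the references a CI gate should reject."""
    return [(n, ref) for n, ref, status in audit_workflow(text) if status == "mutable"]

if __name__ == "__main__":
    for number, ref in unpinned(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref} is not pinned to a full commit SHA")
```

The abbreviated SHA on line 9 of the sample is rejected along with the tag and branch references, since only the full 40-character form is treated as pinned.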
The most experimental component is the document-lme AI agent skill located in skills/document-lme/. This isn't just a wrapper around an LLM; it's a complete workflow automation that handles file operations, git operations, container builds, and PR creation. The agent expects three inputs: the topic to document, the target filename, and content structure requirements. It then:
- Generates markdown content based on existing LME documentation patterns
- Writes the file to the appropriate docs/ subdirectory
- Builds a preview container with the new content
- Runs the container so reviewers can verify visual output
- Commits changes and pushes a branch
- Opens a pull request with the container command in the description
The skill requires podman or docker plus the GitHub CLI (gh) to be available. Contributors install it by copying the skill directory to their agent's skill path and configuring environment variables. The workflow looks like:
# Agent command (varies by agent framework)
agent: document the Sysmon configuration process in docs/endpoint/sysmon-config.md
# The skill handles all these steps automatically:
# - Generates markdown with proper frontmatter
# - Updates docusaurus.config.js if needed
# - Builds: docker build -t lme-docs-preview .
# - Runs: docker run -p 8080:80 lme-docs-preview
# - Commits and opens PR with preview instructions
This approach shifts documentation work from "writer opens editor, manually builds, submits PR" to "writer describes what's needed, agent handles implementation details." The container preview step is crucial—it catches rendering issues, broken links, and navigation problems before code review, reducing the feedback loop from days to minutes.
The deployment pipeline publishes to two targets simultaneously: GitHub Pages for the public documentation site and GitHub Container Registry for the Docker image. This dual-publishing strategy means teams can either browse docs on the web or pull the entire documentation site as a container for air-gapped environments—common in government and defense scenarios where internet access is restricted.
Gotcha
The AI agent skill sounds impressive but comes with significant friction. It requires manual installation into agent-specific skill directories, assumes you're running a compatible AI agent framework (the code doesn't specify which ones work), and needs both container runtime and GitHub CLI configured with proper authentication. There's no fallback UI or simplified mode—if any dependency is missing, the skill simply fails. For occasional contributors or non-technical reviewers, this setup cost exceeds the benefit. You're better off editing markdown files directly and using the standard Docker commands.
The repository's community engagement is close to zero: four stars, no topics configured, and the documentation is tightly coupled to the LME project itself. This isn't a reusable framework or template you can fork for your own documentation needs. The sidebar structure, page organization, and content all assume you're working on CISA's Logging Made Easy project specifically. If you're hoping to learn Docusaurus patterns or extract the security scanning setup for your own projects, you'll spend significant time removing LME-specific configurations. The value here is in the ideas (AI-assisted docs, containerized previews, SHA-pinned actions) rather than the code as a reusable artifact.
Verdict
Use if: You're contributing to CISA's Logging Made Easy project and need to update deployment guides, integration tutorials, or maintenance procedures. The containerized preview workflow alone justifies adoption: it catches rendering bugs before reviewers waste time on broken navigation. The AI agent skill is worth experimenting with if you're already running an agent framework and handle frequent documentation updates. Also use this as a reference implementation if you're building government-grade documentation infrastructure and need examples of security scanning, SHA-pinned workflows, and air-gapped deployment strategies.
Skip if: You're searching for a general-purpose Docusaurus template or reusable documentation framework. This repo is purpose-built for LME and requires substantial modification for other projects. Also skip if you want community-validated tooling; the low engagement suggests this hasn't been battle-tested outside CISA's immediate team. For learning Docusaurus, start with the official examples. For AI-assisted documentation, wait for more mature tooling that doesn't require manual agent framework integration. This is a specialized tool for a specialized audience, not a broadly applicable solution.