Skip to content
EC2 Testing Matrix

added inputs to allow indication of operational requirements document… #98

Sign in to view logs

added inputs to allow indication of operational requirements document…

added inputs to allow indication of operational requirements document… #98

Workflow file for this run

.github/workflows/verify-ec2.yml at d150eb0
name: EC2 Testing Matrix
on:
pull_request:
push:
branches:
- main
jobs:
validate:
name: Validate my profile
runs-on: ubuntu-latest
env:
CHEF_LICENSE: accept-silent
CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
KITCHEN_LOCAL_YAML: kitchen.ec2.yml
SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }}
SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }}
PLATFORM: "rhel-9"
LC_ALL: "en_US.UTF-8"
strategy:
matrix:
suite: ["vanilla", "hardened"]
fail-fast: false
steps:
- name: add needed packages
run: |
sudo apt-get update
sudo apt-get -y install jq
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.SAF_AWS_REGION }}
- name: Check out repository
uses: actions/checkout@v4
- name: Clone full repository so we can push
run: git fetch --prune --unshallow
- name: Set short git commit SHA
id: vars
run: |
calculatedSha=$(git rev-parse --short ${{ github.sha }})
echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
- name: Confirm git commit SHA output
run: echo ${{ env.COMMIT_SHORT_SHA }}
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: "3.1"
- name: Disable ri and rdoc
run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
- name: Run Bundle Install
run: bundle install
- name: Installed Inspec
run: bundle exec inspec version
- name: Vendor the Profile
run: bundle exec inspec vendor . --overwrite
- name: Run kitchen test
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
continue-on-error: true
run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-${{ env.PLATFORM }}
- name: Save our ${{ matrix.suite }} results summary
continue-on-error: true
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/saf_action@v1.5.2
with:
command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json"
- name: Save Test Result JSON
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: actions/upload-artifact@v4
with:
name: ${{ env.PLATFORM }}_${{ matrix.suite }}.json
path: spec/results/
- name: Upload ${{ matrix.suite }} to Heimdall
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
continue-on-error: true
run: |
curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.PLATFORM }}_${{ matrix.suite }}-${{ env.COMMIT_SHORT_SHA }}.json" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
- name: Display our ${{ matrix.suite }} results summary
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/saf_action@v1.5.2
with:
command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json"
- name: Generate Markdown Summary
continue-on-error: true
id: generate-summary
run: |
cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json | python markdown-summary.py > spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md
cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY
- name: Ensure the scan meets our ${{ matrix.suite }} results threshold
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/saf_action@v1.5.2
with:
command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"