adding github workflows for testing

Signed-off-by: wdower <will@dower.dev>
mitre · Mar 15, 2024 · 5161f66 · 5161f66
1 parent 6cb1b9a
commit 5161f66
Show file tree

Hide file tree

Showing 4 changed files with 399 additions and 0 deletions.
diff --git a/.github/workflows/lint-profile.yml b/.github/workflows/lint-profile.yml
@@ -0,0 +1,62 @@
+name: Lint & Check the Profile
+
+on:
+  push:
+    branches-ignore:
+      - none
+  pull_request:
+
+jobs:
+  validate:
+    name: Lint
+    runs-on: ubuntu-latest
+    env:
+      CHEF_LICENSE: accept-silent
+      CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
+      KITCHEN_LOCAL_YAML: kitchen.ec2.yml
+      LC_ALL: "en_US.UTF-8"
+    steps:
+      - name: add needed packages
+        run: sudo apt-get install -y jq
+
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Clone full repository so we can push
+        run: git fetch --prune --unshallow
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          calculatedSha=$(git rev-parse --short ${{ github.sha }})
+          echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
+
+      - name: Confirm git commit SHA output
+        run: echo ${{ env.COMMIT_SHORT_SHA }}
+
+      - name: Get commit message
+        id: commit
+        run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})"
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.1"
+
+      - name: Disable ri and rdoc
+        run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
+
+      - name: Run Bundle Install
+        run: bundle install
+
+      - name: Installed Inspec
+        run: bundle exec inspec version
+
+      - name: Vendor the Profile
+        run: bundle exec inspec vendor . --overwrite
+
+      - name: Check the Inspec profile
+        run: bundle exec rake inspec:check
+
+      - name: Lint the Profile
+        run: bundle exec rake lint
diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml
@@ -0,0 +1,114 @@
+name: UBI9 Testing Matrix
+
+on:
+  push:
+    branches-ignore:
+      - none
+  pull_request:
+
+jobs:
+  validate:
+    name: Validate my profile
+    runs-on: ubuntu-latest
+    env:
+      CHEF_LICENSE: accept-silent
+      CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
+      KITCHEN_LOCAL_YAML: kitchen.container.yml
+      LC_ALL: "en_US.UTF-8"
+      PLATFORM: 'ubi9'
+      HARDENED_CONTAINER_IMAGE: "registry1.dso.mil/ironbank/redhat/ubi/ubi9"
+      VANILLA_CONTAINER_IMAGE: "registry.access.redhat.com/ubi9/ubi:9.3-1610"
+    strategy:
+      matrix:
+        suite: ["vanilla", "hardened"]
+      fail-fast: false
+    steps:
+      - name: add needed packages
+        run: sudo apt-get install -y jq
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.DOCKERHUB_REGISTRY }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Clone full repository so we can push
+        run: git fetch --prune --unshallow
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          calculatedSha=$(git rev-parse --short ${{ github.sha }})
+          echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
+
+      - name: Confirm git commit SHA output
+        run: echo ${{ env.COMMIT_SHORT_SHA }}
+
+      - name: Get commit message
+        id: commit
+        run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})"
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.1"
+
+      - name: Disable ri and rdoc
+        run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
+
+      - name: Run Bundle Install
+        run: bundle install
+
+      - name: Installed Inspec
+        run: bundle exec inspec version
+
+      - name: Vendor the Profile
+        run: bundle exec inspec vendor . --overwrite
+
+      - name: Run kitchen test
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        continue-on-error: true
+        run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-${{ env.PLATFORM }}
+
+      - name: Create our ${{ matrix.suite }} results summary
+        continue-on-error: true
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        uses: mitre/saf_action@v1.5.2
+        with:
+          command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json"
+
+      - name: Save Test Result JSON
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
+          path: spec/results/
+
+      - name: Upload ${{ matrix.suite }} to Heimdall
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        continue-on-error: true
+        run: |
+          curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
+
+      - name: Display our ${{ matrix.suite }} results summary
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        uses: mitre/saf_action@v1.5.2
+        with:
+          command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json"
+
+      - name: Generate Markdown Summary
+        continue-on-error: true
+        id: generate-summary
+        run: |
+          cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json | python markdown-summary.py > spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md
+          cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY
+
+      - name: Ensure the scan meets our ${{ matrix.suite }} results threshold ${{ env.PLATFORM }}_${{ matrix.suite }}.threshold.yml
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        uses: mitre/saf_action@v1.5.2
+        with:
+          command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ env.PLATFORM }}_${{ matrix.suite }}.threshold.yml"
diff --git a/.github/workflows/verify-disa-hardened-ec2.yml b/.github/workflows/verify-disa-hardened-ec2.yml
@@ -0,0 +1,111 @@
+name: DISA Hardened EC2 Testing Matrix
+
+on:
+  push:
+    branches-ignore:
+      - none
+  pull_request:
+
+jobs:
+  validate:
+    name: Validate my profile
+    runs-on: ubuntu-latest
+    env:
+      CHEF_LICENSE: accept-silent
+      CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
+      KITCHEN_LOCAL_YAML: kitchen.disa.ec2.yml
+      PLATFORM: 'rhel-9'
+      LC_ALL: "en_US.UTF-8"
+    strategy:
+      matrix:
+        suite: ["disa-hardened"]
+      fail-fast: false
+    steps:
+      - name: add needed packages
+        run: sudo apt-get install -y jq
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.SAF_AWS_REGION }}
+
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Clone full repository so we can push
+        run: git fetch --prune --unshallow
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          calculatedSha=$(git rev-parse --short ${{ github.sha }})
+          echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
+
+      - name: Confirm git commit SHA output
+        run: echo ${{ env.COMMIT_SHORT_SHA }}
+
+      - name: Get commit message
+        id: commit
+        run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})"
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.1"
+
+      - name: Disable ri and rdoc
+        run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
+
+      - name: Run Bundle Install
+        run: bundle install
+
+      - name: Installed Inspec
+        run: bundle exec inspec version
+
+      - name: Vendor the Profile
+        run: bundle exec inspec vendor . --overwrite
+
+      - name: Run kitchen test
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        continue-on-error: true
+        run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-${{ env.PLATFORM }}
+
+      - name: Create our ${{ matrix.suite }} results summary
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        uses: mitre/saf_action@v1.5.2
+        with:
+          command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json"
+
+      - name: Save Test Result JSON
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
+          path: spec/results/
+
+      - name: Upload ${{ matrix.suite }} to Heimdall
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        continue-on-error: true
+        run: |
+          curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }},'Supplemental Automation Content v1r12'" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
+
+      - name: Display our ${{ matrix.suite }} results summary
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        uses: mitre/saf_action@v1.5.2
+        with:
+          command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json"
+
+      - name: Generate Markdown Summary
+        continue-on-error: true
+        id: generate-summary
+        run: |
+          cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json | python markdown-summary.py > spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md
+          cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY
+
+      - name: Ensure the scan meets our ${{ matrix.suite }} results threshold
+        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
+        uses: mitre/saf_action@v1.5.2
+        with:
+          command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"