-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: wdower <will@dower.dev>
- Loading branch information
Showing
4 changed files
with
399 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
name: Lint & Check the Profile | ||
|
||
on: | ||
push: | ||
branches-ignore: | ||
- none | ||
pull_request: | ||
|
||
jobs: | ||
validate: | ||
name: Lint | ||
runs-on: ubuntu-latest | ||
env: | ||
CHEF_LICENSE: accept-silent | ||
CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} | ||
KITCHEN_LOCAL_YAML: kitchen.ec2.yml | ||
LC_ALL: "en_US.UTF-8" | ||
steps: | ||
- name: add needed packages | ||
run: sudo apt-get install -y jq | ||
|
||
- name: Check out repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Clone full repository so we can push | ||
run: git fetch --prune --unshallow | ||
|
||
- name: Set short git commit SHA | ||
id: vars | ||
run: | | ||
calculatedSha=$(git rev-parse --short ${{ github.sha }}) | ||
echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV | ||
- name: Confirm git commit SHA output | ||
run: echo ${{ env.COMMIT_SHORT_SHA }} | ||
|
||
- name: Get commit message | ||
id: commit | ||
run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})" | ||
|
||
- name: Setup Ruby | ||
uses: ruby/setup-ruby@v1 | ||
with: | ||
ruby-version: "3.1" | ||
|
||
- name: Disable ri and rdoc | ||
run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' | ||
|
||
- name: Run Bundle Install | ||
run: bundle install | ||
|
||
- name: Installed Inspec | ||
run: bundle exec inspec version | ||
|
||
- name: Vendor the Profile | ||
run: bundle exec inspec vendor . --overwrite | ||
|
||
- name: Check the Inspec profile | ||
run: bundle exec rake inspec:check | ||
|
||
- name: Lint the Profile | ||
run: bundle exec rake lint |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,114 @@ | ||
name: UBI9 Testing Matrix | ||
|
||
on: | ||
push: | ||
branches-ignore: | ||
- none | ||
pull_request: | ||
|
||
jobs: | ||
validate: | ||
name: Validate my profile | ||
runs-on: ubuntu-latest | ||
env: | ||
CHEF_LICENSE: accept-silent | ||
CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} | ||
KITCHEN_LOCAL_YAML: kitchen.container.yml | ||
LC_ALL: "en_US.UTF-8" | ||
PLATFORM: 'ubi9' | ||
HARDENED_CONTAINER_IMAGE: "registry1.dso.mil/ironbank/redhat/ubi/ubi9" | ||
VANILLA_CONTAINER_IMAGE: "registry.access.redhat.com/ubi9/ubi:9.3-1610" | ||
strategy: | ||
matrix: | ||
suite: ["vanilla", "hardened"] | ||
fail-fast: false | ||
steps: | ||
- name: add needed packages | ||
run: sudo apt-get install -y jq | ||
|
||
- name: Login to Docker Hub | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ${{ secrets.DOCKERHUB_REGISTRY }} | ||
username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
||
- name: Check out repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Clone full repository so we can push | ||
run: git fetch --prune --unshallow | ||
|
||
- name: Set short git commit SHA | ||
id: vars | ||
run: | | ||
calculatedSha=$(git rev-parse --short ${{ github.sha }}) | ||
echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV | ||
- name: Confirm git commit SHA output | ||
run: echo ${{ env.COMMIT_SHORT_SHA }} | ||
|
||
- name: Get commit message | ||
id: commit | ||
run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})" | ||
|
||
- name: Setup Ruby | ||
uses: ruby/setup-ruby@v1 | ||
with: | ||
ruby-version: "3.1" | ||
|
||
- name: Disable ri and rdoc | ||
run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' | ||
|
||
- name: Run Bundle Install | ||
run: bundle install | ||
|
||
- name: Installed Inspec | ||
run: bundle exec inspec version | ||
|
||
- name: Vendor the Profile | ||
run: bundle exec inspec vendor . --overwrite | ||
|
||
- name: Run kitchen test | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
continue-on-error: true | ||
run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-${{ env.PLATFORM }} | ||
|
||
- name: Create our ${{ matrix.suite }} results summary | ||
continue-on-error: true | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
uses: mitre/saf_action@v1.5.2 | ||
with: | ||
command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json" | ||
|
||
- name: Save Test Result JSON | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results | ||
path: spec/results/ | ||
|
||
- name: Upload ${{ matrix.suite }} to Heimdall | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
continue-on-error: true | ||
run: | | ||
curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations" | ||
- name: Display our ${{ matrix.suite }} results summary | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
uses: mitre/saf_action@v1.5.2 | ||
with: | ||
command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json" | ||
|
||
- name: Generate Markdown Summary | ||
continue-on-error: true | ||
id: generate-summary | ||
run: | | ||
cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json | python markdown-summary.py > spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md | ||
cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY | ||
- name: Ensure the scan meets our ${{ matrix.suite }} results threshold ${{ env.PLATFORM }}_${{ matrix.suite }}.threshold.yml | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
uses: mitre/saf_action@v1.5.2 | ||
with: | ||
command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ env.PLATFORM }}_${{ matrix.suite }}.threshold.yml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,111 @@ | ||
name: DISA Hardened EC2 Testing Matrix | ||
|
||
on: | ||
push: | ||
branches-ignore: | ||
- none | ||
pull_request: | ||
|
||
jobs: | ||
validate: | ||
name: Validate my profile | ||
runs-on: ubuntu-latest | ||
env: | ||
CHEF_LICENSE: accept-silent | ||
CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} | ||
KITCHEN_LOCAL_YAML: kitchen.disa.ec2.yml | ||
PLATFORM: 'rhel-9' | ||
LC_ALL: "en_US.UTF-8" | ||
strategy: | ||
matrix: | ||
suite: ["disa-hardened"] | ||
fail-fast: false | ||
steps: | ||
- name: add needed packages | ||
run: sudo apt-get install -y jq | ||
|
||
- name: Configure AWS credentials | ||
uses: aws-actions/configure-aws-credentials@v4 | ||
with: | ||
aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} | ||
aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} | ||
aws-region: ${{ secrets.SAF_AWS_REGION }} | ||
|
||
- name: Check out repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Clone full repository so we can push | ||
run: git fetch --prune --unshallow | ||
|
||
- name: Set short git commit SHA | ||
id: vars | ||
run: | | ||
calculatedSha=$(git rev-parse --short ${{ github.sha }}) | ||
echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV | ||
- name: Confirm git commit SHA output | ||
run: echo ${{ env.COMMIT_SHORT_SHA }} | ||
|
||
- name: Get commit message | ||
id: commit | ||
run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})" | ||
|
||
- name: Setup Ruby | ||
uses: ruby/setup-ruby@v1 | ||
with: | ||
ruby-version: "3.1" | ||
|
||
- name: Disable ri and rdoc | ||
run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' | ||
|
||
- name: Run Bundle Install | ||
run: bundle install | ||
|
||
- name: Installed Inspec | ||
run: bundle exec inspec version | ||
|
||
- name: Vendor the Profile | ||
run: bundle exec inspec vendor . --overwrite | ||
|
||
- name: Run kitchen test | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
continue-on-error: true | ||
run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-${{ env.PLATFORM }} | ||
|
||
- name: Create our ${{ matrix.suite }} results summary | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
uses: mitre/saf_action@v1.5.2 | ||
with: | ||
command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json" | ||
|
||
- name: Save Test Result JSON | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results | ||
path: spec/results/ | ||
|
||
- name: Upload ${{ matrix.suite }} to Heimdall | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
continue-on-error: true | ||
run: | | ||
curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }},'Supplemental Automation Content v1r12'" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations" | ||
- name: Display our ${{ matrix.suite }} results summary | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
uses: mitre/saf_action@v1.5.2 | ||
with: | ||
command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json" | ||
|
||
- name: Generate Markdown Summary | ||
continue-on-error: true | ||
id: generate-summary | ||
run: | | ||
cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json | python markdown-summary.py > spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md | ||
cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY | ||
- name: Ensure the scan meets our ${{ matrix.suite }} results threshold | ||
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | ||
uses: mitre/saf_action@v1.5.2 | ||
with: | ||
command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml" |
Oops, something went wrong.