CIS Benchmark 2.0.0 update #155

Workflow file for this run

.github/workflows/verify-ec2.yml at b59f7c3

	---
	name: CIS AWS Foundations v2.0.0

	on:
	push:
	branches:
	- main
	pull_request:

	jobs:
	my-job:
	name: Validate my profile
	runs-on: ubuntu-latest
	env:
	CHEF_LICENSE: accept-silent
	CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
	RESULTS_FILE: inspec_results.json
	PROFILE_FILE: profile.json
	INPUT_FILE: default.inputs.yml
	THRESHOLD_FILE: default.threshold.yml
	HEIMDALL_URL: https://heimdall-demo.mitre.org
	steps:
	- name: add needed packages
	run: sudo apt-get install -y jq curl

	- name: Configure AWS credentials
	env:
	AWS_SG_ID: ${{ secrets.SAF_AWS_SG_ID }}
	AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }}

	uses: aws-actions/configure-aws-credentials@v2
	with:
	aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }}
	aws-region: us-east-1

	- name: Check out repository
	uses: actions/checkout@v3

	- name: Clone full repository so we can push
	run: git fetch --prune --unshallow

	- name: Set short git commit SHA
	id: vars
	run: \|
	calculatedSha=$(git rev-parse --short ${{ github.sha }})
	echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV

	- name: Confirm git commit SHA output
	run: echo ${{ env.COMMIT_SHORT_SHA }}

	- name: Setup Ruby
	uses: ruby/setup-ruby@v1
	with:
	ruby-version: "3.1"

	- name: Disable ri and rdoc
	run: 'echo "gem: --no-document" >> ~/.gemrc'

	- name: Bundle Install
	run: bundle install

	- name: Installed Inspec
	run: bundle exec inspec version

	- name: Vendor the InSpec Profile
	run: bundle exec inspec vendor --overwrite

	- name: Lint the Inspec profile
	run: bundle exec inspec check .

	- name: Run the Profile
	run: \|
	bundle exec inspec exec . --target aws:// --input-file=${{ env.INPUT_FILE }} --reporter cli json:${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} --enhanced-outcomes --filter-empty-profiles \|\| true

	- name: Save Test Result JSON
	uses: actions/upload-artifact@v3
	with:
	name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
	path: \|
	./${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}

	- name: Upload to Heimdall
	run: \|
	curl -# -s -F data=@${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE}}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_KEY }}" "${{ env.HEIMDALL_URL }}/evaluations"

	- name: Display our ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} results summary
	uses: mitre/saf_action@v1
	with:
	command_string: "view summary -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}"

	- name: Ensure ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} meets our results threshold
	uses: mitre/saf_action@v1
	with:
	command_string: "validate threshold -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F ${{ env.THRESHOLD_FILE }}"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CIS Benchmark 2.0.0 update #155

Workflow file

CIS Benchmark 2.0.0 update #155

Jobs

Run details

Workflow file for this run