updated actions to run on master, added example action for update maj… #58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CIS AWS Foundations v2.0.0 - Other | |
on: | |
push: | |
branches: | |
- master | |
- main | |
pull_request: | |
jobs: | |
my-job: | |
name: Validate the CIS AWS Benchmark v2.0 | |
runs-on: ubuntu-latest | |
env: | |
CHEF_LICENSE: accept-silent | |
CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} | |
RESULTS_FILE: other_inspec_results.json | |
PROFILE_FILE: profile.json | |
INPUT_FILE: other.inputs.yml | |
THRESHOLD_FILE: other.threshold.yml | |
AWS_REGION: ${{ secrets.OTHER_AWS_REGION }} | |
HEIMDALL_URL: https://heimdall-demo.mitre.org | |
steps: | |
- name: add needed packages | |
run: sudo apt-get install -y jq curl | |
- name: Configure AWS credentials | |
env: | |
AWS_REGION: ${{ secrets.OTHER_AWS_REGION }} | |
#AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }} | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.OTHER_AWS_ACCESS_KEY }} | |
aws-secret-access-key: ${{ secrets.OTHER_AWS_SECRET }} | |
aws-region: ${{ secrets.OTHER_AWS_REGION }} | |
audience: https://sts.${{ secrets.OTHER_AWS_REGION }}.amazonaws.com | |
- name: Check out repository | |
uses: actions/checkout@v3 | |
- name: Clone full repository so we can push | |
run: git fetch --prune --unshallow | |
- name: Set short git commit SHA | |
id: vars | |
run: | | |
calculatedSha=$(git rev-parse --short ${{ github.sha }}) | |
echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV | |
- name: Confirm git commit SHA output | |
run: echo ${{ env.COMMIT_SHORT_SHA }} | |
- name: Setup Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: "3.1" | |
- name: Disable ri and rdoc | |
run: 'echo "gem: --no-document" >> ~/.gemrc' | |
- name: Bundle Install | |
run: bundle install | |
- name: Installed Inspec | |
run: bundle exec inspec version | |
- name: Vendor the InSpec Profile | |
run: bundle exec inspec vendor --overwrite | |
- name: Lint the Inspec profile | |
run: bundle exec inspec check . | |
- name: Run the Profile | |
run: | | |
bundle exec inspec exec . --target aws:// --input-file=${{ env.INPUT_FILE }} --reporter cli json:${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} --enhanced-outcomes --filter-empty-profiles || true | |
- name: Save Test Result JSON | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results | |
path: | | |
./${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} | |
- name: Upload to Heimdall | |
run: | | |
curl -# -s -F data=@${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE}}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_KEY }}" "${{ env.HEIMDALL_URL }}/evaluations" | |
- name: Display our ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} results summary | |
uses: mitre/saf_action@v1 | |
with: | |
command_string: "view summary -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}" | |
- name: Ensure ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} meets our results threshold | |
uses: mitre/saf_action@v1 | |
with: | |
command_string: "validate threshold -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F ${{ env.THRESHOLD_FILE }}" | |