Skip to content

updated actions to run on master, added example action for update maj… #58

updated actions to run on master, added example action for update maj…

updated actions to run on master, added example action for update maj… #58

---
name: CIS AWS Foundations v2.0.0 - Other
on:
push:
branches:
- master
- main
pull_request:
jobs:
my-job:
name: Validate the CIS AWS Benchmark v2.0
runs-on: ubuntu-latest
env:
CHEF_LICENSE: accept-silent
CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
RESULTS_FILE: other_inspec_results.json
PROFILE_FILE: profile.json
INPUT_FILE: other.inputs.yml
THRESHOLD_FILE: other.threshold.yml
AWS_REGION: ${{ secrets.OTHER_AWS_REGION }}
HEIMDALL_URL: https://heimdall-demo.mitre.org
steps:
- name: add needed packages
run: sudo apt-get install -y jq curl
- name: Configure AWS credentials
env:
AWS_REGION: ${{ secrets.OTHER_AWS_REGION }}
#AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }}
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.OTHER_AWS_ACCESS_KEY }}
aws-secret-access-key: ${{ secrets.OTHER_AWS_SECRET }}
aws-region: ${{ secrets.OTHER_AWS_REGION }}
audience: https://sts.${{ secrets.OTHER_AWS_REGION }}.amazonaws.com
- name: Check out repository
uses: actions/checkout@v3
- name: Clone full repository so we can push
run: git fetch --prune --unshallow
- name: Set short git commit SHA
id: vars
run: |
calculatedSha=$(git rev-parse --short ${{ github.sha }})
echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
- name: Confirm git commit SHA output
run: echo ${{ env.COMMIT_SHORT_SHA }}
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: "3.1"
- name: Disable ri and rdoc
run: 'echo "gem: --no-document" >> ~/.gemrc'
- name: Bundle Install
run: bundle install
- name: Installed Inspec
run: bundle exec inspec version
- name: Vendor the InSpec Profile
run: bundle exec inspec vendor --overwrite
- name: Lint the Inspec profile
run: bundle exec inspec check .
- name: Run the Profile
run: |
bundle exec inspec exec . --target aws:// --input-file=${{ env.INPUT_FILE }} --reporter cli json:${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} --enhanced-outcomes --filter-empty-profiles || true
- name: Save Test Result JSON
uses: actions/upload-artifact@v3
with:
name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
path: |
./${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}
- name: Upload to Heimdall
run: |
curl -# -s -F data=@${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE}}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_KEY }}" "${{ env.HEIMDALL_URL }}/evaluations"
- name: Display our ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} results summary
uses: mitre/saf_action@v1
with:
command_string: "view summary -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}"
- name: Ensure ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} meets our results threshold
uses: mitre/saf_action@v1
with:
command_string: "validate threshold -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F ${{ env.THRESHOLD_FILE }}"