⭐ Use cnspec container image (#40)
*  ⭐ Use container image

Signed-off-by: Christian Zunker <[email protected]>
czunker authored Nov 16, 2022
1 parent 276086b commit 3b6da9c
Showing 30 changed files with 317 additions and 460 deletions.
9 changes: 8 additions & 1 deletion .github/workflows/docker-image.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -35,5 +35,12 @@ jobs:
- name: Scan Docker Image
uses: ./docker-image
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
image: ${{env.APP}}:${{env.VERSION}}
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
- name: Scan Docker Image
uses: ./docker-image
with:
image: ${{env.APP}}:${{env.VERSION}}
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
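Review bot: the second `Scan Docker Image` step (the six added lines at the end of the hunk) is identical to the first one once its `env:` block is added: same name, same `uses: ./docker-image`, same `image: ${{env.APP}}:${{env.VERSION}}` and the same `MONDOO_CONFIG_BASE64`. If it is meant to exercise a different path (a scan without credentials, a different `image`, an `args` value), give it a distinct name and inputs; otherwise drop it, since it doubles the scan time and leaves two steps with the same name in the run log.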
30 changes: 30 additions & 0 deletions .github/workflows/general-action.yaml
@@ -0,0 +1,30 @@
name: General Mondoo action
on:
pull_request:
push:
paths:
- "action.yaml"
- ".github/test_files/**"
branches:
- "main"
tags: ["v*.*.*"]

jobs:
general-action-test:
runs-on: ubuntu-latest
name: Test general Mondoo action
steps:
- uses: actions/checkout@v3

- name: Show status
uses: ./
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
args: status
- name: Show version
uses: ./
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
args: version
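Review bot: the `pull_request` trigger carries no `paths` filter while `push` does, and both steps read `secrets.MONDOO_SERVICE_ACCOUNT`, which is empty on `pull_request` runs coming from forks, so the `Show status` step will fail for every external contributor. Either give `pull_request` the same `paths` list and accept that limitation, or make the `status` step conditional on the secret being present. The `Show version` step most likely needs no credentials at all, so its `env:` block can go, which also keeps the secret out of one more process environment. While touching this file, pinning `actions/checkout@v3` to a commit SHA would match the hardening intent of the commit.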
3 changes: 2 additions & 1 deletion .github/workflows/k8s-manifest.yaml
Expand Up @@ -19,6 +19,7 @@ jobs:

- name: Scan k8s manifest
uses: ./k8s-manifest
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
path: ./.github/test_files/k8s-manifest.yaml
3 changes: 2 additions & 1 deletion .github/workflows/terraform-hcl.yaml
Expand Up @@ -18,6 +18,7 @@ jobs:
- uses: actions/checkout@v3
- name: Scan Terraform HCL
uses: ./terraform-hcl
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
path: ./.github/test_files/tf
4 changes: 2 additions & 2 deletions .github/workflows/terraform-plan.yaml
Expand Up @@ -40,7 +40,7 @@ jobs:
path: .github/test_files/tfplan/plan.json
- name: Scan Terraform Plan
uses: ./terraform-plan
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
path: ".github/test_files/tfplan/plan.json"
args: "--policy-bundle .github/test_files/tfplan/policy/policy.mql.yaml"
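Review bot: this step still relies on `args: "--policy-bundle .github/test_files/tfplan/policy/policy.mql.yaml"`, yet the same commit removes the `args` input from `aws/action.yaml` and `docker-image/action.yaml`. If `terraform-plan/action.yaml` (not shown in this view) received the same treatment, GitHub only prints an "Unexpected input" warning and the policy bundle is silently never loaded, so the test keeps passing without testing the bundle. Please confirm that action still declares `args`, or make this workflow fail when the custom policy is not applied.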
4 changes: 2 additions & 2 deletions .github/workflows/terraform-state.yaml
Expand Up @@ -48,7 +48,7 @@ jobs:
.github/test_files/tfstate/state.json
- name: Scan Terraform State
uses: ./terraform-state
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
path: ".github/test_files/tfstate/state.json"
args: "--policy-bundle .github/test_files/tfstate/policy/policy.mql.yaml"
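Review bot: the `--policy-bundle .github/test_files/tfstate/policy/policy.mql.yaml` flag is passed through the `args` input, an input this commit deletes from the aws and docker-image actions; if `terraform-state/action.yaml` was changed the same way, the flag is dropped with only an "Unexpected input" warning and the state scan runs against the default policies. Please verify that `args` survives in that action before merging.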
12 changes: 7 additions & 5 deletions README.md
Expand Up @@ -9,7 +9,6 @@ A set of GitHub Action for using Mondoo to check for vulnerabilities and misconf
- [Kubernetes](k8s) - Scan Kubernetes Clusters post-deploy for continuous auditing and compliance of the cluster.
- [Kubernetes Manifest](k8s-manifest) - Scan Kubernetes manifests for misconfigurations before applying changes to the cluster.
- [Policy](policy) - Publish Mondoo policies to Mondoo Platform using GitHub Actions.
- [Setup](setup) - Install and configure Mondoo into any existing GitHub Action workflow.
- [Terraform HCL](terraform-hcl) - Scan HashiCorp Terraform HCL code for security misconfigurations.
- [Terraform Plan](terraform-plan) - Scan HashiCorp Terraform Plan for security misconfigurations.
- [Terraform State](terraform-state) - Scan HashiCorp Terraform State output for security misconfigurations.
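Review bot: the `[Setup](setup)` entry is removed from the action list without any migration hint. If the `setup` action directory goes away in this commit, existing users of `mondoohq/actions/setup@main` will break on their next run and the README should point them at the replacement (the root `action.yaml` with `MONDOO_CONFIG_BASE64`, judging by the rest of this change); if the directory stays, the list entry should stay as well.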
Expand Down Expand Up @@ -53,9 +52,10 @@ jobs:
steps:
- uses: actions/checkout@v3
- uses: mondoohq/actions/k8s-manifest@main
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
path: k8s/*.yaml
path: k8s/manifest.yaml
```
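Review bot: `path: k8s/*.yaml` turns into `path: k8s/manifest.yaml`, which suggests the glob no longer works now that the scan runs inside the `docker://mondoo/cnspec:7` container, where `args` reach the entrypoint without a shell to expand them. If that is the reason, document it next to the `path` input, otherwise users upgrading from `@main` get a scan of a literal `*.yaml` file that does not exist; if cnspec expands patterns itself, the original glob was the more useful example and should be kept.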
Simple scan of Terraform files:
Expand All @@ -71,8 +71,9 @@ jobs:
- uses: actions/checkout@v3

- uses: mondoohq/actions/terraform-hcl@main
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
path: terraform
```
Expand Down Expand Up @@ -115,8 +116,9 @@ jobs:
secrets: GIT_AUTH_TOKEN=${{ secrets.GIT_AUTH_TOKEN }}
- name: Scan Docker Image with Mondoo
uses: mondoohq/actions/docker-image@main
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
image: ghcr.io/${{github.repository_owner}}/${{env.APP}}:latest
- name: Build and push
uses: docker/build-push-action@v3
26 changes: 4 additions & 22 deletions action.yaml
Expand Up @@ -6,34 +6,16 @@ branding:
inputs:
args:
description: >-
Additional arguments to pass to Mondoo Client.
Additional arguments to pass to cnspec client.
required: false
log-level:
description: >-
Sets the log level: error, warn, info, debug, trace (default "info")
default: info
required: false
output:
description: >-
Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact")
default: compact
required: false
service-account-credentials:
description: "Base64 encoded service account credentials used to authenticate with Mondoo Platform"
required: true
runs:
using: "composite"
steps:
- name: Install Mondoo Client
run: |
echo Installing Mondoo Client...
echo ${{ inputs.service-account-credentials }} | base64 -d > mondoo.json
curl -sSL https://mondoo.com/install.sh | bash
shell: bash
- name: Run Mondoo
shell: bash
run: >
mondoo ${{ inputs.args }}
--output ${{ inputs.output }}
--log-level ${{ inputs.log-level }}
--config mondoo.json
- uses: "docker://mondoo/cnspec:7"
with:
args: ${{ inputs.args }} --log-level "${{ inputs.log-level }}"
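Review bot: two points on the new `- uses: "docker://mondoo/cnspec:7"` step. First, `mondoo/cnspec:7` is a floating major tag, so every run pulls whatever is currently tagged `7`; pinning to a digest (`mondoo/cnspec@sha256:<digest>`, taken from the registry) and bumping it deliberately gives reproducible scans and limits the blast radius of a compromised or regressed tag for an image that runs with the repository's secrets. Second, the `output` input and the `--output ${{ inputs.output }}` flag are removed while `args` stays; callers that still pass `with: output:` only get an "Unexpected input" warning, so this silent change deserves a line in the README. Dropping `echo ${{ inputs.service-account-credentials }} | base64 -d > mondoo.json` is a clear improvement: it removes both the decoded credential file on the runner's disk and an expression interpolated straight into a `bash` script.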
21 changes: 13 additions & 8 deletions aws/README.md
Expand Up @@ -6,13 +6,17 @@ A GitHub Action for using Mondoo to check for misconfigurations in your AWS acco

The Mondoo AWS Action has properties which are passed to the underlying image. These are passed to the action using `with`.

| Property | Required | Default | Description |
| ----------------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `args` | false | | Additional arguments to pass to Mondoo Client. |
| `log-level` | false | info | Sets the log level: error, warn, info, debug, trace (default "info") |
| `output` | false | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact") |
| `score-threshold` | false | 0 | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan). |
| `service-account-credentials` | true | | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform |
| Property | Required | Default | Description |
| ----------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `log-level` | false | info | Sets the log level: error, warn, info, debug, trace (default "info") |
| `output` | false | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact") |
| `score-threshold` | false | 0 | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan). |

Additionally, you need to specify the service account credentials as an environment variable.

| Environment | Required | Default | Description |
| ---------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `MONDOO_CONFIG_BASE64` | true | | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform |

## Scan AWS account example

Expand All @@ -36,8 +40,9 @@ jobs:
role-session-name: MySessionName

- uses: mondoohq/actions/aws@main
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
output: compact
score-threshold: 0
```
34 changes: 11 additions & 23 deletions aws/action.yaml
Expand Up @@ -5,10 +5,6 @@ branding:
icon: "shield"
color: "purple"
inputs:
args:
description: >-
Additional arguments to pass to Mondoo Client.
required: false
log-level:
description: >-
Sets the log level: error, warn, info, debug, trace (default "info")
Expand All @@ -24,23 +20,15 @@ inputs:
Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan).
default: "0"
required: false
service-account-credentials:
description: "Base64 encoded service account credentials used to authenticate with Mondoo Platform"
required: true
runs:
using: "composite"
steps:
- run: |
echo Installing Mondoo Client...
echo ${{ inputs.service-account-credentials }} | base64 -d > mondoo.json
curl -sSL https://mondoo.com/install.sh | bash
shell: bash
- name: Scan AWS account
shell: bash
run: >
mondoo scan aws
--output ${{ inputs.output }}
--score-threshold ${{ inputs.score-threshold }}
--log-level ${{ inputs.log-level }}
${{ inputs.args }}
--config mondoo.json
using: "docker"
image: "docker://mondoo/cnspec:7"
args:
- scan
- aws
- --output
- ${{ inputs.output }}
- --score-threshold
- ${{ inputs.score-threshold }}
- --log-level
- ${{ inputs.log-level }}
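Review bot: removing the `args` input together with the `${{ inputs.args }}` line leaves users no way to pass extra flags such as `--policy-bundle`, which this repository's own terraform workflows depend on; for anyone consuming `mondoohq/actions/aws@main` this is a breaking change with no warning beyond "Unexpected input". If the input is kept, note that the `docker` runner hands each `args` list item to the entrypoint as a single argument, so a value with several flags arrives as one string unless the entrypoint splits it. Separately, `image: "docker://mondoo/cnspec:7"` is unpinned; a digest pin is the safer default for a scanner that receives `MONDOO_CONFIG_BASE64`.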
23 changes: 14 additions & 9 deletions docker-image/README.md
Expand Up @@ -6,14 +6,18 @@ A GitHub Action for using Mondoo to check for vulnerabilities and misconfigurati

The Mondoo Docker Image Action has properties which are passed to the underlying image. These are passed to the action using `with`.

| Property | Required | Default | Description |
| ----------------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `args` | false | | Additional arguments to pass to Mondoo Client. |
| `image` | true | | Docker image ID or `name:tag` to scan. |
| `log-level` | false | info | Sets the log level: error, warn, info, debug, trace (default "info") |
| `output` | false | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact") |
| `score-threshold` | false | 0 | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan). |
| `service-account-credentials` | true | | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform |
| Property | Required | Default | Description |
| ----------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `image` | true | | Docker image ID or `name:tag` to scan. |
| `log-level` | false | info | Sets the log level: error, warn, info, debug, trace (default "info") |
| `output` | false | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact") |
| `score-threshold` | false | 0 | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan). |

Additionally, you need to specify the service account credentials as an environment variable.

| Environment | Required | Default | Description |
| ---------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `MONDOO_CONFIG_BASE64` | true | | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform |

You can use the Action as follows:

Expand Down Expand Up @@ -58,8 +62,9 @@ jobs:
secrets: GIT_AUTH_TOKEN=${{ secrets.GIT_AUTH_TOKEN }}
- name: Scan Docker Image
uses: mondoohq/actions/docker-image@main
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
image: ghcr.io/${{github.repository_owner}}/${{env.APP}}:latest
- name: Build and push
uses: docker/build-push-action@v3
39 changes: 13 additions & 26 deletions docker-image/action.yaml
Expand Up @@ -4,9 +4,6 @@ branding:
icon: "shield"
color: "purple"
inputs:
args:
description: "Additional arguments to pass to Mondoo Client"
required: false
image:
description: Docker image ID or name:tag to scan.
required: true
Expand All @@ -25,27 +22,17 @@ inputs:
Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan).
default: "0"
required: false
service-account-credentials:
description: "Base64 encoded service account credentials used to authenticate with Mondoo Platform"
required: true
runs:
using: "composite"
steps:
- name: Install Mondoo Client
shell: bash
run: |
echo Installing Mondoo Client...
echo ${{ inputs.service-account-credentials }} | base64 -d > mondoo.json
curl -sSL https://mondoo.com/install.sh | bash
- name: Mondoo status
shell: bash
run: mondoo status --config mondoo.json
- name: Run mondoo scan docker image
shell: bash
run: >
mondoo scan docker image ${{ inputs.image }}
--output ${{ inputs.output }}
--score-threshold ${{ inputs.score-threshold }}
--log-level ${{ inputs.log-level }}
${{ inputs.args }}
--config mondoo.json
using: "docker"
image: "docker://mondoo/cnspec:7"
args:
- scan
- docker
- image
- ${{ inputs.image }}
- --output
- ${{ inputs.output }}
- --score-threshold
- ${{ inputs.score-threshold }}
- --log-level
- ${{ inputs.log-level }}
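Review bot: the pre-scan `mondoo status --config mondoo.json` step is dropped without a replacement, so a missing or invalid `MONDOO_CONFIG_BASE64` now only shows up as a failure of `cnspec scan docker image`, interleaved with scan output; acceptable for a single-container action, but the README should tell users where authentication errors appear. The `args` input and `${{ inputs.args }}` are removed here as well, which breaks `@main` consumers that pass extra flags, and `image: "docker://mondoo/cnspec:7"` should be pinned to a digest rather than a floating tag.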