diff --git a/.github/workflows/ensure-docs-compiled.yaml b/.github/workflows/ensure-docs-compiled.yaml
new file mode 100644
index 0000000..1dc8139
--- /dev/null
+++ b/.github/workflows/ensure-docs-compiled.yaml
@@ -0,0 +1,24 @@
+name: Ensure Docs are Compiled
+on:
+ push:
+jobs:
+ ensure-docs-compiled:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout 🛎
+ uses: actions/checkout@v2
+ - uses: actions/setup-go@v4
+ with:
+ go-version: '1.21.x'
+ - shell: bash
+ run: make build-docs
+ - shell: bash
+ run: |
+ if [[ -z "$(git status -s)" ]]; then
+ echo "OK"
+ else
+ echo "Docs have been updated, but the compiled docs have not been committed."
+ echo "Run 'make build-docs', and commit the result to resolve this error."
+ exit 1
+ fi
+
diff --git a/.github/workflows/notify-integration-release-via-manual.yaml b/.github/workflows/notify-integration-release-via-manual.yaml
new file mode 100644
index 0000000..5f30a5d
--- /dev/null
+++ b/.github/workflows/notify-integration-release-via-manual.yaml
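Review bot: `actions/checkout@v2` and `actions/setup-go@v4` are floating tags, while the two release workflows added in the same commit pin the identical actions to commit SHAs; pin these as well, `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2` and `uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0`, because a mutable tag lets a compromised or retagged upstream run arbitrary code in this job. `checkout@v2` is also the deprecated Node 12 line of that action. The job only reads the repository and never pushes, so add a top-level `permissions: contents: read` to drop the default token scope granted to every step.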
@@ -0,0 +1,50 @@
+# Manual release workflow is used for deploying documentation updates
+# on the specified branch without making an official plugin release.
+name: Notify Integration Release (Manual)
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: "The release version (semver)"
+ default: 1.0.0
+ required: false
+ branch:
+ description: "A branch or SHA"
+ default: 'main'
+ required: false
+jobs:
+ notify-release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout this repo
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ with:
+ ref: ${{ github.event.inputs.branch }}
+ # Ensure that Docs are Compiled
+ - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+ - shell: bash
+ run: make generate
+ - shell: bash
+ run: |
+ if [[ -z "$(git status -s)" ]]; then
+ echo "OK"
+ else
+ echo "Docs have been updated, but the compiled docs have not been committed."
+ echo "Run 'make generate', and commit the result to resolve this error."
+ exit 1
+ fi
+ # Perform the Release
+ - name: Checkout integration-release-action
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ with:
+ repository: hashicorp/integration-release-action
+ path: ./integration-release-action
+ - name: Notify Release
+ uses: ./integration-release-action
+ with:
+ # The integration identifier will be used by the Packer team to register the integration
+ # the expected format is packer//
+ integration_identifier: "packer/mondoohq/cnspec"
+ release_version: ${{ github.event.inputs.version }}
+ release_sha: ${{ github.event.inputs.branch }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/notify-integration-release-via-tag.yaml b/.github/workflows/notify-integration-release-via-tag.yaml
new file mode 100644
index 0000000..c71ab00
--- /dev/null
+++ b/.github/workflows/notify-integration-release-via-tag.yaml
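Review bot: The `Checkout integration-release-action` step clones `hashicorp/integration-release-action` with no `ref:`, so whatever is on that repository's default branch at run time is executed as a local action with this repository's `GITHUB_TOKEN`; add `ref: <reviewed tag or SHA>` to that checkout, matching the SHA-pinned `actions/checkout` used for this repo two steps earlier. There is no `permissions:` block, so the token carries the repository's default scope; declare the minimum the action needs (start from `permissions: contents: read` and widen only if the action fails). `release_sha` receives the `branch` input, which is described as "A branch or SHA"; if the action really expects a commit SHA, resolve the checked-out ref in a step with an `id` (e.g. `echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"`) and pass that output instead of the raw input. The `version` input is optional with `default: 1.0.0`, so a run triggered without filling it in notifies a `1.0.0` release; `required: true` with no default avoids that.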
@@ -0,0 +1,54 @@
+name: Notify Integration Release (Tag)
+on:
+ push:
+ tags:
+ - '*.*.*' # Proper releases
+jobs:
+ strip-version:
+ runs-on: ubuntu-latest
+ outputs:
+ packer-version: ${{ steps.strip.outputs.packer-version }}
+ steps:
+ - name: Strip leading v from version tag
+ id: strip
+ env:
+ REF: ${{ github.ref_name }}
+ run: |
+ echo "packer-version=$(echo "$REF" | sed -E 's/v?([0-9]+\.[0-9]+\.[0-9]+)/\1/')" >> "$GITHUB_OUTPUT"
+ notify-release:
+ needs:
+ - strip-version
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout this repo
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ with:
+ ref: ${{ github.ref }}
+ # Ensure that Docs are Compiled
+ - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+ - shell: bash
+ run: make generate
+ - shell: bash
+ run: |
+ if [[ -z "$(git status -s)" ]]; then
+ echo "OK"
+ else
+ echo "Docs have been updated, but the compiled docs have not been committed."
+ echo "Run 'make generate', and commit the result to resolve this error."
+ exit 1
+ fi
+ # Perform the Release
+ - name: Checkout integration-release-action
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ with:
+ repository: hashicorp/integration-release-action
+ path: ./integration-release-action
+ - name: Notify Release
+ uses: ./integration-release-action
+ with:
+ # The integration identifier will be used by the Packer team to register the integration
+ # the expected format is packer//
+ integration_identifier: "packer/mondoohq/cnspec"
+ release_version: ${{ needs.strip-version.outputs.packer-version }}
+ release_sha: ${{ github.ref }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.web-docs/README.md b/.web-docs/README.md
new file mode 100644
index 0000000..26adb97
--- /dev/null
+++ b/.web-docs/README.md
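Review bot: `release_sha: ${{ github.ref }}` passes the string `refs/tags/<tag>`, not a commit; if the action expects a SHA as its input name suggests, `release_sha: ${{ github.sha }}` is the tagged commit on a tag push. The `Checkout integration-release-action` step has no `ref:`, so the default branch of `hashicorp/integration-release-action` is executed as a local action with this repo's `GITHUB_TOKEN` on every release; pin it with `ref:` to a reviewed tag or SHA, and add a `permissions:` block (start with `contents: read`) so the token is not the default scope. The `'*.*.*'` trigger glob matches any tag containing two dots, and the `sed` in `strip-version` only rewrites a semver-shaped substring and otherwise passes the tag through unchanged, so a tag such as `release.candidate.1` would be forwarded verbatim as the version; a guard in that step, `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]] || exit 1` on the stripped value, fails the job instead of notifying a bogus release.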
@@ -0,0 +1,45 @@ +Packer plugin [cnspec](https://github.com/mondoohq/cnspec) by [Mondoo](https://mondoo.com) scans Linux and Windows [HashiCorp Packer](https://www.packer.io) builds for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using [cnspec-policies](https://github.com/mondoohq/cnspec-policies) to uncover common misconfigurations that open your hosts to the risk of attack. cnspec supports scanning of Linux, Windows, and macOS, as well as Docker containers. + +Packer plugin cnspec is designed to work in one of two modes: + +- **Unregistered** - In unregistered mode, the plugin works without being registered to Mondoo Platform, and is designed to provide baseline security scanning with minimal configuration. The plugin runs either the [Linux Security by Mondoo](https://github.com/mondoohq/cnspec-policies/blob/main/core/mondoo-linux-security.mql.yaml) policy on Linux builds, or the [Windows Security by Mondoo](https://github.com/mondoohq/cnspec-policies/blob/main/core/mondoo-windows-security.mql.yaml) policy on Windows builds. Each of these policies provides security hardening checks based off of industry standards for Linux and Windows. Scan results are shown in STDOUT during the Packer run. +- **Registered** - In registered mode, the plugin is registered to your account in Mondoo Platform using a service account. Registered mode allows you to configure and customize any of the policies in Mondoo Platform including CIS benchmarks and more. Scan results are shown in STDOUT and sent back to Mondoo Platform for your records. + +### Installation + +To install this plugin, copy and paste this code into your Packer configuration, then run [`packer init`](https://www.packer.io/docs/commands/init). 
+ +```hcl +packer { + required_plugins { + cnspec = { + version = ">= 9.0.0" + source = "github.com/mondoohq/cnspec" + } + } +} +``` + +Alternatively, you can use `packer plugins install` to manage installation of this plugin. + +```sh +$ packer plugins install github.com/mondoohq/cnspec +``` + +### Components + +#### Provisioners + +- [cnspec](/packer/integrations/mondoohq/cnspec/latest/components/provisioner/cnspec) - Packer plugin [cnspec](https://github.com/mondoohq/cnspec) by [Mondoo](https://mondoo.com) scans +Linux and Windows machine images for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using [cnspec-policies](https://github.com/mondoohq/cnspec-policies) to uncover common misconfigurations that open your hosts to the risk of attack. +- [mondoo](/packer/integrations/mondoohq/cnspec/latest/components/provisioner/mondoo) - The `mondoo` provisioner scans [Packer](https://www.packer.io) builds for vulnerabilities and misconfigurations by executing security +policies-as-code enabled in [Mondoo Platform](https://console.mondoo.com). Mondoo Platform comes stocked with an ever-increasing collection of +certified security policies which can be easily customize to meet your needs. + +### Tutorials + +Check out the Packer tutorials on the Mondoo documentation site: + +- [Building secure AMIs with Mondoo and Packer](https://mondoo.com/docs/cnspec/cnspec-aws/cnspec-aws-packer/) +- [Building secure VM images in Google Cloud with cnspec and HashiCorp Packer](https://mondoo.com/docs/cnspec/cnspec-gcp/cnspec-gcp-packer/) + diff --git a/.web-docs/components/provisioner/cnspec/README.md b/.web-docs/components/provisioner/cnspec/README.md new file mode 100644 index 0000000..4bddbf1 --- /dev/null +++ b/.web-docs/components/provisioner/cnspec/README.md 
@@ -0,0 +1,110 @@ +Type: `cnspec` + +Packer plugin [cnspec](https://github.com/mondoohq/cnspec) by [Mondoo](https://mondoo.com) scans Linux and Windows machine images for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using [cnspec-policies](https://github.com/mondoohq/cnspec-policies) to uncover common misconfigurations that open your hosts to the risk of attack. + +## Basic Example +```hcl +provisioner "cnspec" { + on_failure = "continue" + score_threshold = 85 + sudo { + active = true + } +} +``` + +## Configuration Reference + +Optional Parameters: + + +- `host_alias` (string) - The alias by which the host should be known. + Defaults to `default`. + +- `user` (string) - The `user` set for your communicator. Defaults to the `user` set + by packer. + +- `local_port` (uint) - The port on which to attempt to listen for SSH + connections. This value is a starting point. The provisioner will attempt + listen for SSH connections on the first available of ten ports, starting at + `local_port`. A system-chosen port is used when `local_port` is missing or + empty. + +- `ssh_host_key_file` (string) - The SSH key that will be used to run the SSH + server on the host machine to forward commands to the target machine. + packer connects to this server and will validate the identity of the + server using the system known_hosts. The default behavior is to generate + and use a onetime key. + +- `ssh_authorized_key_file` (string) - The SSH public key of the packer `ssh_user`. + The default behavior is to generate and use a onetime key. + +- `use_sftp` (bool) - packer's SFTP proxy is not reliable on some unix/linux systems, + therefore we recommend to use scp as default for packer proxy + +- `debug` (bool) - Sets the log level to `DEBUG` + +- `asset_name` (string) - The asset name passed to Mondoo Platform. 
Defaults to the hostname + of the instance. + +- `on_failure` (string) - Configure behavior whether packer should fail if `scan_threshold` is + not met. If `scan_threshold` configuration is omitted, the threshold + is set to `0` and builds will pass regardless of what score is + returned. + If `score_threshold` is set to a value, and `on_failure = "continue"` + builds will continue regardless of what score is returned. + +- `labels` (map[string]string) - Configure an optional map of labels for the asset data in Mondoo Platform. + +- `annotations` (map[string]string) - Configure an optional map of `key/val` annotations for the asset data in + Mondoo Platform. + +- `incognito` (bool) - Configures incognito mode. Defaults to `true`. When set to false, scan results + will not be sent to Mondoo Platform. + +- `policies` ([]string) - A list of policies to be executed (requires incognito mode). + +- `policybundle` (string) - A path to local policy bundle file. + +- `sudo` (\*SudoConfig) - Run mondoo scan with `--sudo`. Defaults to none. + +- `winrm_user` (string) - Configure WinRM user. Defaults to `user` set by the packer communicator. + +- `winrm_password` (string) - Configure WinRM user password. Defaults to `password` set by the packer communicator. + +- `use_proxy` (bool) - Use proxy to connect to host to scan. This configuration will fall-back to packer proxy + for cases where the provisioner cannot access the target directly + NOTE: we have seen cases with the vsphere builder + +- `output` (string) - Set output format: summary, full, yaml, json, csv, compact, report, junit (default "compact") + +- `score_threshold` (int) - An integer value to set the `score_threshold` of mondoo scans. Defaults to `0` which results in + a passing score regardless of what scan results are returned. + +- `mondoo_config_path` (string) - The path to the Mondoo client config. 
Defaults to `$HOME/.config/mondoo/mondoo.yml` + + + + +### SudoConfig + + +- `active` (bool) - Active + + + + +## Get Started with cnspec + +If you are new to cnspec, check out [Get started with cnspec](https://mondoo.com/docs/cnspec/). + +## Packer plugin cnspec tutorial + +Check out the Packer tutorials on the Mondoo documentation site: + +- [Building secure AMIs with Mondoo and Packer](https://mondoo.com/docs/cnspec/cnspec-aws/cnspec-aws-packer/) +- [Building secure VM images in Google Cloud with cnspec and HashiCorp Packer](https://mondoo.com/docs/cnspec/cnspec-gcp/cnspec-gcp-packer/) + +## Sample Packer Templates + +You can find example Packer templates in the [examples](https://github.com/mondoohq/packer-plugin-cnspec/tree/main/examples) directory in this repository. diff --git a/.web-docs/components/provisioner/mondoo/README.md b/.web-docs/components/provisioner/mondoo/README.md new file mode 100644 index 0000000..ca231d8 --- /dev/null +++ b/.web-docs/components/provisioner/mondoo/README.md 
@@ -0,0 +1,122 @@ +Type: `mondoo` + +>This plugin has been deprecated. Migrate to [Packer plugin cnspec by Mondoo](https://developer.hashicorp.com/packer/plugins/provisioner/mondoo/cnspec) for even easier security scanning of your Packer builds. + +The `mondoo` provisioner scans [Packer](https://www.packer.io) builds for vulnerabilities and misconfigurations by executing security +policies-as-code enabled in [Mondoo Platform](https://console.mondoo.com). Mondoo Platform comes stocked with an ever-increasing collection of +certified security policies which can be easily customize to meet your needs. + +Mondoo supports scanning of Linux, Windows, and macOS, as well as Docker containers. + +## Basic Example +```hcl + provisioner "mondoo" { + on_failure = "continue" + mondoo_config_path = "/etc/mondoo-config.json" + score_threshold = 85 + asset_name = "example-secure-base-image" + sudo { + active = true + } + + annotations = { + Source_AMI = "{{ .SourceAMI }}" + Creation_Date = "{{ .SourceAMICreationDate }}" + } + } +} +``` + +## Configuration Reference + +Optional Parameters: + + +- `host_alias` (string) - The alias by which the host should be known. + Defaults to `default`. + +- `user` (string) - The `user` set for your communicator. Defaults to the `user` set + by packer. + +- `local_port` (uint) - The port on which to attempt to listen for SSH + connections. This value is a starting point. The provisioner will attempt + listen for SSH connections on the first available of ten ports, starting at + `local_port`. A system-chosen port is used when `local_port` is missing or + empty. + +- `ssh_host_key_file` (string) - The SSH key that will be used to run the SSH + server on the host machine to forward commands to the target machine. + packer connects to this server and will validate the identity of the + server using the system known_hosts. The default behavior is to generate + and use a onetime key. 
+ +- `ssh_authorized_key_file` (string) - The SSH public key of the packer `ssh_user`. + The default behavior is to generate and use a onetime key. + +- `use_sftp` (bool) - packer's SFTP proxy is not reliable on some unix/linux systems, + therefore we recommend to use scp as default for packer proxy + +- `debug` (bool) - Sets the log level to `DEBUG` + +- `asset_name` (string) - The asset name passed to Mondoo Platform. Defaults to the hostname + of the instance. + +- `on_failure` (string) - Configure behavior whether packer should fail if `scan_threshold` is + not met. If `scan_threshold` configuration is omitted, the threshold + is set to `0` and builds will pass regardless of what score is + returned. + If `score_threshold` is set to a value, and `on_failure = "continue"` + builds will continue regardless of what score is returned. + +- `labels` (map[string]string) - Configure an optional map of labels for the asset data in Mondoo Platform. + +- `annotations` (map[string]string) - Configure an optional map of `key/val` annotations for the asset data in + Mondoo Platform. + +- `incognito` (bool) - Configures incognito mode. Defaults to `true`. When set to false, scan results + will not be sent to Mondoo Platform. + +- `policies` ([]string) - A list of policies to be executed (requires incognito mode). + +- `policybundle` (string) - A path to local policy bundle file. + +- `sudo` (\*SudoConfig) - Run mondoo scan with `--sudo`. Defaults to none. + +- `winrm_user` (string) - Configure WinRM user. Defaults to `user` set by the packer communicator. + +- `winrm_password` (string) - Configure WinRM user password. Defaults to `password` set by the packer communicator. + +- `use_proxy` (bool) - Use proxy to connect to host to scan. 
This configuration will fall-back to packer proxy + for cases where the provisioner cannot access the target directly + NOTE: we have seen cases with the vsphere builder + +- `output` (string) - Set output format: summary, full, yaml, json, csv, compact, report, junit (default "compact") + +- `score_threshold` (int) - An integer value to set the `score_threshold` of mondoo scans. Defaults to `0` which results in + a passing score regardless of what scan results are returned. + +- `mondoo_config_path` (string) - The path to the mondoo client config. Defaults to `$HOME/.config/mondoo/mondoo.yml` + + + + +### SudoConfig + + +- `active` (bool) - Active + + + + +## Get Started with Mondoo + +If you are new to Mondoo you can get started by [signing up for a free account](https://mondoo.com/docs/tutorials/mondoo/account-setup/) today! + +Check out the Packer tutorials on the Mondoo documentation site: + +- [Building secure AMIs with Mondoo and Packer](https://mondoo.com/docs/cnspec/cnspec-aws/cnspec-aws-packer/) +- [Building secure VM images in Google Cloud with cnspec and HashiCorp Packer](https://mondoo.com/docs/cnspec/cnspec-gcp/cnspec-gcp-packer/) + +## Sample Packer Templates + +You can find example Packer templates in the [examples](https://github.com/mondoohq/packer-plugin-cnspec/tree/main/examples) directory in this repository. diff --git a/.web-docs/metadata.hcl b/.web-docs/metadata.hcl new file mode 100644 index 0000000..d8690dd --- /dev/null +++ b/.web-docs/metadata.hcl 
@@ -0,0 +1,17 @@
+# For full specification on the configuration of this file visit:
+# https://github.com/hashicorp/integration-template#metadata-configuration
+integration {
+ name = "Mondoo"
+ description = "Scans Linux and Windows HashiCorp Packer builds for vulnerabilities and security misconfigurations."
+ identifier = "packer/mondoohq/cnspec"
+ component {
+ type = "provisioner"
+ name = "Mondoo"
+ slug = "mondoo"
+ }
+ component {
+ type = "provisioner"
+ name = "cnspec"
+ slug = "cnspec"
+ }
+}
diff --git a/.web-docs/scripts/compile-to-webdocs.sh b/.web-docs/scripts/compile-to-webdocs.sh
new file mode 100755
index 0000000..51a7238
--- /dev/null
+++ b/.web-docs/scripts/compile-to-webdocs.sh
@@ -0,0 +1,129 @@ +#!/usr/bin/env bash + +# Converts the folder name that the component documentation file +# is stored in into the integration slug of the component. +componentTypeFromFolderName() { + if [[ "$1" = "builders" ]]; then + echo "builder" + elif [[ "$1" = "provisioners" ]]; then + echo "provisioner" + elif [[ "$1" = "post-processors" ]]; then + echo "post-processor" + elif [[ "$1" = "datasources" ]]; then + echo "data-source" + else + echo "" + fi +} + +# $1: The content to adjust links +# $2: The organization of the integration +rewriteLinks() { + local result="$1" + local organization="$2" + + urlSegment="([^/]+)" + urlAnchor="(#[^/]+)" + + # Rewrite Component Index Page links to the Integration root page. + # + # (\1) (\2) (\3) + # /packer/plugins/datasources/amazon#anchor-tag--> + # /packer/integrations/hashicorp/amazon#anchor-tag + local find="\(\/packer\/plugins\/$urlSegment\/$urlSegment$urlAnchor?\)" + local replace="\(\/packer\/integrations\/$organization\/\2\3\)" + result="$(echo "$result" | sed -E "s/$find/$replace/g")" + + + # Rewrite Component links to the Integration component page + # + # (\1) (\2) (\3) (\4) + # /packer/plugins/datasources/amazon/parameterstore#anchor-tag --> + # /packer/integrations/{organization}/amazon/latest/components/datasources/parameterstore + local find="\(\/packer\/plugins\/$urlSegment\/$urlSegment\/$urlSegment$urlAnchor?\)" + local replace="\(\/packer\/integrations\/$organization\/\2\/latest\/components\/\1\/\3\4\)" + result="$(echo "$result" | sed -E "s/$find/$replace/g")" + + # Rewrite the Component URL segment from the Packer Plugin format + # to the Integrations format + result="$(echo "$result" \ + | sed "s/\/datasources\//\/data-source\//g" \ + | sed "s/\/builders\//\/builder\//g" \ + | sed "s/\/post-processors\//\/post-processor\//g" \ + | sed "s/\/provisioners\//\/provisioner\//g" \ + )" + + echo "$result" +} + +# $1: Docs Dir +# $2: Web Docs Dir +# $3: Component File +# $4: The org of the integration 
+processComponentFile() { + local docsDir="$1" + local webDocsDir="$2" + local componentFile="$3" + + local escapedDocsDir="$(echo "$docsDir" | sed 's/\//\\\//g' | sed 's/\./\\\./g')" + local componentTypeAndSlug="$(echo "$componentFile" | sed "s/$escapedDocsDir\///g" | sed 's/\.mdx//g')" + + # Parse out the Component Slug & Component Type + local componentSlug="$(echo "$componentTypeAndSlug" | cut -d'/' -f 2)" + local componentType="$(componentTypeFromFolderName "$(echo "$componentTypeAndSlug" | cut -d'/' -f 1)")" + if [[ "$componentType" = "" ]]; then + echo "Failed to process '$componentFile', unexpected folder name." + echo "Documentation for components must be stored in one of:" + echo "builders, provisioners, post-processors, datasources" + exit 1 + fi + + + # Calculate the location of where this file will ultimately go + local webDocsFolder="$webDocsDir/components/$componentType/$componentSlug" + mkdir -p "$webDocsFolder" + local webDocsFile="$webDocsFolder/README.md" + local webDocsFileTmp="$webDocsFolder/README.md.tmp" + + # Copy over the file to its webDocsFile location + cp "$componentFile" "$webDocsFile" + + # Remove the Header + local lastMetadataLine="$(grep -n -m 2 '^\-\-\-' "$componentFile" | tail -n1 | cut -d':' -f1)" + cat "$webDocsFile" | tail -n +"$(($lastMetadataLine+2))" > "$webDocsFileTmp" + mv "$webDocsFileTmp" "$webDocsFile" + + # Remove the top H1, as this will be added automatically on the web + cat "$webDocsFile" | tail -n +3 > "$webDocsFileTmp" + mv "$webDocsFileTmp" "$webDocsFile" + + # Rewrite Links + rewriteLinks "$(cat "$webDocsFile")" "$4" > "$webDocsFileTmp" + mv "$webDocsFileTmp" "$webDocsFile" +} + +# Compiles the Packer SDC compiled docs folder down +# to a integrations-compliant folder (web docs) +# +# $1: The directory of the plugin +# $2: The directory of the SDC compiled docs files +# $3: The output directory to place the web-docs files +# $4: The org of the integration +compileWebDocs() { + local docsDir="$1/$2" + local 
webDocsDir="$1/$3" + + echo "Compiling MDX docs in '$2' to Markdown in '$3'..." + # Create the web-docs directory if it hasn't already been created + mkdir -p "$webDocsDir" + + # Copy the README over + cp "$docsDir/README.md" "$webDocsDir/README.md" + + # Process all MDX component files (exclude index files, which are unsupported) + for file in $(find "$docsDir" | grep "$docsDir/.*/.*\.mdx" | grep --invert-match "index.mdx"); do + processComponentFile "$docsDir" "$webDocsDir" "$file" "$4" + done +} + +compileWebDocs "$1" "$2" "$3" "$4" diff --git a/Makefile b/Makefile index b301d6e..5535bc0 100644 --- a/Makefile +++ b/Makefile @@ -49,7 +49,7 @@ dev/macos: build @mkdir -p ~/.packer.d/plugins/github.com/mondoohq/cnspec/ @mv ${BINARY} ~/.packer.d/plugins/github.com/mondoohq/cnspec/${BINARY}_v${VERSION}_macos_amd64 @cat ~/.packer.d/plugins/github.com/mondoohq/cnspec/packer-plugin-cnspec_v${VERSION}_macos_amd64 | shasum --tag | cut -d"=" -f2 | tr -d " " > ~/.packer.d/plugins/github.com/mondoohq/cnspec/packer-plugin-cnspec_v${VERSION}_macos_amd64_SHA256SUM - + test: @go test -race -count $(COUNT) $(TEST) -timeout=3m @@ -59,10 +59,6 @@ test/golanglint: install-packer-sdc: ## Install packer software development command @go install github.com/hashicorp/packer-plugin-sdk/cmd/packer-sdc@${HASHICORP_PACKER_PLUGIN_SDK_VERSION} -ci-release-docs: install-packer-sdc - @packer-sdc renderdocs -src docs -partials docs-partials/ -dst docs/ - @/bin/sh -c "[ -d docs ] && zip -r docs.zip docs/" - plugin-check: install-packer-sdc build @packer-sdc plugin-check ${BINARY} 
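Review bot: The script runs without `set -euo pipefail`, so a failed `cp "$docsDir/README.md"` or a `tail`/`mv` error inside `processComponentFile` is ignored and `make generate` — and the CI docs check built on it — report success over a partially written `.web-docs`; add `set -euo pipefail` directly under the shebang. The `for file in $(find "$docsDir" | grep ...)` loop in `compileWebDocs` word-splits on whitespace in paths; a roughly equivalent `while IFS= read -r file; do processComponentFile "$docsDir" "$webDocsDir" "$file" "$4"; done < <(find "$docsDir" -mindepth 2 -name '*.mdx' ! -name 'index.mdx')` does not. When a component file has no front-matter `---` pair, `lastMetadataLine` is empty and `$(($lastMetadataLine+2))` evaluates to `2`, silently dropping the first content line instead of failing; guard it with `[[ -n "$lastMetadataLine" ]] || { echo "missing front matter in '$componentFile'"; exit 1; }` before the `tail`.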
@@ -71,8 +67,10 @@ testacc: dev generate: install-packer-sdc @go generate ./... - packer-sdc renderdocs -src ./docs -dst ./.docs -partials ./docs-partials - # checkout the .docs folder for a preview of the docs + @rm -rf .docs + @packer-sdc renderdocs -src "docs" -partials docs-partials/ -dst ".docs/" + @./.web-docs/scripts/compile-to-webdocs.sh "." ".docs" ".web-docs" "mondoohq" + @rm -rf ".docs" # Copywrite Check Tool: https://github.com/hashicorp/copywrite license: license/headers/check @@ -81,4 +79,4 @@ license/headers/check: copywrite headers --plan license/headers/apply: - copywrite headers \ No newline at end of file + copywrite headers diff --git a/docs-partials/provisioner/Config-not-required.mdx b/docs-partials/provisioner/Config-not-required.mdx index 03fd6d2..eca4db8 100644 --- a/docs-partials/provisioner/Config-not-required.mdx +++ b/docs-partials/provisioner/Config-not-required.mdx @@ -42,7 +42,7 @@ Mondoo Platform. - `incognito` (bool) - Configures incognito mode. Defaults to `true`. When set to false, scan results - will not be sent to the Mondoo platform. + will not be sent to the Mondoo Platform. - `policies` ([]string) - A list of policies to be executed (requires incognito mode). diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000..26adb97 --- /dev/null +++ b/docs/README.md 
@@ -0,0 +1,45 @@ +Packer plugin [cnspec](https://github.com/mondoohq/cnspec) by [Mondoo](https://mondoo.com) scans Linux and Windows [HashiCorp Packer](https://www.packer.io) builds for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using [cnspec-policies](https://github.com/mondoohq/cnspec-policies) to uncover common misconfigurations that open your hosts to the risk of attack. cnspec supports scanning of Linux, Windows, and macOS, as well as Docker containers. + +Packer plugin cnspec is designed to work in one of two modes: + +- **Unregistered** - In unregistered mode, the plugin works without being registered to Mondoo Platform, and is designed to provide baseline security scanning with minimal configuration. The plugin runs either the [Linux Security by Mondoo](https://github.com/mondoohq/cnspec-policies/blob/main/core/mondoo-linux-security.mql.yaml) policy on Linux builds, or the [Windows Security by Mondoo](https://github.com/mondoohq/cnspec-policies/blob/main/core/mondoo-windows-security.mql.yaml) policy on Windows builds. Each of these policies provides security hardening checks based off of industry standards for Linux and Windows. Scan results are shown in STDOUT during the Packer run. +- **Registered** - In registered mode, the plugin is registered to your account in Mondoo Platform using a service account. Registered mode allows you to configure and customize any of the policies in Mondoo Platform including CIS benchmarks and more. Scan results are shown in STDOUT and sent back to Mondoo Platform for your records. + +### Installation + +To install this plugin, copy and paste this code into your Packer configuration, then run [`packer init`](https://www.packer.io/docs/commands/init). 
+ +```hcl +packer { + required_plugins { + cnspec = { + version = ">= 9.0.0" + source = "github.com/mondoohq/cnspec" + } + } +} +``` + +Alternatively, you can use `packer plugins install` to manage installation of this plugin. + +```sh +$ packer plugins install github.com/mondoohq/cnspec +``` + +### Components + +#### Provisioners + +- [cnspec](/packer/integrations/mondoohq/cnspec/latest/components/provisioner/cnspec) - Packer plugin [cnspec](https://github.com/mondoohq/cnspec) by [Mondoo](https://mondoo.com) scans +Linux and Windows machine images for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using [cnspec-policies](https://github.com/mondoohq/cnspec-policies) to uncover common misconfigurations that open your hosts to the risk of attack. +- [mondoo](/packer/integrations/mondoohq/cnspec/latest/components/provisioner/mondoo) - The `mondoo` provisioner scans [Packer](https://www.packer.io) builds for vulnerabilities and misconfigurations by executing security +policies-as-code enabled in [Mondoo Platform](https://console.mondoo.com). Mondoo Platform comes stocked with an ever-increasing collection of +certified security policies which can be easily customize to meet your needs. + +### Tutorials + +Check out the Packer tutorials on the Mondoo documentation site: + +- [Building secure AMIs with Mondoo and Packer](https://mondoo.com/docs/cnspec/cnspec-aws/cnspec-aws-packer/) +- [Building secure VM images in Google Cloud with cnspec and HashiCorp Packer](https://mondoo.com/docs/cnspec/cnspec-gcp/cnspec-gcp-packer/) + diff --git a/provisioner/provisioner.go b/provisioner/provisioner.go index a41952e..aad89bf 100644 --- a/provisioner/provisioner.go +++ b/provisioner/provisioner.go 
@@ -88,7 +88,7 @@ type Config struct {
 // Mondoo Platform.
 Annotations map[string]string `mapstructure:"annotations"`
 // Configures incognito mode. Defaults to `true`. When set to false, scan results
- // will not be sent to the Mondoo platform.
+ // will not be sent to Mondoo Platform.
 Incognito bool `mapstructure:"incognito"`
 // A list of policies to be executed (requires incognito mode).
 Policies []string `mapstructure:"policies"`
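Review bot: The rewritten comment on `Incognito` still reads as inverted: a field named incognito conventionally means the scan does not report to the platform, yet the sentence says results are withheld when it is set to `false`, which contradicts the README's description of registered mode sending results upstream. Confirm against the code that consumes `Config.Incognito` (the `Config` struct begins outside this hunk) and correct whichever side is wrong; if incognito suppresses the upload, the two lines should read `// Configures incognito mode. Defaults to true. When set to true, scan results` and `// are not sent to Mondoo Platform.`. The same sentence is duplicated into `docs-partials` and the generated `.web-docs` READMEs in this commit, so the fix belongs here followed by `make generate`.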