CIS Benchmark 2.0.0 update #33
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: CIS AWS Foundations v2.0.0 | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| jobs: | |
| my-job: | |
| name: Validate my profile | |
| runs-on: ubuntu-latest | |
| env: | |
| CHEF_LICENSE: accept-silent | |
| CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} | |
| RESULTS_FILE: inspec_results.json | |
| PROFILE_FILE: profile.json | |
| INPUT_FILE: testing.inputs.yml | |
| # KITCHEN_LOCAL_YAML: kitchen.ec2.yml | |
| # LC_ALL: "en_US.UTF-8" | |
| # strategy: | |
| # matrix: | |
| # suite: ['vanilla', 'hardened'] | |
| # fail-fast: false | |
| steps: | |
| - name: add needed packages | |
| run: sudo apt-get install -y jq | |
| - name: Configure AWS credentials | |
| env: | |
| AWS_SG_ID: ${{ secrets.SAF_AWS_SG_ID }} | |
| AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }} | |
| uses: aws-actions/configure-aws-credentials@v2 | |
| with: | |
| aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} | |
| aws-region: us-east-1 | |
| - name: Check out repository | |
| uses: actions/checkout@v3 | |
| - name: Clone full repository so we can push | |
| run: git fetch --prune --unshallow | |
| - name: Setup Ruby | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: "3.1" | |
| - name: Disable ri and rdoc | |
| run: 'echo "gem: --no-document" >> ~/.gemrc' | |
| - run: bundle install | |
| - name: Installed Inspec | |
| run: bundle exec inspec version | |
| # - name: Installed InSpec Plugins | |
| # run: bundle exec inspec plugin list | |
| - name: Vendor the InSpec Profile | |
| run: bundle exec inspec vendor --overwrite | |
| # - name: Regenerate current `profile.json` | |
| # run: | | |
| # bundle exec inspec export . --format json | jq . > ${{ env.PROFILE_FILE }} | |
| - name: Lint the Inspec profile | |
| run: bundle exec inspec check . | |
| # - name: Run kitchen test | |
| # run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-rhel-7 || true | |
| - name: Run the Profile | |
| run: | | |
| inspec exec . --target aws:// --input-file=${{ env.INPUT_FILE }} --reporter cli json:${{ env.RESULTS_FILE }} --enhanced-outcomes --filter-empty-profiles || true | |
| - name: Save Test Result JSON | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| path: | | |
| ${{ env.RESULTS_FILE }} | |
| # ${{ env.PROFILE_FILE }} | |
| - name: "Display our ${{ env.RESULTS_FILE }} results summary" | |
| uses: mitre/saf_action@v1 | |
| with: | |
| command_string: "view summary -i ${{ env.RESULTS_FILE }}" | |
| - name: "Ensure the scan meets our ${{ env.RESULTS_FILE }} results threshold" | |
| uses: mitre/saf_action@v1 | |
| with: | |
| command_string: "validate threshold -i ${{ env.RESULTS_FILE }} -F cis-foundations.threshold.yml" |