6.2.4-6.2.8 #28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: CIS Azure Foundations v3.0.0 | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - test-pipeline | |
| pull_request: | |
| jobs: | |
| my-job: | |
| name: Validate the CIS Azure Foundations v3.0.0 Profile | |
| runs-on: ubuntu-latest | |
| env: | |
| CHEF_LICENSE: accept-silent | |
| CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} | |
| RESULTS_FILE: azure_inspec_results.json | |
| THRESHOLD_FILE: inspec.threshold.yml | |
| INSPEC_INPUTS: ${{ secrets.INSPEC_INPUTS }} | |
| HEIMDALL_URL: https://heimdall-demo.mitre.org | |
| steps: | |
| - name: Install Packages | |
| run: sudo apt-get install -y jq curl | |
| - name: Install Az Module | |
| run: | | |
| Install-Module -Name Az -AllowClobber -Scope CurrentUser -Force | |
| Import-Module Az | |
| shell: pwsh | |
| - name: Check-out Repository | |
| uses: actions/checkout@v4 | |
| - name: Get Full Clone of Repository | |
| run: git fetch --prune --unshallow | |
| - name: Generate Short Commit SHA | |
| id: vars | |
| run: | | |
| calculatedSha=$(git rev-parse --short ${{ github.sha }}) | |
| echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV | |
| - name: Display Short Commit SHA | |
| run: echo ${{ env.COMMIT_SHORT_SHA }} | |
| - name: Create Input File | |
| shell: bash | |
| run: | | |
| printf "%s" "${{ env.INSPEC_INPUTS }}" > inputs.yml | |
| - name: Setup Ruby | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: "3.1" | |
| - name: Disable ri and rdoc | |
| run: 'echo "gem: --no-document" >> ~/.gemrc' | |
| - name: Install Bundle Dependencies | |
| run: bundle install | |
| - name: Installed Inspec Version | |
| run: bundle exec inspec version | |
| - name: Vendor the InSpec Profile | |
| run: bundle exec inspec vendor --overwrite | |
| - name: Lint Inspec profile | |
| run: bundle exec inspec check . | |
| - name: Create Powershell Config File | |
| run: | | |
| echo '{ | |
| "version": "1.1", | |
| "cli_options": { | |
| "color": "true" | |
| }, | |
| "credentials": { | |
| "pwsh": { | |
| "pwsh-options": { | |
| "pwsh_path": "/usr/bin/pwsh" | |
| } | |
| } | |
| } | |
| }' > ~/.inspec/config.json | |
| - name: Run InSpec Profile | |
| run: | | |
| bundle exec inspec exec . --target pwsh://pwsh-options --input-file=inputs.yml --reporter cli json:${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} --enhanced-outcomes --filter-empty-profiles || true | |
| - name: Save Test Results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results | |
| path: | | |
| ./${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} | |
| - name: Delete Input file | |
| run: rm -f input_file.yml | |
| - name: Upload to Heimdall | |
| run: | | |
| curl -# -s -F data=@${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE}}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_KEY }}" "${{ env.HEIMDALL_URL }}/evaluations" | |
| - name: Display ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} Results Summary | |
| uses: mitre/saf_action@v1 | |
| with: | |
| command_string: "view summary -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}" | |
| - name: Ensure ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} Meets Results Threshold | |
| uses: mitre/saf_action@v1 | |
| with: | |
| command_string: "validate threshold -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F ${{ env.THRESHOLD_FILE }}" |