Merge pull request #19 from mitre/sujay-dev #43

Workflow file for this run

	---
	name: CIS Azure Foundations v3.0.0

	on:
	push:
	branches:
	- main
	- test-pipeline
	pull_request:

	jobs:
	my-job:
	name: Validate the CIS Azure Foundations v3.0.0 Profile

	runs-on: ubuntu-latest

	env:
	CHEF_LICENSE: accept-silent
	CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
	RESULTS_FILE: azure_inspec_results.json
	THRESHOLD_FILE: inspec.threshold.yml
	INSPEC_INPUTS: ${{ secrets.INSPEC_INPUTS }}
	HEIMDALL_URL: https://heimdall-demo.mitre.org

	steps:
	- name: Install Packages
	run: sudo apt-get install -y jq curl

	- name: Install Az and MgGraph Modules
	run: \|
	If($null -eq (get-module -listavailable -name "az")){install-module az -Force -AllowClobber}
	If($null -eq (get-module -name "az")){import-module az}
	If($null -eq (get-module -listavailable -name "microsoft.graph")){install-module microsoft.graph -Force -AllowClobber}
	If($null -eq (get-module -name "microsoft.graph")){import-module microsoft.graph}
	shell: pwsh

	- name: Check-out Repository
	uses: actions/checkout@v4

	- name: Get Full Clone of Repository
	run: git fetch --prune --unshallow

	- name: Generate Short Commit SHA
	id: vars
	run: \|
	calculatedSha=$(git rev-parse --short ${{ github.sha }})
	echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV

	- name: Display Short Commit SHA
	run: echo ${{ env.COMMIT_SHORT_SHA }}

	- name: Create Input File
	shell: bash
	run: \|
	printf "%s" "${{ env.INSPEC_INPUTS }}" > inputs.yml

	- name: Setup Ruby
	uses: ruby/setup-ruby@v1
	with:
	ruby-version: "3.1"

	- name: Disable ri and rdoc
	run: 'echo "gem: --no-document" >> ~/.gemrc'

	- name: Install Bundle Dependencies
	run: bundle install

	- name: Installed Inspec Version
	run: bundle exec inspec version

	- name: Vendor the InSpec Profile
	run: bundle exec inspec vendor --overwrite

	- name: Lint Inspec profile
	run: bundle exec inspec check .

	- name: Create Powershell Config File
	run: \|
	echo '{
	"version": "1.1",
	"cli_options": {
	"color": "true"
	},
	"credentials": {
	"pwsh": {
	"pwsh-options": {
	"pwsh_path": "/usr/bin/pwsh"
	}
	}
	}
	}' > ~/.inspec/config.json

	- name: Run InSpec Profile
	run: \|
	bundle exec inspec exec . \
	--controls=azure-foundations-cis-6.2.1 azure-foundations-cis-6.2.2 \
	--input client_id=${{ secrets.AZURE_CLIENT_ID }} tenant_id=${{ secrets.AZURE_TENANT_ID }} client_secret=${{ secrets.AZURE_CLIENT_SECRET }} subscription_id=${{ secrets.AZURE_SUBSCRIPTION_ID }} \
	--input-file=inputs_template.yml \
	--reporter cli json:${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} \
	--enhanced-outcomes \
	--filter-empty-profiles \|\| true

	- name: Save Test Results
	uses: actions/upload-artifact@v4
	with:
	name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
	path: \|
	./${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}

	- name: Delete Input file
	run: rm -f input_file.yml

	- name: Upload to Heimdall
	run: \|
	curl -# -s -F data=@${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE}}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_KEY }}" "${{ env.HEIMDALL_URL }}/evaluations"

	- name: Display ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} Results Summary
	uses: mitre/saf_action@v1
	with:
	command_string: "view summary -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}"

	- name: Ensure ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} Meets Results Threshold
	uses: mitre/saf_action@v1
	with:
	command_string: "validate threshold -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F ${{ env.THRESHOLD_FILE }}"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #19 from mitre/sujay-dev #43

Workflow file

Merge pull request #19 from mitre/sujay-dev #43

Jobs

Run details

Workflow file for this run