Addressed various issues #83
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test the CIS M365 Profile | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| validate: | |
| name: Validate my profile | |
| runs-on: ubuntu-latest | |
| env: | |
| CHEF_LICENSE: accept-silent | |
| CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} | |
| PLATFORM: "m365" | |
| LC_ALL: "en_US.UTF-8" | |
| steps: | |
| - name: Add needed packages | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get -y install jq | |
| - name: Check out repository | |
| uses: actions/checkout@v4 | |
| - name: Set short git commit SHA | |
| id: vars | |
| run: | | |
| calculatedSha=$(git rev-parse --short ${{ github.sha }}) | |
| echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV | |
| - name: Confirm git commit SHA output | |
| run: echo ${{ env.COMMIT_SHORT_SHA }} | |
| - name: Setup Ruby | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: "3.1" | |
| - name: Disable ri and rdoc | |
| run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' | |
| - name: Run Bundle Install | |
| run: bundle install | |
| - name: Check Inspec version | |
| run: bundle exec inspec version | |
| - name: Vendor the Profile | |
| run: bundle exec inspec vendor . --overwrite | |
| - name: Collect certificate file | |
| env: | |
| AUTH: ${{ secrets.SAF_M365_CERTIFICATE }} | |
| run: | | |
| echo "$AUTH" | base64 --decode > cert.pfx | |
| chmod 0400 cert.pfx | |
| - name: Create .inspec directory | |
| run: mkdir -p .inspec | |
| - name: Check pwsh path | |
| run: | | |
| if command -v pwsh > /dev/null 2>&1; then | |
| echo "pwsh found at: $(which pwsh)" | |
| else | |
| echo "pwsh not found in PATH" | |
| fi | |
| - name: Install required modules for exchange, teams, and pnp | |
| shell: pwsh | |
| run: | | |
| Install-Module -Name ExchangeOnlineManagement -Force -Scope CurrentUser | |
| Import-Module ExchangeOnlineManagement | |
| Install-module MicrosoftTeams -Force -AllowClobber | |
| Import-module MicrosoftTeams | |
| Install-module PnP.PowerShell -Force -AllowClobber | |
| Import-module PnP.PowerShell | |
| - name: Create config json file | |
| run: | | |
| echo '{ | |
| "version": "1.1", | |
| "cli_options": { | |
| "color": "true" | |
| }, | |
| "credentials": { | |
| "pwsh": { | |
| "pwsh-options": { | |
| "client_id": "'"${{secrets.SAF_M365_CLIENT_ID}}"'", | |
| "tenant_id": "'"${{secrets.SAF_M365_TENANT_ID}}"'", | |
| "client_secret": "'"${{secrets.SAF_M365_CLIENT_SECRET}}"'", | |
| "certificate_path": "cert.pfx", | |
| "certificate_password": "'"${{secrets.SAF_M365_CERTIFICATE_PASSWORD}}"'", | |
| "organization": "'"${{secrets.SAF_M365_ORGANIZATION}}"'", | |
| "sharepoint_admin_url": "'"${{secrets.SAF_M365_SHAREPOINT_ADMIN_URL}}"'", | |
| "pwsh_path": "'"${{secrets.SAF_M365_PWSH_PATH}}"'" | |
| } | |
| } | |
| } | |
| }' > ~/.inspec/config.json | |
| - name: Verify config json file | |
| run: | | |
| # Print the contents of the config file | |
| cat ~/.inspec/config.json | |
| - name: Run Inspec test | |
| continue-on-error: true | |
| run: | | |
| bundle exec inspec exec . \ | |
| -t pwsh://pwsh-options \ | |
| --input-file=inputs.yml \ | |
| --enhanced-outcomes \ | |
| --reporter json:${{ env.PLATFORM }}-results.json | |
| - name: View results summary | |
| continue-on-error: true | |
| uses: mitre/[email protected] | |
| with: | |
| command_string: "view summary -j -i ${{ env.PLATFORM }}-results.json -o ${{ env.PLATFORM }}-summary.json" | |
| - name: Upload to Heimdall | |
| continue-on-error: true | |
| run: | | |
| curl -# -s -F data=@${{ env.PLATFORM }}-results.json -F "filename=${{ env.PLATFORM }}_${{ env.COMMIT_SHORT_SHA }}.json" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations" | |
| - name: Generate Markdown Summary | |
| continue-on-error: true | |
| id: generate-summary | |
| run: | | |
| python markdown-summary.py ${{ env.PLATFORM }}-summary.json > ${{ env.PLATFORM }}-markdown-summary.md | |
| cat ${{ env.PLATFORM }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY | |
| - name: Ensure the scan meets our results threshold | |
| uses: mitre/[email protected] | |
| with: | |
| command_string: "validate threshold -i ${{ env.PLATFORM }}-results.json -F threshold.yml" | |
| - name: Save Files from the Workflow | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.COMMIT_SHORT_SHA }}-artifacts | |
| path: | | |
| ./*.json |