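---
# CI workflow for the CIS M365 InSpec profile: vendors the profile, builds the
# InSpec pwsh credentials from repository secrets, runs the scan, publishes the
# results to Heimdall and fails the job when the threshold in threshold.yml is
# not met. Secrets reach shell steps only through `env:` blocks, never by
# `${{ }}` interpolation inside a `run:` script, so a value containing quotes
# or shell metacharacters cannot alter the script text.
name: Test the CIS M365 Profile

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it
# (suppress yamllint `truthy` here if the linter complains).
on:
  pull_request:
  push:
    branches:
      - main

jobs:
  validate:
    name: Validate my profile
    runs-on: ubuntu-latest
    env:
      CHEF_LICENSE: accept-silent
      CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
      PLATFORM: "m365"
      LC_ALL: "en_US.UTF-8"
    steps:
      # Third-party actions below are referenced by mutable tag; pinning each
      # `uses:` to a full commit SHA would make the action supply chain
      # reproducible.

      # jq is used later to build config.json with proper JSON escaping.
      - name: Add needed packages
        run: |
          sudo apt-get update
          sudo apt-get -y install jq

      - name: Check out repository
        uses: actions/checkout@v4

      # $GITHUB_SHA is the runner-provided equivalent of ${{ github.sha }};
      # reading it from the environment keeps expression interpolation out of
      # the script text.
      - name: Set short git commit SHA
        id: vars
        run: |
          calculatedSha=$(git rev-parse --short "$GITHUB_SHA")
          echo "COMMIT_SHORT_SHA=$calculatedSha" >> "$GITHUB_ENV"

      # Values appended to $GITHUB_ENV are plain environment variables in every
      # later step.
      - name: Confirm git commit SHA output
        run: echo "$COMMIT_SHORT_SHA"

      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.1"

      - name: Disable ri and rdoc
        run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'

      - name: Run Bundle Install
        run: bundle install

      - name: Check Inspec version
        run: bundle exec inspec version

      - name: Vendor the Profile
        run: bundle exec inspec vendor . --overwrite

      # The PFX is created under a restrictive umask so it is never readable
      # by other users on the runner, not even before the chmod applies.
      - name: Collect certificate file
        env:
          AUTH: ${{ secrets.SAF_M365_CERTIFICATE }}
        run: |
          umask 077
          echo "$AUTH" | base64 --decode > cert.pfx
          chmod 0400 cert.pfx

      # config.json is written to ~/.inspec below, so that is the directory
      # that has to exist; `mkdir -p .inspec` created an unused directory in
      # the workspace instead.
      - name: Create .inspec directory
        run: mkdir -p ~/.inspec

      - name: Check pwsh path
        run: |
          if command -v pwsh > /dev/null 2>&1; then
            echo "pwsh found at: $(command -v pwsh)"
          else
            echo "pwsh not found in PATH"
          fi

      # Build the JSON with `jq --arg` so every value is JSON-escaped: a secret
      # containing a quote, backslash or newline no longer produces a broken
      # file, and the secrets are not spliced into the shell script as text.
      # The file is created under umask 077 because it holds credentials.
      - name: Create config json file
        env:
          M365_CLIENT_ID: ${{ secrets.SAF_M365_CLIENT_ID }}
          M365_TENANT_ID: ${{ secrets.SAF_M365_TENANT_ID }}
          M365_CLIENT_SECRET: ${{ secrets.SAF_M365_CLIENT_SECRET }}
          M365_CERTIFICATE_PASSWORD: ${{ secrets.SAF_M365_CERTIFICATE_PASSWORD }}
          M365_ORGANIZATION: ${{ secrets.SAF_M365_ORGANIZATION }}
          M365_SHAREPOINT_ADMIN_URL: ${{ secrets.SAF_M365_SHAREPOINT_ADMIN_URL }}
          M365_PWSH_PATH: ${{ secrets.SAF_M365_PWSH_PATH }}
        run: |
          umask 077
          jq -n \
            --arg client_id "$M365_CLIENT_ID" \
            --arg tenant_id "$M365_TENANT_ID" \
            --arg client_secret "$M365_CLIENT_SECRET" \
            --arg certificate_password "$M365_CERTIFICATE_PASSWORD" \
            --arg organization "$M365_ORGANIZATION" \
            --arg sharepoint_admin_url "$M365_SHAREPOINT_ADMIN_URL" \
            --arg pwsh_path "$M365_PWSH_PATH" \
            '{
              version: "1.1",
              cli_options: { color: "true" },
              credentials: {
                pwsh: {
                  "pwsh-options": {
                    client_id: $client_id,
                    tenant_id: $tenant_id,
                    client_secret: $client_secret,
                    certificate_path: "cert.pfx",
                    certificate_password: $certificate_password,
                    organization: $organization,
                    sharepoint_admin_url: $sharepoint_admin_url,
                    pwsh_path: $pwsh_path
                  }
                }
              }
            }' > ~/.inspec/config.json

      # Check the file parses and has the expected option keys without echoing
      # the credential values into the job log; GitHub's secret masking is
      # best-effort and does not cover re-encoded forms of a secret.
      # `jq -e` fails the step if the pwsh-options object is missing.
      - name: Verify config json file
        run: |
          jq -e '.credentials.pwsh["pwsh-options"] | keys' ~/.inspec/config.json

      # continue-on-error: failing controls must not stop the run; the
      # threshold step at the end decides whether the job fails.
      - name: Run Inspec test
        continue-on-error: true
        run: |
          bundle exec inspec exec . \
            -t pwsh://pwsh-options \
            --input-file=inputs.yml \
            --enhanced-outcomes \
            --reporter "json:${PLATFORM}-results.json"

      # NOTE(review): the action ref on the `uses:` line below reads
      # "[email protected]" in the page extraction, which is not a valid ref;
      # restore the project's pinned reference (presumably mitre/saf_action@<tag>).
      - name: View results summary
        continue-on-error: true
        uses: mitre/[email protected]
        with:
          command_string: "view summary -j -i ${{ env.PLATFORM }}-results.json -o ${{ env.PLATFORM }}-summary.json"

      # The API key and instance URL come in through env, not inline
      # interpolation. `--fail` turns an HTTP error into a visible (non-blocking,
      # because of continue-on-error) step failure instead of a silent success.
      # NOTE(review): `public=true` publishes the evaluation on the Heimdall
      # instance; confirm that is intended for CI scan results.
      - name: Upload to Heimdall
        continue-on-error: true
        env:
          HEIMDALL_UPLOAD_KEY: ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}
          HEIMDALL_URL: ${{ vars.SAF_HEIMDALL_URL }}
        run: |
          curl -# -s --fail \
            -F "data=@${PLATFORM}-results.json" \
            -F "filename=${PLATFORM}_${COMMIT_SHORT_SHA}.json" \
            -F "public=true" \
            -F "evaluationTags=${COMMIT_SHORT_SHA},${GITHUB_REPOSITORY},${GITHUB_WORKFLOW}" \
            -H "Authorization: Api-Key ${HEIMDALL_UPLOAD_KEY}" \
            "${HEIMDALL_URL}/evaluations"

      - name: Generate Markdown Summary
        continue-on-error: true
        id: generate-summary
        run: |
          python markdown-summary.py "${PLATFORM}-summary.json" > "${PLATFORM}-markdown-summary.md"
          cat "${PLATFORM}-markdown-summary.md" >> "$GITHUB_STEP_SUMMARY"

      # NOTE(review): same garbled "[email protected]" ref as the summary step
      # above; restore the pinned mitre/saf_action reference.
      - name: Ensure the scan meets our results threshold
        uses: mitre/[email protected]
        with:
          command_string: "validate threshold -i ${{ env.PLATFORM }}-results.json -F threshold.yml"

      # `./*.json` only matches the results/summary files in the workspace;
      # config.json lives in ~/.inspec and cert.pfx does not match, so neither
      # is uploaded as an artifact.
      - name: Save Files from the Workflow
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.COMMIT_SHORT_SHA }}-artifacts
          path: |
            ./*.json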