Skip to content

Update SAR source #1304

Update SAR source

Update SAR source #1304

Workflow file for this run

name: Update SAR source
on:
schedule:
- cron: '0 12 * * *'
workflow_dispatch:
jobs:
update:
name: Update
runs-on: macos-12
steps:
- name: Checkout
uses: actions/checkout@v1
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v0
with:
project_id: ${{ secrets.GCP_PROJECT_ID }}
service_account_key: ${{ secrets.GCP_SA_KEY }}
export_default_credentials: true
credentials_file_path: gcreds
- name: Azure Login
uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Manual
run: |
curl -v "https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html"
pip3 install bs4 requests pyyaml inflect
python3 -u util/aws_parliament_update_iam_data.py > util/aws_js/iam_definition.json
sleep 1
mkdir -p gcp/roles/
cd gcp
rm -rf google-api-go-client
git clone --depth 1 https://github.com/googleapis/google-api-go-client.git
rm -rf google-api-go-client/.git
cd ..
gcloud iam roles list --show-deleted --format json > gcp/predefined_roles.json
gcloud iam roles list --show-deleted --format json | jq -r '.[]|[.name,(.name | split("/")[-1])] | @tsv' |
while IFS=$'\t' read -r name shortname; do
echo "Writing $shortname.json"
gcloud iam roles describe "$name" --format json > gcp/roles/$shortname.json || echo "Failure to write $shortname.json"
done
git clone https://github.com/iann0036/iam-privilege-catalog.git
python3 util/gcp_get_risks.py || true
rm -rf iam-privilege-catalog
python3 util/gcp_get_methods.py || true
python3 util/gcp_get_permissions.py || true
python3 util/gcp_compare_datasources.py || true
python3 util/gcp_crawl.py || true
rm -rf gcp/google-api-go-client
rm gcreds
git clone https://github.com/Azure/azure-rest-api-specs.git
python3 util/azure_process_spec.py
az provider operation list > azure/provider-operations.json
python3 util/azure_clean_provider_ops.py
az role definition list --query '[?roleType == `BuiltInRole`].{assignableScopes: assignableScopes, description: description, permissions: permissions, roleName: roleName, roleType: roleType, type: type}' > azure/built-in-roles-raw.json
python3 util/azure_process_roles.py > azure/built-in-roles.json
python3 util/azure_generate_map.py
python3 util/aws_patch_iam_definition.py
sleep 1
rm -rf docs/ update_iam_data.py
# sudo apt -y install git nodejs
git clone https://github.com/z0ph/MAMIP.git
git clone https://github.com/primeharbor/sensitive_iam_actions.git
python3 util/aws_add_managed_policies.py
python3 util/aws_generate_tags.py
cd util/aws_js
npm i
npm update aws-sdk
node aws_add_docs.js
cd ../..
rm -f aws/docs.json
mv util/aws_js/docs.json aws/docs.json
python3 util/aws_update_counts.py
- name: Commit files
env:
BOT_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
run: |
set -eux
git config --local user.email "githubbot@ian.mn"
git config --local user.name "Ian Mckay [bot]"
git add .
git commit -m "Update SAR data" -a || exit 0
remote_repo="https://iann0036-bot:${BOT_GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
git push "${remote_repo}" HEAD:main