starting with the current finished-state pipeline #9

Closed
wants to merge 5 commits into from
76 changes: 63 additions & 13 deletions .github/workflows/pipeline.yml
@@ -1,23 +1,73 @@
name: Demo Gold Image Pipeline for NGINX
name: Demo Security Validation Gold Image Pipeline

on:
pull_request: # trigger this action on any pull request
branches: [ main ] # against main branch
push:
branches:
- main
branches: [ main, pipeline ] # trigger this action on any push to main branch

jobs:
gold-image:
name: Gold Image Pipeline
gold-image:
name: Gold Image NGINX
runs-on: ubuntu-20.04
env:
CHEF_LICENSE: accept
PROFILE: my_nginx
CHEF_LICENSE: accept # so that we can use InSpec without manually accepting the license
PROFILE: my_nginx # path to our profile
steps:
- name: Update ubuntu
run: sudo apt-get update -y

- name: PREP - Install InSpec executable
- name: PREP - Update runner # updating all dependencies is always a good start
run: sudo apt-get update
- name: PREP - Install InSpec executable
run: curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec -v 5

- name: PREP - Install profile
uses: actions/checkout@v3
- name: PREP - Check out this repository # because that's where our profile is!
uses: actions/checkout@v3

- name: LINT - Run InSpec Check # double-check that we don't have any serious issues in our profile code
run: inspec check $PROFILE

- name: DEPLOY - Run a Docker container from nginx
run: docker run -dit --name nginx nginx:latest

- name: DEPLOY - Install Python for our nginx container
run: |
docker exec nginx apt-get update -y
docker exec nginx apt-get install -y python3

- name: HARDEN - Fetch Ansible role
run: |
git clone --branch docker https://github.com/mitre/ansible-nginx-stigready-hardening.git || true
chmod 755 ansible-nginx-stigready-hardening

- name: HARDEN - Fetch Ansible requirements
run: ansible-galaxy install -r ansible-nginx-stigready-hardening/requirements.yml

- name: HARDEN - Run Ansible hardening
run: ansible-playbook --inventory=nginx, --connection=docker ansible-nginx-stigready-hardening/hardening-playbook.yml

- name: VALIDATE - Run InSpec
continue-on-error: true # we dont want to stop if our InSpec run finds failures, we want to continue and record the result
run: |
inspec exec $PROFILE \
--input-file=$PROFILE/inputs-linux.yml \
--target docker://nginx \
--reporter cli json:results/pipeline_run.json

- name: VALIDATE - Save Test Result JSON # save our results to the pipeline artifacts, even if the InSpec run found failing tests
uses: actions/upload-artifact@v3
with:
path: results/pipeline_run.json

- name: VALIDATE - Upload to Heimdall
continue-on-error: true
run: |
curl -# -s -F data=@results/pipeline_run.json -F "filename=${{ github.actor }}-pipeline-demo-${{ github.sha }}.json" -F "public=false" -F "evaluationTags=${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_API_KEY }}" "https://heimdall-demo.mitre.org/evaluations"

- name: VERIFY - Display our results summary
uses: mitre/saf_action@v1
with:
command_string: "view summary -i results/pipeline_run.json"

- name: VERIFY - Ensure the scan meets our results threshold
uses: mitre/saf_action@v1 # check if the pipeline passes our defined threshold
with:
command_string: "validate threshold -i results/pipeline_run.json -F threshold.yml"
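Review bot: the PREP install step pipes a remote installer straight into `sudo bash` (`curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec -v 5`) with no checksum and only a major-version pin, and the DEPLOY step pulls the floating `nginx:latest` tag, so the gold image this workflow validates is not reproducible from one run to the next; pin the full InSpec version and a specific nginx tag or digest, and download the installer to a file and verify it before executing. The HARDEN step's `git clone ... || true` masks a failed clone, so a missing role would only surface later as a confusing "requirements.yml not found" error; drop the `|| true` or follow it with an explicit existence check. Minor: the `push` trigger comment still says "main branch" although the list now also includes `pipeline`, and the `upload-artifact` step sets no `name:`, so the results JSON lands under the default artifact name.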