diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ddf644e..7be3c09 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -9,33 +9,33 @@ jobs:
 name: Harden MongoDB Container
 runs-on: ubuntu-latest
 env:
- foo: bar
+ REPORT_TO_HEIMDALL: "true"
+ HEIMDALL_URL: "https://heimdall-demo.mitre.org/evaluations"
+ HEIMDALL_API_KEY: ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}
 steps:
- - name: add dependencies
+ - name: Add Dependencies
 run: |
 sudo apt-get update
- sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin
- wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
- echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
- sudo apt update && sudo apt install packer
+ curl -fsSL https://get.docker.com -o get-docker.sh
+ curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
+ sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
+ sudo apt-get update && sudo apt-get install packer
 python3 -m pip install --user ansible
 python3 -m pip install --upgrade --user ansible
- pip install jmespath
 npm install -g @mitre/saf
- curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
- sudo apt-get install wget apt-transport-https gnupg lsb-release
- wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
- echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
- sudo apt-get update
- sudo apt-get install trivy
- - name: Clone repository in
- uses: actions/checkout@v3
- - name: run packer
+ curl -L https://omnitruck.cinc.sh/install.sh | sudo bash -s -- -P cinc-auditor
+
+ - name: Clone Repository
+ uses: actions/checkout@v4
+
+ - name: Run Packer
 run: |
- packer init ubi8-hardening.pkr.hcl
- packer build -var 'report={"report_to_heimdall":"false"}' .
- - name: Save scan artifacts
- uses: actions/upload-artifact@v3
+ packer init mongo-hardening.pkr.hcl
+ packer build mongo-hardening.pkr.hcl
+ packer build -var "report_to_heimdall=${{env.REPORT_TO_HEIMDALL}}" -var "heimdall_url=${{ env.HEIMDALL_URL }}" -var "heimdall_api_key=${{ env.HEIMDALL_API_KEY }}" mongo-validate.pkr.hcl
+
+ - name: Save Scan Artifacts
+ uses: actions/upload-artifact@v4
 with:
 path: reports/*.json
 if: always()
diff --git a/mongo-hardening.pkr.hcl b/mongo-hardening.pkr.hcl
index cb00cc3..b924671 100644
--- a/mongo-hardening.pkr.hcl
+++ b/mongo-hardening.pkr.hcl
@@ -18,6 +18,7 @@ variable "ansible_vars" {
 # "ansible_connection" uses the docker socket instead of the default SSH connection.
 "ansible_connection" = "docker",
 "python_version" = "3.9"
+ "roles_path" = "spec/ansible/roles"
 }
 }
@@ -82,11 +83,12 @@ build {
 provisioner "ansible" {
 playbook_file = "spec/ansible/mongo-stig-hardening-playbook.yml"
 galaxy_file = "spec/ansible/requirements.yml"
+ roles_path = "${var.ansible_vars.roles_path}"
 extra_arguments = [
 "--extra-vars", "ansible_host=${var.output_image.name}",
 "--extra-vars", "ansible_connection=${var.ansible_vars.ansible_connection}",
 "--extra-vars", "ansible_python_interpreter=/usr/bin/python3",
- "--extra-vars", "ansible_pip_executable=pip3"
+ "--extra-vars", "ansible_pip_executable=pip3",
 ]
 }
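Review bot: The HashiCorp signing key is now imported with `sudo apt-key add -` in the Add Dependencies step, which drops the per-repository `signed-by` keyring the removed lines used and makes that key trusted for every apt source on the runner; apt-key is also deprecated. Keep the keyring form from the old lines: `curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg` and `echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list`. The `get-docker.sh` fetched on the line above is never executed, so either run it or drop the download. In the Run Packer step the secret is spliced into the script text through `${{ env.HEIMDALL_API_KEY }}`; reading the job-level env from the shell instead, `-var "heimdall_api_key=$HEIMDALL_API_KEY"`, avoids template expansion into the script, though the value still appears in the packer process arguments.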
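Review bot: The new `"roles_path" = "spec/ansible/roles"` entry in the `ansible_vars` default is the only key in that map without an explanatory comment, while `ansible_connection` directly above it has one, so a reader cannot tell from the variable whether the path is consumed by the playbook or by Packer. Suggest adding above it: `# "roles_path" is where the Ansible provisioner installs the roles from galaxy_file; presumably resolved relative to the directory packer is invoked from — confirm.` Since this map is a variable default, a `-var` override replaces the whole object, which is worth noting there if roles_path is expected to vary per environment.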