Merge pull request #10 from wdower/pipeline

Pipeline
mitre · Oct 8, 2024 · 89ac152 · 89ac152
2 parents 51edccf + 5191e0d
commit 89ac152
Show file tree

Hide file tree

Showing 4 changed files with 106 additions and 13 deletions.
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -1,23 +1,93 @@
-name: Demo Gold Image Pipeline for NGINX
+name: Demo Security Validation Gold Image Pipeline
 
-on:
+# define the triggers for this action
+on:                                             
   push:
-    branches:
-      - main
+    # trigger this action on any push to main branch
+    branches: [ main, pipeline ]                
 
 jobs:
-  gold-image: 
-    name: Gold Image Pipeline
+  gold-image:
+    name: Gold Image NGINX
     runs-on: ubuntu-20.04
     env:
-      CHEF_LICENSE: accept
-      PROFILE: my_nginx
+       # so that we can use InSpec without manually accepting the license
+      CHEF_LICENSE: accept  
+       # path to our profile                   
+      PROFILE: my_nginx                        
     steps:
-      - name: Update ubuntu
-        run: sudo apt-get update -y
+      # updating all dependencies is always a good start
+      - name: PREP - Update runner              
+        run: sudo apt-get update
 
-      - name: PREP - Install InSpec executable
+      - name: PREP - Install InSpec executable 
         run: curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec -v 5
 
-      - name: PREP - Install profile
-        uses: actions/checkout@v3
+      - name: PREP - Install SAF CLI
+        run: npm install -g @mitre/saf
+
+      # checkout the profile, because that's where our profile is!
+      - name: PREP - Check out this repository  
+        uses: actions/checkout@v3
+
+      # double-check that we don't have any serious issues in our profile code
+      - name: LINT - Run InSpec Check           
+        run: inspec check $PROFILE
+
+      # launch a container as the test target
+      - name: DEPLOY - Run a Docker container from nginx
+        run: docker run -dit --name nginx nginx:latest
+
+      # install dependencies on the container so that hardening will work
+      - name: DEPLOY - Install Python for our nginx container
+        run: |
+          docker exec nginx apt-get update -y
+          docker exec nginx apt-get install -y python3
+
+      # fetch the hardening role and requirements
+      - name: HARDEN - Fetch Ansible role
+        run: |
+          git clone --branch docker https://github.com/mitre/ansible-nginx-stigready-hardening.git || true
+          chmod 755 ansible-nginx-stigready-hardening
+
+      - name: HARDEN - Fetch Ansible requirements
+        run: ansible-galaxy install -r ansible-nginx-stigready-hardening/requirements.yml
+
+      # harden!
+      - name: HARDEN - Run Ansible hardening
+        run: ansible-playbook --inventory=nginx, --connection=docker ansible-nginx-stigready-hardening/hardening-playbook.yml
+
+      - name: VALIDATE - Run InSpec
+        # we dont want to stop if our InSpec run finds failures, we want to continue and record the result
+        continue-on-error: true                
+        run: |
+          inspec exec $PROFILE \
+          --input-file=$PROFILE/inputs-linux.yml \
+          --target docker://nginx \
+          --reporter cli json:results/pipeline_run.json
+
+      # attest
+      - name: VALIDATE - Apply an Attestation
+        run: |
+          saf attest apply -i results/pipeline_run.json attestation.json -o results/pipeline_run_attested.json
+
+      # save our results to the pipeline artifacts, even if the InSpec run found failing tests
+      - name: VALIDATE - Save Test Result JSON  
+        uses: actions/upload-artifact@v3
+        with:
+          path: results/pipeline_run_attested.json
+
+      # drop off the data with our dashboard
+      - name: VALIDATE - Upload to Heimdall
+        continue-on-error: true
+        run: |
+          curl -# -s -F data=@results/pipeline_run_attested.json -F "filename=${{ github.actor }}-pipeline-demo-${{ github.sha }}.json" -F "public=true" -F "evaluationTags=${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_API_KEY }}" "https://heimdall-demo.mitre.org/evaluations"
+
+      - name: VERIFY - Display our results summary 
+        run: |
+          saf view summary -i results/pipeline_run_attested.json
+      
+      # check if the pipeline passes our defined threshold
+      - name: VERIFY - Ensure the scan meets our results threshold           
+        run: |
+          saf validate threshold -i results/pipeline_run_attested.json -F threshold.yml
diff --git a/attestation.json b/attestation.json
@@ -0,0 +1,10 @@
+[
+    {
+        "control_id": "nginx-interview",
+        "explanation": "Interview determined that security policy is being followed.",
+        "frequency": "1d",
+        "status": "passed",
+        "updated": "3000-01-01",
+        "updated_by": "John Doe"
+    }
+]
diff --git a/my_nginx/controls/example.rb b/my_nginx/controls/example.rb
@@ -53,3 +53,13 @@
     end
   end
 end
+
+control 'nginx-interview' do
+  impact 1.0
+  title 'NGINX interview'
+  desc 'NGINX admins should have documentation on security procedures.'
+
+  describe "Manual Review" do
+    skip "This control must be manually reviewed."
+  end
+end
diff --git a/threshold.yml b/threshold.yml
@@ -0,0 +1,3 @@
+error:
+  total:
+    max: 0