M365 Profile Control Files #31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test the CIS M365 Profile | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| validate: | |
| name: Validate my profile | |
| runs-on: ubuntu-latest | |
| env: | |
| CHEF_LICENSE: accept-silent | |
| CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} | |
| PLATFORM: "m365" | |
| LC_ALL: "en_US.UTF-8" | |
| steps: | |
| - name: Add needed packages | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get -y install jq | |
| - name: Check out repository | |
| uses: actions/checkout@v4 | |
| - name: Set short git commit SHA | |
| id: vars | |
| run: | | |
| calculatedSha=$(git rev-parse --short ${{ github.sha }}) | |
| echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV | |
| - name: Confirm git commit SHA output | |
| run: echo ${{ env.COMMIT_SHORT_SHA }} | |
| - name: Setup Ruby | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: "3.1" | |
| - name: Disable ri and rdoc | |
| run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' | |
| - name: Run Bundle Install | |
| run: bundle install | |
| - name: Check Inspec version | |
| run: bundle exec inspec version | |
| - name: Vendor the Profile | |
| run: bundle exec inspec vendor . --overwrite | |
| - name: Collect certificate file | |
| env: | |
| AUTH: ${{ secrets.SAF_M365_CERTIFICATE }} | |
| run: | | |
| echo "$AUTH" | base64 --decode > cert.pfx | |
| chmod 0400 cert.pfx | |
| - name: Run Inspec test | |
| continue-on-error: true | |
| run: | | |
| bundle exec inspec exec . \ | |
| --input client_id=${{secrets.SAF_M365_CLIENT_ID}} tenant_id=${{secrets.SAF_M365_TENANT_ID}} client_secret=${{secrets.SAF_M365_CLIENT_SECRET}} certificate_path=cert.pfx certificate_password=${{secrets.SAF_M365_CERTIFICATE_PASSWORD}} organization=${{secrets.SAF_M365_ORGANIZATION}} \ | |
| --controls=microsoft-365-foundations-1.3.1 \ | |
| --input-file=inputs.yml \ | |
| --enhanced-outcomes \ | |
| --reporter json:${{ env.PLATFORM }}-results.json | |
| - name: View results summary | |
| continue-on-error: true | |
| uses: mitre/[email protected] | |
| with: | |
| command_string: "view summary -j -i ${{ env.PLATFORM }}-results.json -o ${{ env.PLATFORM }}-summary.json" | |
| - name: Upload to Heimdall | |
| continue-on-error: true | |
| run: | | |
| curl -# -s -F data=@${{ env.PLATFORM }}-results.json -F "filename=${{ env.PLATFORM }}_${{ env.COMMIT_SHORT_SHA }}.json" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations" | |
| - name: Generate Markdown Summary | |
| continue-on-error: true | |
| id: generate-summary | |
| run: | | |
| python markdown-summary.py ${{ env.PLATFORM }}-summary.json > ${{ env.PLATFORM }}-markdown-summary.md | |
| cat ${{ env.PLATFORM }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY | |
| - name: Ensure the scan meets our results threshold | |
| uses: mitre/[email protected] | |
| with: | |
| command_string: "validate threshold -i ${{ env.PLATFORM }}-results.json -F threshold.yml" | |
| - name: Save Files from the Workflow | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.COMMIT_SHORT_SHA }}-artifacts | |
| path: | | |
| ./*.json |