This is my DevOps Repo.
This serves as my Playground, Portfolio, Research-Notebook, Cheat-Sheet and Guide.
This is the pull request, but I closed it.
Action Settings
Action Permissions
Workflow Permission
Add our checkov workflow
- checkov is currently failing on its own job due to permissions
- this will be fixed, so check out my and my related issue
`junitxml` is used as our test result format.
`if: always()` is set on the publishing steps so the test results are published even if the tests fail.

```yaml
name: checkov
on:
  push:
    branches: [ "main", "development" ]
  pull_request:
    branches: [ "main", "development" ]
  workflow_dispatch:
#permissions:
#  contents: read
#  actions: read
#  checks: write
#  packages: write
permissions: write-all # required permissions for commenting via API call
jobs:
  checkov_scan_and_upload_results: # this is the name of the status check that we will use in our branch rule
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Get Start time
        id: starttime
        if: always()
        run: |
          start=$(date +%s)
          echo "$start" > start_time.txt # I couldn't save the start time as an env variable, so I write it to a file and read it back later
      - name: Setup Python
        uses: actions/setup-python@v2
        with:
          python-version: '3.x'
      - name: Install dependencies # install the dependencies (you could also use a preinstalled docker container)
        run: |
          pip install checkov
          pip install gitpython
      - name: Run Checkov scan # we run our scan and output to xml
        run: |
          checkov --directory . -o junitxml > checkov_results.xml
      - name: Calculate Execution Time and Update JUnit XML # we calculate the duration and update the xml using a sed regex
        if: always()
        run: |
          END_TIME=$(date +%s)
          echo "endtime is: $END_TIME"
          read -r START_TIME < start_time.txt
          echo "starttime is: $START_TIME"
          START_TIMER=$((START_TIME)) # force START_TIME to an integer (both timestamps are in seconds)
          EXECUTION_TIME=$(( END_TIME - START_TIMER )) # duration in seconds, the unit the JUnit time attribute expects
          echo "runtime is: $EXECUTION_TIME"
          sed -i "s/time=\"0\"/time=\"$EXECUTION_TIME\"/" checkov_results.xml
      - name: Publish Test Results # publish the results
        uses: EnricoMi/publish-unit-test-result-action@v2
        if: always()
        with:
          files: checkov_results.xml
      - name: Display Directory Contents and File Content # this is just for testing the job
        if: always()
        run: |
          echo "Listing directory contents:"
          ls -la
          echo "Displaying checkov_results.xml:"
          cat ./checkov_results.xml
```
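As an added example (not part of this repo's workflow), here is an XML-aware replacement for the sed-based "Calculate Execution Time and Update JUnit XML" step: it reads the epoch seconds the "Get Start time" step wrote to `start_time.txt`, computes the duration, and sets the `time` attribute only on elements that still carry the placeholder `0`, so a report that already has real timings is left alone. The script name `patch_time.py` and the sample report are assumptions; the XML is constructed and not real checkov output.

```python
"""Added example (not the repo's own code): XML-aware replacement for the sed-based
'Calculate Execution Time and Update JUnit XML' step in the checkov workflow."""
import sys
import time
import xml.etree.ElementTree as ET

# Constructed sample of a junitxml report (shape only, not real checkov output).
SAMPLE_XML = """<testsuites>
  <testsuite name="terraform scan" tests="2" failures="1" time="0">
    <testcase name="example check A" classname="main.tf"/>
    <testcase name="example check B" classname="main.tf"/>
  </testsuite>
</testsuites>"""

def read_start_time(text: str) -> int:
    """Parse the epoch seconds the 'Get Start time' step wrote with `date +%s`."""
    value = text.strip()
    if not value.isdigit():
        raise ValueError(f"start_time.txt does not hold an epoch timestamp: {value!r}")
    return int(value)

def execution_time(start: int, end: int) -> int:
    """Duration in whole seconds, the unit the JUnit time attribute expects."""
    if end < start:
        raise ValueError("end time precedes start time; check clocks or start_time.txt")
    return end - start

def patch_junit_time(xml_text: str, seconds: int) -> str:
    """Set time=... only where the placeholder 0 is still present (suites and root)."""
    root = ET.fromstring(xml_text)
    for suite in root.iter("testsuite"):
        if suite.get("time", "0") in ("0", "0.0"):
            suite.set("time", str(seconds))
    if root.tag == "testsuites" and root.get("time", "0") in ("0", "0.0"):
        root.set("time", str(seconds))
    return ET.tostring(root, encoding="unicode")

def main(xml_path: str, start_path: str) -> int:
    """Patch the report in place; usage: python patch_time.py checkov_results.xml start_time.txt"""
    with open(start_path, encoding="utf-8") as fh:
        duration = execution_time(read_start_time(fh.read()), int(time.time()))
    with open(xml_path, encoding="utf-8") as fh:
        patched = patch_junit_time(fh.read(), duration)
    with open(xml_path, "w", encoding="utf-8") as fh:
        fh.write(patched)
    return duration

if __name__ == "__main__":
    print("runtime is:", main(*sys.argv[1:3]))
```

In the workflow this would replace the `sed -i` line with `python patch_time.py checkov_results.xml start_time.txt`, run under the same `if: always()`.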
Add a branch rule for required status checks: add `checkov_scan_and_upload_results` to the status checks that are required.
That's it, you made it through the tutorial! Happy DevOpsing <3