

Merge pull request #319 from ansible-lockdown/precommit
Precommit
uk-bolly authored Sep 13, 2023
2 parents d2cb6c9 + 4fe5b3e commit 9e820c6
Showing 10 changed files with 288 additions and 83 deletions.
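--- a/.config/.gitleaks-report.json
+++ b/.config/.gitleaks-report.json
@@ -0,0 +1 @@
+[]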
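--- a/.config/.secrets.baseline
+++ b/.config/.secrets.baseline
@@ -0,0 +1,182 @@
+{
+"version": "1.4.0",
+"plugins_used": [
+{
+"name": "ArtifactoryDetector"
+},
+{
+"name": "AWSKeyDetector"
+},
+{
+"name": "AzureStorageKeyDetector"
+},
+{
+"name": "Base64HighEntropyString",
+"limit": 4.5
+},
+{
+"name": "BasicAuthDetector"
+},
+{
+"name": "CloudantDetector"
+},
+{
+"name": "DiscordBotTokenDetector"
+},
+{
+"name": "GitHubTokenDetector"
+},
+{
+"name": "HexHighEntropyString",
+"limit": 3.0
+},
+{
+"name": "IbmCloudIamDetector"
+},
+{
+"name": "IbmCosHmacDetector"
+},
+{
+"name": "JwtTokenDetector"
+},
+{
+"name": "KeywordDetector",
+"keyword_exclude": ""
+},
+{
+"name": "MailchimpDetector"
+},
+{
+"name": "NpmDetector"
+},
+{
+"name": "PrivateKeyDetector"
+},
+{
+"name": "SendGridDetector"
+},
+{
+"name": "SlackDetector"
+},
+{
+"name": "SoftlayerDetector"
+},
+{
+"name": "SquareOAuthDetector"
+},
+{
+"name": "StripeDetector"
+},
+{
+"name": "TwilioKeyDetector"
+}
+],
+"filters_used": [
+{
+"path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+},
+{
+"path": "detect_secrets.filters.common.is_baseline_file",
+"filename": ".config/.secrets.baseline"
+},
+{
+"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+"min_level": 2
+},
+{
+"path": "detect_secrets.filters.heuristic.is_indirect_reference"
+},
+{
+"path": "detect_secrets.filters.heuristic.is_likely_id_string"
+},
+{
+"path": "detect_secrets.filters.heuristic.is_lock_file"
+},
+{
+"path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+},
+{
+"path": "detect_secrets.filters.heuristic.is_potential_uuid"
+},
+{
+"path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+},
+{
+"path": "detect_secrets.filters.heuristic.is_sequential_string"
+},
+{
+"path": "detect_secrets.filters.heuristic.is_swagger_file"
+},
+{
+"path": "detect_secrets.filters.heuristic.is_templated_secret"
+},
+{
+"path": "detect_secrets.filters.regex.should_exclude_file",
+"pattern": [
+".config/.gitleaks-report.json"
+]
+}
+],
+"results": {
+"defaults/main.yml": [
+{
+"type": "Secret Keyword",
+"filename": "defaults/main.yml",
+"hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
+"is_verified": false,
+"line_number": 382,
+"is_secret": false
+}
+],
+"tasks/main.yml": [
+{
+"type": "Secret Keyword",
+"filename": "tasks/main.yml",
+"hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
+"is_verified": false,
+"line_number": 22,
+"is_secret": false
+}
+],
+"tasks/parse_etc_password.yml": [
+{
+"type": "Secret Keyword",
+"filename": "tasks/parse_etc_password.yml",
+"hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
+"is_verified": false,
+"line_number": 18
+}
+],
+"vars/CentOS.yml": [
+{
+"type": "Hex High Entropy String",
+"filename": "vars/CentOS.yml",
+"hashed_secret": "2baa4bd2c505f21a0e48d6c17a174a0c8b6f3c3b",
+"is_verified": false,
+"line_number": 6,
+"is_secret": false
+}
+],
+"vars/OracleLinux.yml": [
+{
+"type": "Hex High Entropy String",
+"filename": "vars/OracleLinux.yml",
+"hashed_secret": "260c8f0806148cd568435cd3d7647f43150efdbb",
+"is_verified": false,
+"line_number": 9,
+"is_secret": false
+}
+],
+"vars/is_container.yml": [
+{
+"type": "Secret Keyword",
+"filename": "vars/is_container.yml",
+"hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
+"is_verified": false,
+"line_number": 377,
+"is_secret": false
+}
+]
+},
+"generated_at": "2023-09-13T08:05:26Z"
+}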
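Review bot: The `tasks/parse_etc_password.yml` result (line 18) carries no `is_secret` key, unlike the other five entries, which means that finding was never audited — yet the baseline suppresses it all the same, so an unreviewed match is being silenced by default. Run `detect-secrets audit .config/.secrets.baseline` and record the verdict (`"is_secret": false` if it is just the `password` keyword in the /etc/passwd parsing task, as the filename suggests) so reviewed and unreviewed findings stay distinguishable. The same hash `b92ce9d4…` is listed three times (defaults/main.yml, tasks/main.yml, vars/is_container.yml), consistent with one repeated keyword rather than three distinct values, so the three verdicts should at least agree. Because anyone can silence a real leak by adding an entry here, changes to this file deserve a second pair of eyes; a CODEOWNERS rule on `.config/` is a cheap way to enforce that.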
32 changes: 0 additions & 32 deletions .github/ISSUE_TEMPLATE/bug_report.md

This file was deleted.

21 changes: 0 additions & 21 deletions .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md

This file was deleted.

17 changes: 0 additions & 17 deletions .github/ISSUE_TEMPLATE/question.md

This file was deleted.

12 changes: 0 additions & 12 deletions .github/pull_request_template.md

This file was deleted.

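--- a/.github/workflows/update_galaxy.yml
+++ b/.github/workflows/update_galaxy.yml
@@ -0,0 +1,21 @@
+---
+
+# This is a basic workflow to help you get started with Actions
+
+name: update galaxy
+
+# Controls when the action will run.
+# Triggers the workflow on merge request events to the main branch
+on:
+push:
+branches:
+- main
+jobs:
+update_role:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- uses: robertdebock/galaxy-action@master
+with:
+galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
+git_branch: main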
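Review bot: `robertdebock/galaxy-action@master` on the second step runs third-party code from a mutable branch while holding `GALAXY_API_KEY`, so a compromised or force-pushed upstream could read the key and publish under this role's name; pin it to a full commit SHA, e.g. `uses: robertdebock/galaxy-action@<40-char-sha>  # vX.Y.Z`, and consider the same for `actions/checkout@v3`. The workflow also declares no `permissions:` block, so the job's GITHUB_TOKEN inherits the repository default; a job-level `permissions: { contents: read }` should be all a checkout-and-publish job needs. The header comment says the workflow fires on "merge request events", but the `on:` block triggers on every push to `main`, so it should read `# Runs on every push to main (which includes merged PRs)`.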
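--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,67 @@
+---
+##### CI for use by github no need for action to be added
+##### Inherited
+ci:
+autofix_prs: false
+skip: [detect-aws-credentials, ansible-lint ]
+
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+rev: v3.2.0
+hooks:
+# Safety
+- id: detect-aws-credentials
+- id: detect-private-key
+
+# git checks
+- id: check-merge-conflict
+- id: check-added-large-files
+- id: check-case-conflict
+
+# General checks
+- id: trailing-whitespace
+name: Trim Trailing Whitespace
+description: This hook trims trailing whitespace.
+entry: trailing-whitespace-fixer
+language: python
+types: [text]
+args: [--markdown-linebreak-ext=md]
+- id: end-of-file-fixer
+
+# Scan for passwords
+- repo: https://github.com/Yelp/detect-secrets
+rev: v1.4.0
+hooks:
+- id: detect-secrets
+args: [ '--baseline', '.config/.secrets.baseline' ]
+exclude: .config/.gitleaks-report.json
+
+- repo: https://github.com/gitleaks/gitleaks
+rev: v8.17.0
+hooks:
+- id: gitleaks
+args: ['--baseline-path', '.config/.gitleaks-report.json']
+
+- repo: https://github.com/ansible-community/ansible-lint
+rev: v6.17.2
+hooks:
+- id: ansible-lint
+name: Ansible-lint
+description: This hook runs ansible-lint.
+entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint
+language: python
+# do not pass files to ansible-lint, see:
+# https://github.com/ansible/ansible-lint/issues/611
+pass_filenames: false
+always_run: true
+additional_dependencies:
+# https://github.com/pre-commit/pre-commit/issues/1526
+# If you want to use specific version of ansible-core or ansible, feel
+# free to override `additional_dependencies` in your own hook config
+# file.
+- ansible-core>=2.10.1
+
+- repo: https://github.com/adrienverge/yamllint.git
+rev: v1.32.0 # or higher tag
+hooks:
+- id: yamllint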
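Review bot: `skip: [detect-aws-credentials, ansible-lint ]` under `ci:` turns the AWS credential check off on pre-commit.ci, so server-side the only secret scanners are detect-secrets and gitleaks and `detect-aws-credentials` runs solely for contributors who installed the hooks locally; if the skip is because that hook compares against `~/.aws/credentials` and has nothing to read in CI, say so in a comment (`# detect-aws-credentials needs local AWS creds to compare against; no-op on pre-commit.ci`) rather than leaving the gap silent. The `exclude: .config/.gitleaks-report.json` value on the detect-secrets hook is a regex, so the unescaped dots match any character and the pattern is unanchored; `exclude: ^\.config/\.gitleaks-report\.json$` limits it to the one file. `rev: v3.2.0` for pre-commit-hooks predates that project's v4 line while the other repos are pinned to 2023 releases; bumping it now, while the config is fresh, is cheaper than later.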
16 changes: 16 additions & 0 deletions README.md
Expand Up @@ -153,6 +153,22 @@ uses:
- runs the audit using the devel branch
- This is an automated test that occurs on pull requests into devel

## Local Testing

- Ansible

- ansible-base 2.10.17 - python 3.8
- ansible-core 2.13.4 - python 3.10
- ansible-core 2.15.1 - python 3.11

## Added Extras

- [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory

```sh
pre-commit run
```

## Credits

This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig)
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.3.x.yml
Expand Up @@ -30,7 +30,7 @@
- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked | cron"
ansible.builtin.cron:
name: Run AIDE integrity check
file: "{{ rhel7cis_aide_cron['cron_file'] }}"
cron_file: "{{ rhel7cis_aide_cron['cron_file'] }}"
user: "{{ rhel7cis_aide_cron['cron_user'] }}"
minute: "{{ rhel7cis_aide_cron['aide_minute'] | default('0') }}"
hour: "{{ rhel7cis_aide_cron['aide_hour'] | default('5') }}"
