{"id":50262740,"url":"https://github.com/ericcames/image.builder.pipeline","last_synced_at":"2026-05-27T11:40:52.203Z","repository":{"id":353221774,"uuid":"1218492061","full_name":"ericcames/image.builder.pipeline","owner":"ericcames","description":"Automation pipeline for building CIS-compliant images via Red Hat Image Builder, scanning with OpenSCAP, and generating policy compliance data","archived":false,"fork":false,"pushed_at":"2026-05-12T01:54:33.000Z","size":103,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-12T02:36:00.107Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ericcames.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-22T23:49:00.000Z","updated_at":"2026-05-12T01:54:35.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ericcames/image.builder.pipeline","commit_stats":null,"previous_names":["ericcames/image.builder.pipeline"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ericcames/image.builder.pipeline","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericcames%2Fimage.builder.pipeline","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericcames%2Fimage.builder.pipeline/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericcames%2Fimage.builder.pipeline/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericcames%2Fimage.builder.pipeline/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ericcames","download_url":"https://codeload.github.com/ericcames/image.builder.pipeline/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericcames%2Fimage.builder.pipeline/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33564850,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-27T02:00:06.184Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-27T11:40:49.593Z","updated_at":"2026-05-27T11:40:52.198Z","avatar_url":"https://github.com/ericcames.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# image.builder.pipeline\n\nAutomation pipeline for building CIS-compliant images via Red Hat Image Builder,\nscanning with OpenSCAP, and generating structured policy compliance data for\n[rego_policy_libraries](https://github.com/ynotbhatc/rego_policy_libraries).\n\n## Overview\n\nThis pipeline automates three stages:\n\n1. **Build** — trigger a CIS-hardened image compose via the Red Hat Image Builder API\n2. **Scan** — deploy the image to AWS and extract OpenSCAP results\n3. **Generate** — parse SCAP results into `data.json` policy data files\n\nThe output feeds directly into the `golden_images/` policy module in `rego_policy_libraries`,\npopulating approved baseline values, exempt controls, and compliance thresholds.\n\n## Architecture\n\n```\nRed Hat Image Builder (console.redhat.com)\n        │\n        ▼ AMI\n   AWS EC2 (temp instance)\n        │\n        ▼ SCAP results (/root/openscap_data/)\n   OpenSCAP Parser\n        │\n        ▼\n   data.json → rego_policy_libraries/golden_images/\n```\n\n## Supported Platforms\n\n| Platform | CIS Benchmark | Status |\n|----------|--------------|--------|\n| RHEL 9 | CIS Level 1 Server | **Phase 1 — Complete** (score 98.07 / 95 gate — see [status](docs/cis-l1-rhel9-status.md)) |\n| RHEL 8 | CIS Level 1 Server | Phase 2 |\n| RHEL 10 | CIS Level 1 Server | Phase 2 — pending benchmark |\n| Windows Server 2022 | CIS Level 1 | Phase 3 |\n\nSee [ROADMAP.md](ROADMAP.md) for full platform schedule and\n[docs/cis-l1-rhel9-status.md](docs/cis-l1-rhel9-status.md) for the\nlatest RHEL 9 compliance snapshot.\n\n## Prerequisites\n\n- Red Hat account with Image Builder access (console.redhat.com)\n- Red Hat offline token in `~/.ansible/ansible.cfg` under `[galaxy_server.rh_certified]` as `token=`\n  (same token used for Automation Hub — obtain from console.redhat.com → Automation Hub → Connect to Hub → API token)\n- AWS credentials with EC2 permissions\n- Ansible collections (installed via requirements.yml)\n\n```bash\nansible-galaxy collection install -r collections/requirements.yml -p ./collections\n```\n\n## Quick Start\n\n```bash\ncp -r inventories/sample/ inventories/\u003ccustomer\u003e-\u003cplatform\u003e/\n\nexport AWS_ACCESS_KEY_ID=\u003ckey\u003e\nexport AWS_SECRET_ACCESS_KEY=\u003csecret\u003e\nexport AWS_DEFAULT_REGION=us-east-1\nexport AWS_ACCOUNT_ID=\u003cyour_aws_account_id\u003e\n\n# Full pipeline\nansible-playbook -i inventories/\u003ccustomer\u003e-\u003cplatform\u003e/ playbooks/build_cis_image.yml\nansible-playbook -i inventories/\u003ccustomer\u003e-\u003cplatform\u003e/ playbooks/deploy_and_scan.yml\nansible-playbook -i inventories/\u003ccustomer\u003e-\u003cplatform\u003e/ playbooks/generate_policy_data.yml\n```\n\n## Output\n\nGenerated `data.json` files are written to `output/\u003cplatform\u003e/data.json` and\nshould be copied into the appropriate `golden_images/` path in `rego_policy_libraries`.\n\n## Related Projects\n\n- [rego_policy_libraries](https://github.com/ynotbhatc/rego_policy_libraries) — OPA policy library this pipeline feeds\n- [aap.as.code](https://github.com/ericcames/aap.as.code) — AAP bootstrap and demo platform\n\n## License\n\nMIT — see [LICENSE](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fericcames%2Fimage.builder.pipeline","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fericcames%2Fimage.builder.pipeline","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fericcames%2Fimage.builder.pipeline/lists"}