{"id":19260503,"url":"https://github.com/mitre/inspec-scanning-integration-gitlab","last_synced_at":"2025-09-20T01:47:23.030Z","repository":{"id":146198756,"uuid":"560934312","full_name":"mitre/inspec-scanning-integration-gitlab","owner":"mitre","description":"Sample templates for Gitlab CI/CD pipelines for testing InSpec profiles.","archived":false,"fork":false,"pushed_at":"2022-11-07T16:29:52.000Z","size":7894,"stargazers_count":3,"open_issues_count":0,"forks_count":3,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-04-11T15:15:37.400Z","etag":null,"topics":["gitlab","gitlab-ci","inspec","mitre-corporation","mitre-saf","pipelines","security-automation-framework"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mitre.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-02T15:26:18.000Z","updated_at":"2024-07-23T16:23:21.000Z","dependencies_parsed_at":null,"dependency_job_id":"59bb455c-0274-425a-a04e-53b4ad0cc3d0","html_url":"https://github.com/mitre/inspec-scanning-integration-gitlab","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mitre/inspec-scanning-integration-gitlab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Finspec-scanning-integration-gitlab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Finspec-scanning-integration-gitlab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/mitre%2Finspec-scanning-integration-gitlab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Finspec-scanning-integration-gitlab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mitre","download_url":"https://codeload.github.com/mitre/inspec-scanning-integration-gitlab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Finspec-scanning-integration-gitlab/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276032858,"owners_count":25573468,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-19T02:00:09.700Z","response_time":108,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gitlab","gitlab-ci","inspec","mitre-corporation","mitre-saf","pipelines","security-automation-framework"],"created_at":"2024-11-09T19:21:22.276Z","updated_at":"2025-09-20T01:47:22.983Z","avatar_url":"https://github.com/mitre.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# InSpec Scanning Integration\n\nThis repository holds sample templates for running InSpec profiles in Gitlab CI pipelines. You can reference these templates in other projects' `.gitlab-ci.yml` files. 
For general information on Gitlab templates see the [documentation](https://docs.gitlab.com/ee/development/cicd/templates.html).\n\nThese templates were designed for _testing the InSpec profiles themselves_ against hardened and unhardened test systems (both containerized and cloud VM systems) to ensure they produce accurate scan results. They may serve as a jumping-off point for running InSpec in a Gitlab pipeline more generally.\n\n## Templates\n\nThe templates are located in the `./inspec-scanning-integration/templates` directory.\n\n### Check Template\n\nThe `check-template.yml` is a template that runs the `inspec check` command to verify that the InSpec profile is well-formed before it is executed.\n\n### Lint Template\n\nThe `lint-template.yml` is a template that lints the `/controls` directory's Ruby code.\n\n### Dependencies Template\n\nThe `dependencies.yml` is a template that consolidates all templates into one file that can be imported by other projects.\n\n## Invoking Templates - Example\n\nYou will need to [mirror this repository](https://docs.gitlab.com/ee/user/project/repository/mirror/) inside your own Gitlab instance to make it visible to your other projects.\n\nReference these templates in the `.gitlab-ci.yml` file in your InSpec profile repository. The `ref` may be a branch, a tag or a commit SHA; pointing it at a branch such as `main` means every push to the mirror changes the pipeline code your profile runs, so pin it to a tag or SHA when you want template changes to be reproducible and reviewed before they take effect.\n\n``` yaml\ninclude:\n  - project: project/path/to/inspec-scanning-integration\n    ref: \"main\" # branch name of this repo you want to include\n    file: templates/templates.yml\n\nstages:\n  - verify\n\nkitchen-exec-container:\n  extends: .ci:stage:kitchen-exec:inspec\n  variables: # overwrite default variables in the template if necessary\n    KITCHEN_LOCAL_YAML: \"kitchen.dokken.yml\"\n\nkitchen-exec-ec2:\n  extends: .ci:stage:kitchen-exec:inspec\n  variables:\n    KITCHEN_LOCAL_YAML: \"kitchen.ec2.yml\"\n\nverify:\n  extends: .ci:stage:saf:verify\n  dependencies:\n    - kitchen-exec-ec2\n    - kitchen-exec-container\n```\n\nThis Gitlab pipeline will use the templates to test your InSpec code against both containers and 
EC2 VMs.\n\n### Test Kitchen\n\nNote that InSpec is invoked by way of Progress Chef's [Test Kitchen](https://docs.chef.io/workstation/kitchen/). Your InSpec profile should have some YAML files for configuring Kitchen.\n\nEx. kitchen.dokken.yml:\n``` yaml\n---\nprovisioner:\n  name: dummy\n\nplatforms:\n  - name: rhel7\n\ndriver:\n  name: dokken\n  pull_platform_image: false\n\ntransport:\n  name: dokken\n\nverifier:\n  input_files:\n    - container.inputs.yml\n  reporter:\n    - cli\n    - json:reports/raw/container-%{suite}-%{platform}.json\n\nsuites:\n  - name: vanilla\n    driver:\n      image: \u003c%= ENV['VANILLA_CONTAINER_IMAGE'] %\u003e\n  - name: hardened\n    driver:\n      image: \u003c%= ENV['HARDENED_CONTAINER_IMAGE'] %\u003e\n\n```\n\nAnd kitchen.ec2.yml:\n``` yaml\n---\nplatforms:\n  - name: rhel-7\n\ndriver:\n  name: ec2\n  aws_ssh_key_id: \u003c%= ENV['AWS_SSH_KEY_ID'] %\u003e\n  user_data: ./user_data.sh\n  tags:\n    POC: \u003c%= ENV['POC_TAG'] %\u003e\n  security_group_ids: \u003c%= ENV['SECURITY_GROUP_IDS'] %\u003e\n  region: \u003c%= ENV['AWS_REGION'] %\u003e\n  subnet_id: \u003c%= ENV['SUBNET_ID'] %\u003e\n  instance_type: t2.large\n  associate_public_ip: true\n\ntransport:\n  name: ssh\n  username: \u003c%= ENV['AWS_EC2_USER'] %\u003e\n  ssh_key: \u003c%= ENV['AWS_EC2_SSH_KEY'] %\u003e\n  connection_timeout: 10\n  connection_retries: 5\n\nverifier:\n  input_files:\n    - ec2.inputs.yml\n  reporter:\n    - cli\n    - json:reports/raw/ec2-%{suite}-%{platform}.json\n\nlifecycle:\n  post_create:\n    - remote: |\n        sudo yum -y install python3-pip\n        sudo python3 -m pip install --upgrade pip\n\n  pre_converge:\n    - remote: |\n        echo \"NOTICE - Updating the ec2-user to keep sudo working\"\n        sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user\n        echo \"NOTICE - updating ec2-user sudo config\"\n        sudo chmod 600 /etc/sudoers \u0026\u0026 sudo sed -i'' \"/ec2-user/d\" /etc/sudoers \u0026\u0026 sudo chmod 400 
/etc/sudoers\n\nsuites:\n  - name: vanilla\n    driver:\n      image_id: \u003c%= ENV['AMI_ID'] %\u003e\n    provisioner:\n      name: ansible_playbook\n      playbook: test/ansible/rhel7STIG-ansible/vanilla.yml\n\n  - name: hardened\n    driver:\n      image_id: \u003c%= ENV['AMI_ID'] %\u003e\n    provisioner:\n      name: ansible_playbook\n      playbook: test/ansible/rhel7STIG-ansible/site.yml\n\n```\n\nIf Kitchen does not discover all of the config data it needs to execute in the file you specify, it will fill in the blanks using the default `kitchen.yml` file. So in the above case, where we want to run a pipeline that targets both containers and VMs, we would put variables that are common between both (such as the `verifier`, which is always going to be the InSpec profile we are trying to test) in a file called `kitchen.yml` that should also live at the root of your profile directory.\n\n``` yaml\ntransport:\n  name: ssh\n  max_ssh_sessions: 2\n\nverifier:\n  name: inspec\n  sudo: true\n  reporter:\n    - cli\n    - json:reports/raw/%{suite}-%{platform}.json\n  inspec_tests:\n    - name: RedHat Enterprise Linux 7 STIG\n      path: .\n  load_plugins: true\n\nprovisioner:\n  name: ansible_playbook\n  hosts: all\n  require_ansible_repo: true\n  require_chef_for_busser: false\n  require_ruby_for_busser: false\n  ansible_verbose: true\n  roles_path: test/ansible/rhel7STIG-ansible/roles\n\nsuites:\n  - name: vanilla\n  - name: hardened\n```\n\n### CI/CD Variables\n\nNote the Kitchen files include syntax to reference [CI/CD variables](https://docs.gitlab.com/ee/ci/variables/) set in the Gitlab repository settings (ex. `image_id: \u003c%= ENV['AMI_ID'] %\u003e`). CI/CD variables are copied over to the Gitlab runner as environment variables during pipeline execution. 
Ensure that data which should remain secret (*especially your AWS config*) is stored as CI/CD variables; do not commit it as code. Mark those variables as masked, so GitLab redacts their values from job logs, and as protected, so they are only handed to pipelines running on protected branches and tags. Because the ERB is evaluated on the runner, the rendered values are still present in the job environment: verbose Ansible output or a stray `env` in a job script can print them, so treat the job logs with the same care as the variables themselves.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitre%2Finspec-scanning-integration-gitlab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmitre%2Finspec-scanning-integration-gitlab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitre%2Finspec-scanning-integration-gitlab/lists"}
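One way to enforce the "do not commit secrets" rule from the CI/CD Variables section in the profile repository, as an added example that is not part of the mitre/inspec-scanning-integration-gitlab templates: a small Ruby script, usable as a pre-commit hook or as an extra pipeline job, that scans the Kitchen YAML for sensitive keys holding a committed literal instead of an `<%= ENV['...'] %>` reference, and for AWS access key IDs or PEM private-key material anywhere in the file. The list of sensitive keys (the ones the README routes through CI/CD variables, plus the AWS credential keys), the `kitchen*.yml` file names and the inline-comment handling are assumptions made for this example; the sample YAML it is exercised with below is constructed, not taken from the project.

```ruby
# frozen_string_literal: true
#
# check_kitchen_secrets.rb (example, not part of the MITRE templates):
# report Test Kitchen YAML that commits values which should come from
# GitLab CI/CD variables through ERB, e.g.
#   ssh_key: <%= ENV['AWS_EC2_SSH_KEY'] %>
# Works line by line so it does not depend on the ERB-laden YAML parsing.

# Policy assumption for this example: these keys must be ERB ENV references.
SENSITIVE_KEYS = %w[
  aws_access_key_id aws_secret_access_key aws_session_token
  aws_ssh_key_id ssh_key password image_id security_group_ids subnet_id
].freeze

# <%= ENV['NAME'] %> or <%= ENV.fetch('NAME') %>, optionally YAML-quoted.
ERB_ENV_REF = /\A["']?<%=\s*ENV(?:\[|\.fetch\()\s*['"][A-Z0-9_]+['"]\s*[\]\)]\s*%>["']?\z/
# "key: value" or "- key: value"; a key with nothing after the colon is a mapping, not a value.
KEY_VALUE   = /\A\s*(?:-\s+)?(\w+):\s+(\S.*?)\s*\z/
AWS_KEY_ID  = /\bAKIA[0-9A-Z]{16}\b/
PEM_HEADER  = /-----BEGIN [A-Z ]*PRIVATE KEY-----/

# Returns an array of { line:, key:, reason: } hashes; an empty array means clean.
def scan_kitchen_yaml(text)
  findings = []
  text.each_line.with_index(1) do |raw, n|
    line = raw.chomp
    next if line.lstrip.start_with?('#') # full-line comments are ignored

    findings << { line: n, key: nil, reason: 'AWS access key ID in file' } if AWS_KEY_ID.match?(line)
    findings << { line: n, key: nil, reason: 'private key material in file' } if PEM_HEADER.match?(line)

    m = KEY_VALUE.match(line)
    next unless m && SENSITIVE_KEYS.include?(m[1])
    next if ERB_ENV_REF.match?(m[2])

    findings << { line: n, key: m[1], reason: "literal value; use <%= ENV['...'] %>" }
  end
  findings
end

# Same findings for a file on disk.
def scan_kitchen_file(path)
  scan_kitchen_yaml(File.read(path))
end

# CLI: ruby check_kitchen_secrets.rb kitchen.yml kitchen.ec2.yml kitchen.dokken.yml
# Exits non-zero when anything is found, so it can gate a commit or a pipeline job.
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  total = ARGV.sum do |path|
    found = scan_kitchen_file(path)
    found.each { |f| warn "#{path}:#{f[:line]}: #{f[:key] || '-'}: #{f[:reason]}" }
    found.size
  end
  exit(total.zero? ? 0 : 1)
end
```

The check is deliberately line-based rather than `YAML.safe_load`-based: the ERB tags are only expanded by Kitchen, so a generic YAML parser may choke on some files, and a secret committed inside a `|` block scalar is still caught by the PEM and access-key patterns even though the key itself only carries `|`.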