https://github.com/ericcames/image.builder.pipeline
Automation pipeline for building CIS-compliant images via Red Hat Image Builder, scanning with OpenSCAP, and generating policy compliance data
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/ericcames/image.builder.pipeline
- Owner: ericcames
- License: mit
- Created: 2026-04-22T23:49:00.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2026-05-12T01:54:33.000Z (about 2 months ago)
- Last Synced: 2026-05-12T02:36:00.107Z (about 2 months ago)
- Language: Python
- Size: 101 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Roadmap: ROADMAP.md
README
# image.builder.pipeline
Automation pipeline for building CIS-compliant images via Red Hat Image Builder,
scanning with OpenSCAP, and generating structured policy compliance data for
[rego_policy_libraries](https://github.com/ynotbhatc/rego_policy_libraries).
## Overview
This pipeline automates three stages:
1. **Build** — trigger a CIS-hardened image compose via the Red Hat Image Builder API
2. **Scan** — deploy the image to AWS and extract OpenSCAP results
3. **Generate** — parse SCAP results into `data.json` policy data files
The output feeds directly into the `golden_images/` policy module in `rego_policy_libraries`,
populating approved baseline values, exempt controls, and compliance thresholds.
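The Generate stage above reads OpenSCAP's XCCDF results and turns them into the approved-baseline, exempt-control and threshold values that `golden_images/` consumes. The following is an added example of that transformation, not the project's own parser: it walks the `rule-result` elements of an XCCDF 1.2 `TestResult`, sorts rule ids by outcome, recomputes a pass percentage using a simplified default scoring model (pass over pass plus fail, every rule weighted equally), and checks it against the 95 gate quoted in the status table. The sample results document is constructed inline with shortened, non-real rule ids, and the `data.json` key layout is an assumption rather than the schema `rego_policy_libraries` expects.

```python
"""Parse an OpenSCAP XCCDF result file into a policy-data dictionary.

Added example, not the project's own parser. Assumptions: the data.json
layout below is hypothetical, the sample XCCDF results are constructed
inline, and the 95 gate is the threshold the README states for RHEL 9.
"""
import json
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SCORE_GATE = 95.0  # percentage gate from the README's status table

COUNTED = {"pass", "fail"}  # outcomes that contribute to the score
EXEMPT = {"notapplicable", "notselected", "notchecked", "informational"}

# Constructed sample: a minimal XCCDF TestResult in the shape oscap writes.
# Rule ids are shortened placeholders, not real CIS benchmark ids.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample"
              start-time="2026-05-01T00:00:00" end-time="2026-05-01T00:01:00">
    <profile idref="xccdf_example_profile_cis_server_l1"/>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_package_audit_installed">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_accounts_password_pam_minlen">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_partition_for_tmp">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_grub2_password">
      <result>notselected</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666667</score>
  </TestResult>
</Benchmark>
"""


def parse_xccdf_results(xml_text):
    """Return ({rule_id: outcome}, reported_score) from an XCCDF results doc."""
    root = ET.fromstring(xml_text)
    test_result = root.find(".//x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element found")
    results = {}
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        outcome = res.text.strip() if res is not None and res.text else "unknown"
        results[rr.get("idref")] = outcome
    reported = test_result.find("x:score", XCCDF_NS)
    reported_score = float(reported.text) if reported is not None else None
    return results, reported_score


def compute_score(results):
    """Simplified default scoring: percent of pass among pass+fail rules."""
    counted = [r for r in results.values() if r in COUNTED]
    if not counted:
        return 0.0
    return round(100.0 * counted.count("pass") / len(counted), 2)


def build_policy_data(xml_text, gate=SCORE_GATE):
    """Build the hypothetical data.json structure and evaluate the gate."""
    results, reported_score = parse_xccdf_results(xml_text)
    score = compute_score(results)
    return {
        "approved_baseline": sorted(k for k, v in results.items() if v == "pass"),
        "failed_controls": sorted(k for k, v in results.items() if v == "fail"),
        "exempt_controls": sorted(k for k, v in results.items() if v in EXEMPT),
        "compliance_threshold": gate,
        "score": score,
        "reported_score": reported_score,
        "gate_passed": score >= gate,
    }


if __name__ == "__main__":
    print(json.dumps(build_policy_data(SAMPLE_XCCDF), indent=2))
```

Recomputing the score alongside the value oscap reports is deliberate: if the two diverge on a real results file, the scoring model in the parser (weights, group rollup) does not match the one oscap used, and the gate decision should not be trusted until that is resolved.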
## Architecture
```
Red Hat Image Builder (console.redhat.com)
│
▼ AMI
AWS EC2 (temp instance)
│
▼ SCAP results (/root/openscap_data/)
OpenSCAP Parser
│
▼
data.json → rego_policy_libraries/golden_images/
```
## Supported Platforms
| Platform | CIS Benchmark | Status |
|----------|--------------|--------|
| RHEL 9 | CIS Level 1 Server | **Phase 1 — Complete** (score 98.07 / 95 gate — see [status](docs/cis-l1-rhel9-status.md)) |
| RHEL 8 | CIS Level 1 Server | Phase 2 |
| RHEL 10 | CIS Level 1 Server | Phase 2 — pending benchmark |
| Windows Server 2022 | CIS Level 1 | Phase 3 |
See [ROADMAP.md](ROADMAP.md) for full platform schedule and
[docs/cis-l1-rhel9-status.md](docs/cis-l1-rhel9-status.md) for the
latest RHEL 9 compliance snapshot.
## Prerequisites
- Red Hat account with Image Builder access (console.redhat.com)
- Red Hat offline token in `~/.ansible/ansible.cfg` under `[galaxy_server.rh_certified]` as `token=`
(same token used for Automation Hub — obtain from console.redhat.com → Automation Hub → Connect to Hub → API token)
- AWS credentials with EC2 permissions
- Ansible collections (installed via requirements.yml)
```bash
ansible-galaxy collection install -r collections/requirements.yml -p ./collections
```
## Quick Start
```bash
cp -r inventories/sample/ inventories/-/
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_DEFAULT_REGION=us-east-1
export AWS_ACCOUNT_ID=
# Full pipeline
ansible-playbook -i inventories/-/ playbooks/build_cis_image.yml
ansible-playbook -i inventories/-/ playbooks/deploy_and_scan.yml
ansible-playbook -i inventories/-/ playbooks/generate_policy_data.yml
```
## Output
Generated `data.json` files are written to `output//data.json` and
should be copied into the appropriate `golden_images/` path in `rego_policy_libraries`.
## Related Projects
- [rego_policy_libraries](https://github.com/ynotbhatc/rego_policy_libraries) — OPA policy library this pipeline feeds
- [aap.as.code](https://github.com/ericcames/aap.as.code) — AAP bootstrap and demo platform
## License
MIT — see [LICENSE](LICENSE)