Compliance as Code

Compliance as code means, as the name implies, expressing a set of compliance controls as code that can be versioned, reviewed and executed automatically rather than checked by hand. To achieve this I have used the InSpec tool. Instead of writing the controls myself, I have used a premade compliance profile written by the community: the dev-sec linux-baseline, which checks my infrastructure against CIS-style Linux hardening controls. The profile is run from a GitHub Actions workflow against the target host over SSH, so every push produces a fresh compliance result, and because InSpec exits non-zero when any control fails, a failing control fails the job.

GitHub Actions

name: Compliance as code

on:
  push:

jobs:
  compliance-check:
    runs-on: ubuntu-latest
    steps:
    - name: Install InSpec
      run: |
        # Piping an installer from the network into a root shell installs whatever
        # is current; pass "-v <version>" to the script to pin a release instead.
        curl -fsSL https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
        inspec version
    - name: Run the dev-sec linux-baseline against the target host
      run: |
        # Write the private key from the repository secret; ssh refuses keys
        # that are readable by others, hence 0600.
        echo "$SSH_KEY" > pentest_key
        chmod 600 pentest_key
        # --key-files points at the key written above. inspec exec returns a
        # non-zero exit code when any control fails, which fails this job; the
        # JSON reporter keeps the per-control results next to the CLI output.
        # A dedicated scan user with --sudo is preferable to a root key in CI.
        inspec exec https://github.com/dev-sec/linux-baseline \
          --key-files pentest_key \
          --target ssh://root@$IP \
          --chef-license accept \
          --reporter cli json:inspec.json
      env:
        SSH_KEY: ${{ secrets.KEY }}
        IP: ${{ secrets.IP }}
    - name: Remove the key material
      if: always()
      run: rm -f pentest_key
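The workflow relies on InSpec's exit code to fail the job, which blocks on any failed control regardless of its impact. When you want a more granular gate (for example, block only on high-impact failures while still recording the low-impact ones), InSpec's JSON reporter (`--reporter json:inspec.json`) gives you per-control results to evaluate. The script below is an added example, not code from the original page or from the dev-sec project: it reads such a report, classifies each control as passed, failed or skipped the way InSpec does (any failed result fails the control), and returns a non-zero exit code when a failed control's impact meets a threshold. The report embedded in it is constructed for illustration; the `summarize`, `gate` and `main` names and the 0.7 default threshold are my own choices.

```python
"""Gate a CI job on an InSpec JSON report.

Added example; not code from the original page or the dev-sec project.
Assumes the scan was run with InSpec's JSON reporter
(`inspec exec ... --reporter cli json:inspec.json`) and that the report
uses the reporter's profiles -> controls -> results layout. The function
names and the default impact threshold are this example's own choices.
"""
import json
import sys

# Constructed sample report (not real scan output). Four controls:
#   ctl-01 passes, ctl-02 has one failed result at high impact,
#   ctl-03 fails at low impact, ctl-04 is skipped.
SAMPLE_REPORT = json.dumps({
    "profiles": [{
        "name": "sample-baseline",
        "controls": [
            {"id": "ctl-01", "impact": 1.0, "title": "No rhosts-style trust files",
             "results": [{"status": "passed",
                          "code_desc": "File /etc/hosts.equiv is expected not to exist"}]},
            {"id": "ctl-02", "impact": 1.0, "title": "sshd must not permit root login",
             "results": [{"status": "passed",
                          "code_desc": "File /etc/ssh/sshd_config is expected to exist"},
                         {"status": "failed",
                          "code_desc": "PermitRootLogin is expected to eq \"no\"",
                          "message": "expected: \"no\" got: \"yes\""}]},
            {"id": "ctl-03", "impact": 0.3, "title": "MOTD banner configured",
             "results": [{"status": "failed",
                          "code_desc": "File /etc/motd is expected to exist",
                          "message": "expected File /etc/motd to exist"}]},
            {"id": "ctl-04", "impact": 0.5, "title": "Kernel module blacklist",
             "results": [{"status": "skipped",
                          "code_desc": "Operating System Detection",
                          "skip_message": "not applicable on this platform"}]},
        ],
    }],
})


def summarize(report_json, impact_threshold=0.7):
    """Classify every control in the report and pick out the blocking ones.

    A control with any failed result is failed (InSpec's own rule); one
    whose results are all skipped, or that has no results, is skipped.
    Failed controls whose impact is >= impact_threshold are blocking.
    """
    report = json.loads(report_json)
    summary = {"passed": [], "failed": [], "skipped": [], "blocking": []}
    for profile in report.get("profiles", []):
        for control in profile.get("controls", []):
            results = control.get("results", [])
            statuses = {r.get("status") for r in results}
            entry = {
                "profile": profile.get("name", "?"),
                "id": control.get("id", "?"),
                "impact": float(control.get("impact", 0.0)),
                "title": control.get("title") or "",
                # Failure detail as InSpec reports it: the message, or the
                # test description when no message was recorded.
                "messages": [r.get("message") or r.get("code_desc", "")
                             for r in results if r.get("status") == "failed"],
            }
            if "failed" in statuses:
                summary["failed"].append(entry)
                if entry["impact"] >= impact_threshold:
                    summary["blocking"].append(entry)
            elif "passed" in statuses:
                summary["passed"].append(entry)
            else:
                summary["skipped"].append(entry)
    return summary


def gate(report_json, impact_threshold=0.7):
    """Exit code for the CI step: 1 when any blocking control exists, else 0."""
    return 1 if summarize(report_json, impact_threshold)["blocking"] else 0


def main(argv=None):
    """Usage: python inspec_gate.py inspec.json [impact-threshold]"""
    argv = sys.argv[1:] if argv is None else argv
    threshold = float(argv[1]) if len(argv) > 1 else 0.7
    if argv:
        with open(argv[0], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = sys.stdin.read()
    summary = summarize(text, threshold)
    for c in summary["failed"]:
        tag = "BLOCK" if c["impact"] >= threshold else "warn"
        print(f"[{tag}] {c['profile']}/{c['id']} (impact {c['impact']:.1f}) {c['title']}")
        for msg in c["messages"]:
            print(f"        {msg}")
    print(f"passed={len(summary['passed'])} failed={len(summary['failed'])} "
          f"skipped={len(summary['skipped'])} blocking={len(summary['blocking'])}")
    return 1 if summary["blocking"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a step after the scan (`python inspec_gate.py inspec.json 0.7`); with the constructed report it prints ctl-02 as blocking and ctl-03 as a warning and exits 1. Lowering the threshold to 0.3 makes ctl-03 blocking too; raising it above 1.0 turns the step into a report-only job. Skipped controls are counted but never block, so a profile that cannot detect the platform will not pass silently as if everything were green.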

References

  1. https://github.com/dev-sec/linux-baseline
  2. https://docs.chef.io/inspec/install/