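# GitHub Actions CI/CD Pipeline with OPA Policy Validation
name: OPA Policy Validation

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: the jobs below only check out the
# repository and upload artifacts (artifact upload needs no extra scope).
# Without this the token gets the repository's default grant, which may be
# read/write on every scope. A job that needs more must declare it itself.
permissions:
  contents: read

# Explicit bash so every `run:` script gets `-e -o pipefail`. The implicit
# default shell is `bash -e` without pipefail, which hides a failing command
# on the left of a pipe (e.g. the jq | awk coverage check).
defaults:
  run:
    shell: bash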
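jobs:
  # Test OPA policies with unit tests
  test-policies:
    name: Test OPA Policies
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` here is pinned to a floating major tag.
      # For supply-chain hardening pin each action to a full commit SHA
      # (keep the tag in a trailing comment) and let Dependabot move the pin.
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Setup OPA
        uses: open-policy-agent/setup-opa@v2
        with:
          # "latest" is resolved at run time: runs are not reproducible and
          # silently pick up new OPA releases. Pin a release once stable.
          version: latest

      - name: Run Policy Tests
        run: |
          # --coverage switches the output to the coverage report, so run the
          # plain test pass first: test failures are then reported normally
          # and fail the job before coverage is measured.
          opa test policies/ --verbose
          opa test policies/ --coverage --format=json > coverage.json

      - name: Check Coverage Threshold
        run: |
          set -o pipefail
          # `.coverage` is the overall percentage; int() truncates (79.9 -> 79),
          # so the threshold is "at least 80" after truncation.
          COVERAGE=$(jq -r '.coverage' coverage.json | awk '{print int($1)}')
          if [ "$COVERAGE" -lt 80 ]; then
            echo "Coverage $COVERAGE% is below threshold 80%"
            exit 1
          fi
          echo "Coverage: $COVERAGE%"

  # Validate Kubernetes manifests
  validate-kubernetes:
    name: Validate Kubernetes Configs
    runs-on: ubuntu-latest
    needs: test-policies
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Setup OPA
        uses: open-policy-agent/setup-opa@v2

      - name: Validate Kubernetes Manifests
        run: |
          # globstar: without it `**` is just `*`, so manifests in nested
          # directories under k8s/ were silently skipped (never validated).
          # nullglob: an unmatched pattern must not reach opa as a literal path.
          shopt -s globstar nullglob
          manifests=(k8s/**/*.yaml)
          if [ "${#manifests[@]}" -eq 0 ]; then
            echo "::warning::No manifests matched k8s/**/*.yaml; nothing was validated"
          fi
          for file in "${manifests[@]}"; do
            echo "Validating $file"
            # --fail-defined exits non-zero when the deny set is non-empty (or
            # on error). The former `[ -s violations.txt ]` test was wrong: the
            # pretty printer writes `[]` / `undefined` for an empty result, so
            # the file was never empty and every run failed.
            # NOTE(review): --input reads a single document; multi-document
            # manifests (`---` separated) need to be split first.
            if ! opa eval --fail-defined --data policies/ --input "$file" \
                --format pretty 'data.kubernetes.admission.deny' > violations.txt; then
              echo "Policy violations found in $file:"
              cat violations.txt
              exit 1
            fi
          done

      - name: Generate Validation Report
        if: always()
        # NOTE(review): this job only ever writes violations.txt (pretty
        # format), never violations.json -- confirm what generate_report.py
        # expects, or add a `--format json` eval that writes violations.json.
        run: |
          ./scripts/generate_report.py \
            --policy policies/ \
            --audit-logs violations.json \
            --format html \
            --output validation-report.html

      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: validation-report
          path: validation-report.html

  # Validate Terraform configurations
  validate-terraform:
    name: Validate Terraform Configs
    runs-on: ubuntu-latest
    needs: test-policies
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2

      - name: Setup OPA
        uses: open-policy-agent/setup-opa@v2

      - name: Terraform Init
        run: terraform init

      - name: Generate Terraform Plan
        run: |
          terraform plan -out=tfplan.binary
          # The JSON plan can contain resolved sensitive values; it is consumed
          # only by the next step and must not be uploaded as an artifact.
          terraform show -json tfplan.binary > tfplan.json

      - name: Validate with OPA
        run: |
          # --fail-defined replaces the `[ -s file ]` test, which always fired
          # because the pretty output of an empty deny set is `[]`, not an
          # empty file. The output is pretty text, hence the .txt name.
          if ! opa eval --fail-defined --data policies/terraform/ --input tfplan.json \
              --format pretty 'data.terraform.security.deny' > terraform-violations.txt; then
            echo "Terraform policy violations detected:"
            cat terraform-violations.txt
            exit 1
          fi

  # Compliance validation for production
  compliance-check:
    name: Compliance Validation
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    needs: [validate-kubernetes, validate-terraform]
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Setup OPA
        uses: open-policy-agent/setup-opa@v2

      # NOTE(review): `--input deployments/` names a directory, but opa eval's
      # --input takes a single JSON/YAML file -- confirm the path, or iterate
      # per file as validate-kubernetes does. Applies to the three checks below.
      - name: SOC2 Compliance Check
        run: |
          opa eval --data policies/compliance/soc2-compliance.rego \
            --input deployments/ \
            --format json 'data.compliance.soc2.deny' \
            > soc2-violations.json

      - name: PCI-DSS Compliance Check
        run: |
          opa eval --data policies/compliance/pci-dss-compliance.rego \
            --input deployments/ \
            --format json 'data.compliance.pci.deny' \
            > pci-violations.json

      - name: GDPR Compliance Check
        run: |
          opa eval --data policies/compliance/gdpr-compliance.rego \
            --input deployments/ \
            --format json 'data.compliance.gdpr.deny' \
            > gdpr-violations.json

      - name: Generate Compliance Report
        # NOTE(review): only the SOC2 results are passed; if generate_report.py
        # accepts several --audit-logs, the PCI and GDPR files should be too.
        run: |
          ./scripts/generate_report.py \
            --policy policies/compliance/ \
            --audit-logs soc2-violations.json \
            --format html \
            --output compliance-report.html

      # Report is generated and uploaded before the gate below so it is
      # available even when the job fails on violations.
      - name: Upload Compliance Report
        uses: actions/upload-artifact@v3
        with:
          name: compliance-report
          path: compliance-report.html

      - name: Fail on Violations
        run: |
          # Each file is opa's JSON envelope:
          #   {"result":[{"expressions":[{"value":[...], ...}]}]}
          # The former `map(length)` counted the envelope's top-level keys
          # (always 1 per file), so the gate failed even with zero violations.
          # Count the entries of each deny set instead; a file with an
          # undefined result (`{}`) contributes nothing and an empty sum is 0.
          TOTAL_VIOLATIONS=$(jq -s '[.[] | .result[]?.expressions[]?.value | length] | add // 0' *-violations.json)
          if [ "$TOTAL_VIOLATIONS" -gt 0 ]; then
            echo "Found $TOTAL_VIOLATIONS compliance violations"
            exit 1
          fi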
---
# GitLab CI/CD Pipeline Example
# .gitlab-ci.yml

# Stage order: unit-test the policies, then validate manifests and plans,
# then run the compliance gate.
stages:
  - test
  - validate
  - compliance

variables:
  # NOTE(review): "latest" is resolved when the pipeline runs, so results are
  # not reproducible and new OPA releases are picked up silently; pin a
  # release tag here.
  OPA_VERSION: "latest"
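test-policies:
  stage: test
  image:
    name: openpolicyagent/opa:${OPA_VERSION}
    # The opa image's ENTRYPOINT is /opa; GitLab passes the job script to the
    # entrypoint, so it must be cleared for `script:` to run under a shell.
    # NOTE(review): the default tag is distroless (no shell) -- a tag that
    # ships a shell (e.g. a `-debug` variant) or a custom image is needed for
    # script steps; confirm before relying on this job.
    entrypoint: [""]
  script:
    # --coverage replaces the test output with the coverage report, so run the
    # plain test pass first so that failures are reported and fail the job.
    - opa test policies/ --verbose
    - opa test policies/ --format=json --coverage > coverage.json
  artifacts:
    paths:
      - coverage.json
    # NOTE(review): opa's coverage JSON is not Cobertura XML, so GitLab cannot
    # parse this report; the file is kept as a plain artifact above until a
    # converter produces Cobertura output.
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.json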
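validate-kubernetes:
  stage: validate
  image:
    name: openpolicyagent/opa:${OPA_VERSION}
    # ENTRYPOINT is /opa; clear it so the script runs under the image's shell.
    entrypoint: [""]
  script:
    - |
      # `|| exit 1` only caught opa *errors*: opa eval exits 0 even when the
      # deny set is non-empty, so violations never failed the job.
      # --fail-defined exits non-zero on a non-empty result.
      # find replaces `k8s/**/*.yaml`: without bash globstar `**` matches a
      # single level only, so nested manifests were skipped.
      find k8s -type f -name '*.yaml' | while read -r file; do
        echo "Validating $file"
        opa eval --fail-defined --data policies/ --input "$file" \
          'data.kubernetes.admission.deny' || exit 1
      done || exit 1
  only:
    - merge_requests
    - main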
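validate-terraform:
  stage: validate
  image:
    # NOTE(review): `latest` floats -- pin a release tag so plan output and
    # provider behaviour are reproducible.
    name: hashicorp/terraform:latest
    # ENTRYPOINT is `terraform`; clear it so before_script/script run under
    # the image's shell.
    entrypoint: [""]
  before_script:
    - apk add --no-cache curl jq
    # -f: fail on an HTTP error instead of saving the error page as the
    # binary and then marking it executable.
    # NOTE(review): the binary is fetched unpinned and unverified on every
    # run. Pin OPA_VERSION to a release and verify the published checksum
    # (`echo "<EXPECTED_SHA256>  /usr/local/bin/opa" | sha256sum -c -`), or
    # bake opa into a pipeline image.
    - curl -fsSL -o /usr/local/bin/opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
    - chmod +x /usr/local/bin/opa
  script:
    - terraform init
    - terraform plan -out=tfplan.binary
    # tfplan.json may contain resolved sensitive values; keep it out of artifacts.
    - terraform show -json tfplan.binary > tfplan.json
    # opa eval exits 0 on a non-empty deny set; --fail-defined is what fails the job.
    - opa eval --fail-defined --data policies/terraform/ --input tfplan.json 'data.terraform.security.deny'
  only:
    - merge_requests
    - main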
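compliance-check:
  stage: compliance
  image:
    name: openpolicyagent/opa:${OPA_VERSION}
    # ENTRYPOINT is /opa; clear it so the script runs under the image's shell.
    entrypoint: [""]
  script:
    # Querying `data.compliance` as a whole could never fail the job: opa eval
    # exits 0 and the package document is always defined. Evaluate each
    # framework's deny set with --fail-defined so any violation fails the
    # stage; the rule paths are the ones the GitHub workflow evaluates.
    # NOTE(review): --input takes a single JSON/YAML file -- confirm that
    # deployments/ is a file, or iterate per file as validate-kubernetes does.
    - opa eval --fail-defined --data policies/compliance/ --input deployments/ 'data.compliance.soc2.deny'
    - opa eval --fail-defined --data policies/compliance/ --input deployments/ 'data.compliance.pci.deny'
    - opa eval --fail-defined --data policies/compliance/ --input deployments/ 'data.compliance.gdpr.deny'
  artifacts:
    # NOTE(review): nothing in this job writes compliance-report.xml, so this
    # JUnit report is never produced; generate it or drop the entry.
    reports:
      junit: compliance-report.xml
  only:
    - main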