Prancer Cloud Security Platform allows users to run static code analysis for Infrastructure as Code (IaC) and post-deployment monitoring (CSPM). DevOps engineers can integrate the static code analysis and security scan of IaC into a Continuous Integration (CI) tool. In this blog post, we will look into using Prancer Enterprise CLI (aka prutil) to run static code analysis on IaC test cases in a GitHub Actions workflow.
The high-level scenario is as follows:

1. A DevOps engineer uses the Prancer portal Configuration Wizard to create a new static code analysis in an IaC collection (see "How to use configuration wizard").
2. All the secrets (server, space ID, customer, username, password) are entered in the GitHub repository secret manager.
3. A GitHub Actions workflow is created and configured.
4. The DevOps engineer creates or modifies cloud resource files (IaC) and pushes the code to the remote git repository to raise a Pull Request (PR).
5. The GitHub Actions workflow kicks in to run static code analysis on the commit.

The relevant steps of the workflow are shown below:
```yaml
      # Install jp to query failed results; it uses JMESPath to query the JSON output.
      - name: Install jp for getting descriptions of failed results.
        run: wget https://github.com/jmespath/jp/releases/download/0.1.2/jp-linux-amd64 -O /tmp/jp && chmod +x /tmp/jp
      # Runs a set of commands using the runner's shell
      - name: Run prancer-cli (prutil) against Test_IAC_deployment_solution
        run: |
          # Install prutil
          pip install prancer_cli
          # Write the prutil config file with the server, spaceid and customer taken from repo secrets
          mkdir -p "$HOME/.prancer"
          echo "[DEFAULT]" > "$HOME/.prancer/config"
          echo "server = ${{ secrets.server }}" >> "$HOME/.prancer/config"
          echo "spaceid = ${{ secrets.spaceid }}" >> "$HOME/.prancer/config"
          echo "customer = ${{ secrets.customer }}" >> "$HOME/.prancer/config"
          # Log in and get the token
          prutil -u "${{ secrets.username }}" -p "${{ secrets.password }}" -l
          # Crawl the collection
          prutil -c Test_IAC_deployment_solution
          # Give the crawling operation time to start
          sleep 10
          # Run the compliance tests for the collection
          prutil -t Test_IAC_deployment_solution
          sleep 10
          # Get the results of the run as JSON
          prutil -r Test_IAC_deployment_solution > /tmp/results
          val=$(grep failed /tmp/results)
          if [ -n "$val" ]; then
            # Print title and description of every failed test, then fail the job
            /tmp/jp "[?result=='failed'].{title: title, description: description}" < /tmp/results
            echo "Test_IAC_deployment_solution failed!"
            exit 1
          else
            echo "Test_IAC_deployment_solution passed!"
            exit 0
          fi
```
Note: the workflow file is available in our GitHub repo: https://github.com/prancer-io/prancer-captain-helm/blob/master/.github/workflows/deploy.yaml
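One caveat with the step above: `grep failed /tmp/results` searches the raw JSON text, so the job also fails when the word "failed" merely appears in the description of a test that passed. As an added example (not code from this post or from Prancer), the following Python script implements the same gate by parsing the results and filtering on the `result` field, which is what the `jp` query does. It assumes the result layout implied by that query (a list of objects with `result`, `title` and `description` keys); the sample results are constructed.

```python
import json
import sys

# Constructed sample in the shape the jp query on this page assumes:
# a list of test results with "result", "title" and "description" keys.
SAMPLE_RESULTS = json.dumps([
    {"title": "storage-encryption", "result": "passed",
     "description": "Storage accounts must not have encryption failed or disabled"},
    {"title": "public-ip", "result": "failed",
     "description": "VM exposes a public IP address"},
    {"title": "nsg-ssh", "result": "failed",
     "description": "NSG allows SSH from 0.0.0.0/0"},
])

# Constructed sample where every test passed but a description contains "failed".
PASSED_ONLY_RESULTS = json.dumps([
    {"title": "storage-encryption", "result": "passed",
     "description": "Storage accounts must not have encryption failed or disabled"},
])


def text_grep_says_failed(raw):
    """Reproduces the page's `grep failed` check: matches the word anywhere in the output."""
    return "failed" in raw


def failed_results(raw):
    """Return title/description for every entry whose result field is exactly 'failed'."""
    results = json.loads(raw)
    return [{"title": r.get("title"), "description": r.get("description")}
            for r in results if r.get("result") == "failed"]


def gate(raw, collection):
    """Build the report text and the exit code the CI step should return."""
    failed = failed_results(raw)
    if failed:
        lines = [f"{f['title']}: {f['description']}" for f in failed]
        lines.append(f"{collection} failed!")
        return 1, "\n".join(lines)
    return 0, f"{collection} passed!"


if __name__ == "__main__":
    # Read `prutil -r` output from stdin, or fall back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESULTS
    code, report = gate(raw, "Test_IAC_deployment_solution")
    print(report)
    sys.exit(code)
```

In the workflow, `prutil -r Test_IAC_deployment_solution | python3 gate.py` would replace the grep/jp/if block and give the same pass/fail exit code without the false positive.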
This creates a GitHub Actions workflow that runs before a pull request can be merged into the main branch for release and deployment of the resources, and blocks the merge when any compliance test in the collection fails.
Good luck with static code analysis of your IaC deployment resources using Prancer Enterprise CLI (prutil).