Running on Travis

Running the Auditree framework from a CI such as Travis can be really useful for executing your compliance checks periodically. That way you can track the current level of compliance with different standards and also notify people whenever there is a failure, so it can be fixed in some way.

This can be done in many different ways, so you don’t have to follow this guide if it does not fit your requirements. However, it is always useful to know what is required so you can adapt this guide to your needs.

Basically, this is what you will need:

  • A .travis.yml: this defines the Travis job, which runs the travis/run.sh script.

  • A git repository for storing generated evidence. You should create a private project/org for this.

  • Credentials generator: a Python script can be used to generate the credentials file from environment variables defined in Travis.

  • Results storage: check results are stored in the evidence locker as check_results.json.

Bear in mind that a compliance check project is a bit tricky to configure, since you will be pushing new code there and also running official compliance executions. You can resolve this by having two Git repositories: one for check development with a development Travis configuration, and another one just for cloning it and running compliance with official parameters.

However, this can also be done in the same repository by distinguishing development runs (which neither notify nor push any evidence to the evidence locker repository) from official runs (which send notifications and push evidence to Git).

Travis artifacts

This is a typical .travis.yml file:

language: python
python:
  - "3.7"
install:
  - pip install -r requirements.txt
script:
  - make clean
  - ./travis/run.sh

Basically, this first installs the dependencies with pip install -r requirements.txt and then generates the credentials file from the Travis environment variables.

Credentials

The recommended way to use credentials in a CI job is to export them as environment variables. Auditree automatically parses the environment variables available to the process and makes them available to the fetchers if they follow a specific structure.

For more information on how to do this, have a look at the Credentials section.
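The following is an added example of the credentials generator mentioned above; it is not Auditree's own code. It assumes a naming convention of its own, AUDITREE_<SECTION>__<KEY> (the real structure Auditree expects is the one described in the Credentials section), and it assumes the target is an INI-style file at ~/.credentials. The points worth copying are the ones a CI job tends to get wrong: the file is created with mode 0600, empty values are refused instead of written as blanks, unrelated Travis variables are ignored, and only a count is printed so no secret ends up in the build log.

```python
"""Build an INI-style credentials file from CI environment variables.

Assumed convention (an assumption of this example, not Auditree's documented
structure): a variable named AUDITREE_<SECTION>__<KEY> becomes key "<key>"
in section "[<section>]" of the credentials file.
"""
import configparser
import io
import os
import stat
from typing import Dict, Mapping

PREFIX = "AUDITREE_"
SEPARATOR = "__"
OWNER_ONLY = stat.S_IRUSR | stat.S_IWUSR  # 0600


def credentials_from_env(env: Mapping[str, str]) -> Dict[str, Dict[str, str]]:
    """Group matching environment variables into {section: {key: value}}.

    Variables without the prefix or without a section/key separator are
    ignored, so unrelated CI variables (TRAVIS_BRANCH, PATH, ...) never end
    up in the credentials file.
    """
    creds: Dict[str, Dict[str, str]] = {}
    for name, value in env.items():
        if not name.startswith(PREFIX) or SEPARATOR not in name:
            continue
        section, key = name[len(PREFIX):].split(SEPARATOR, 1)
        if not section or not key or not value:
            # An empty secret is a misconfiguration; skip it rather than
            # writing a blank value the fetcher would silently use.
            continue
        creds.setdefault(section.lower(), {})[key.lower()] = value
    return creds


def render_ini(creds: Mapping[str, Mapping[str, str]]) -> str:
    """Serialise the grouped credentials as INI text."""
    # interpolation=None so a value containing '%' is written verbatim.
    parser = configparser.ConfigParser(interpolation=None)
    for section in sorted(creds):
        parser[section] = dict(creds[section])
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


def write_credentials(path: str, env: Mapping[str, str]) -> int:
    """Write the file readable only by the current user; return the section count."""
    creds = credentials_from_env(env)
    content = render_ini(creds)
    # Create with 0600 from the start so there is no window where the file
    # is world-readable; chmod afterwards covers a pre-existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, OWNER_ONLY)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, OWNER_ONLY)
    return len(creds)


if __name__ == "__main__":
    target = os.path.expanduser("~/.credentials")  # assumed default location
    count = write_credentials(target, os.environ)
    # Print only the count, never the values, so secrets stay out of the Travis log.
    print(f"wrote {count} credential section(s) to {target}")
```

In the Travis job this would run from travis/run.sh before the compliance --fetch step, with the secrets defined as encrypted environment variables in the Travis settings rather than in .travis.yml.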

travis/run.sh

Travis will call this script in two different ways:

  • As part of a change in the repo, in which case it is considered a development run.

  • Through a call to the Travis API made periodically by a cron job (or a robot). This is considered the official run.

This is an example of a travis/run.sh file:

#!/bin/bash

# Development runs keep evidence local and report to stdout;
# official runs push evidence to the remote locker and notify Slack.
NON_OFFICIAL="--evidence no-push --notify stdout"
OFFICIAL="--evidence full-remote --notify slack"

# is this an official run or not? A run triggered through the Travis API
# on master has no commit range, unlike a run caused by a push.
if [ "$TRAVIS_BRANCH" == "master" ] && [ -z "$TRAVIS_COMMIT_RANGE" ]; then
  # this is official as it has been run by an external call
  OPTIONS="$OFFICIAL"
else
  OPTIONS="$NON_OFFICIAL"
fi

# run fetchers ($OPTIONS is left unquoted on purpose so it expands to several arguments)
compliance --fetch $OPTIONS -C official.json

# run checks; the script's exit status is the exit status of the check run
compliance --check $ACCREDITATIONS $OPTIONS -C official.json
retval=$?

exit $retval

Note that the arguments used in the compliance invocation depend on whether this is an official run or not. This script assumes you have stored the official configuration in the official.json file:

{
  "locker": {
    "repo_url": "https://github.com/my-org/my-evidence-repo"
  },
  "notify": {
    "slack": {
      "demo.hipaa": ["#security-team", "#hipaa-compliance"],
      "demo.soc2": ["#soc2-compliance", "#operations"]
    }
  }
}