⭐️ use cnspec for policy execution (#48)

- update to go 1.19 - remove dependency on external mondoo binary - switch to use inventory instead of config piping to external binary *cty dependency downgrade* Packer and Terraform use different versions of go cty. The problem is that packer does not work with the latest version of go-cty as documented here: - [hashicorp/packer-plugin-sdk incompatible with zclconf/go-cty v1.11.0 · Issue #134 · zclconf/go-cty · GitHub](zclconf/go-cty#134) - [Upgrade github.com/zclconf/go-cty to v1.11.1 · Issue #12055 · hashicorp/packer · GitHub](hashicorp/packer#12055) - [Upgrade github.com/zclconf/go-cty to v1.11.1 · Issue #135 · hashicorp/packer-plugin-sdk · GitHub](hashicorp/packer-plugin-sdk#135) There are two issues, we cannot bundle both go-cty versions due to the fact that it is not labeled a major change. Out only option to get this working for now is to downgrade cty in cnquery and cnspec. *TODOs* - [x] downgrade cty in cnquery mondoohq/cnquery#499 - [x] downgrade cty in cnspec mondoohq/cnspec#201 - [x] update readme Co-authored-by: Scott Ford <49754039+scottford-io@users.noreply.github.com>
mondoohq · Nov 30, 2022 · 62bd615 · 62bd615
1 parent 1e1650b
commit 62bd615
Show file tree

Hide file tree

Showing 11 changed files with 2,316 additions and 445 deletions.
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -0,0 +1 @@
+tions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,7 +5,8 @@ on:
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
+    timeout-minutes: 120
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -14,14 +15,17 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Cache Go modules
         uses: actions/cache@v2
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
+      - name: "Install required tooling"
+        run: |
+          sudo apt install -y zip
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Cache Go modules
         uses: actions/cache@v2
         with:

diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ HASHICORP_PACKER_PLUGIN_SDK_VERSION?=$(shell go list -m github.com/hashicorp/pac
 .PHONY: dev
 
 build:
-	@go build -o ${BINARY}
+	CGO_ENABLED=0 go build -o ${BINARY} -ldflags="-X go.mondoo.com/packer-plugin-mondoo/version.Version=0.0.0 -X go.mondoo.com/packer-plugin-mondoo/version.Build=dev"
 
 dev: build
 	@mkdir -p ~/.packer.d/plugins/
@@ -17,7 +17,7 @@ dev: build
 test:
 	@go test -race -count $(COUNT) $(TEST) -timeout=3m
 
-install-packer-sdc: ## Install packer sofware development command
+install-packer-sdc: ## Install packer software development command
 	@go install github.com/hashicorp/packer-plugin-sdk/cmd/packer-sdc@${HASHICORP_PACKER_PLUGIN_SDK_VERSION}
 
 ci-release-docs: install-packer-sdc

diff --git a/README.md b/README.md
@@ -1,14 +1,9 @@
-# Packer Plugin Mondoo
+# Packer Plugin for Mondoo cnspec
 
-`Mondoo` scans [Packer](https://www.packer.io) builds for vulnerabilities and misconfigurations by executing security policies-as-code enabled in [Mondoo Platform](https://console.mondoo.com). Mondoo Platform comes stocked with an ever-increasing collection of certified security policies which can be easily customize to meet your needs. 
+Packer plugin [cnspec](https://github.com/mondoohq/cnspec) by [Mondoo](https://mondoo.com) scans Linux and Windows [HashiCorp Packer](https://www.packer.io) builds for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using [cnspec-policies](https://github.com/mondoohq/cnspec-policies) to uncover common misconfigurations that open your hosts to the risk of attack. 
+cnspec supports scanning of Linux, Windows, and macOS, as well as Docker containers.
 
-Mondoo supports scanning of Linux, Windows, and macOS, as well as Docker containers.
-
-## Get Started with Mondoo
-
-If you are new to Mondoo you can get started by [signing up for a free account](https://mondoo.com/docs/tutorials/mondoo/account-setup/) today!
-
-## Packer Plugin Mondoo tutorial
+## Get Started
 
 Check out the [Building secure AMIs with Mondoo and Packer](https://mondoo.com/docs/tutorials/aws/build-secure-amis-packer/) tutorial on the Mondoo documentation site.
 
@@ -23,7 +18,7 @@ To install this plugin, copy and paste this code into your Packer configuration
 packer {
   required_plugins {
     mondoo = {
-      version = ">= 0.4.0"
+      version = ">= 0.6.0"
       source  = "github.com/mondoohq/mondoo"
     }
   }
@@ -41,6 +36,8 @@ Once you have downloaded the latest archive corresponding to your target OS, unc
 
 If you prefer to build the plugin from sources, clone the GitHub repository locally and run the command `go build` from the root directory. Upon successful compilation, a `packer-plugin-mondoo` plugin binary file can be found in the root directory. To install the compiled plugin, please follow the official Packer documentation on [installing a plugin](https://www.packer.io/docs/extending/plugins/#installing-plugins).
 
+By using `make dev`, the binary is copied into `~/.packer.d/plugins/` after the build.
+
 ## Configuration
 
 | **Name** | **Description** | **Type** | **Default** | **Required** |
@@ -56,19 +53,17 @@ If you prefer to build the plugin from sources, clone the GitHub repository loca
 ### Example: Complete Configuration
 
 ```hcl
-  provisioner "mondoo" {
-    on_failure      = "continue"
-    mondoo_config_path = "/etc/mondoo-config.json"
-    score_threshold = 85
-    asset_name      = "example-secure-base-image"
-    sudo {
-      active = true
-    }
+provisioner "mondoo" {
+  on_failure      = "continue"
+  score_threshold = 85
+  asset_name      = "example-secure-base-image"
+  sudo {
+    active = true
+  }
 
-    annotations = {
-      Source_AMI    = "{{ .SourceAMI }}"
-      Creation_Date = "{{ .SourceAMICreationDate }}"
-    }
+  annotations = {
+    Source_AMI    = "{{ .SourceAMI }}"
+    Creation_Date = "{{ .SourceAMICreationDate }}"
   }
 }
 ```
@@ -77,6 +72,10 @@ If you prefer to build the plugin from sources, clone the GitHub repository loca
 
 You can find example Packer templates in the [examples](/examples/) directory in this repository.
 
+## Get Started with cnspec
+
+If you want to use cnspec outside of packer, you can [get started](https://mondoo.com/docs/cnspec/) today!
+
 ## Contributing
 
 * If you think you've found a bug in the code or you have a question regarding

diff --git a/docs-partials/provisioner/Config-not-required.mdx b/docs-partials/provisioner/Config-not-required.mdx
@@ -29,8 +29,6 @@
 - `asset_name` (string) - The asset name passed to Mondoo Platform. Defaults to the hostname
   of the instance.
 
-- `mondoo_env_vars` ([]string) - Array of environment variables for configuring Mondoo.
-
 - `on_failure` (string) - Configure behavior whether packer should fail if `scan_threshold` is
   not met. If `scan_threshold` configuration is omitted, the threshold
   is set to `0` and builds will pass regardless of what score is