{"id":238350,"date":"2022-05-13T08:45:00","date_gmt":"2022-05-13T12:45:00","guid":{"rendered":"https:\/\/wordpress-756359-3782526.cloudwaysapps.com\/?p=238350"},"modified":"2025-05-30T07:27:18","modified_gmt":"2025-05-30T07:27:18","slug":"22-05-13-regula","status":"publish","type":"post","link":"https:\/\/www.travis-ci.com\/blog\/22-05-13-regula\/","title":{"rendered":"Travis CI and Regula"},"content":{"rendered":"\n

Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy, let\u2019s dig in a bit deeper and see how we can make this integrate with Travis CI.<\/p>\n\n\n\n

Regula + Travis CI<\/h2>\n\n\n\n

We\u2019re gonna get Regula up and running, with something I thought of which is using a mock_key.json<\/code> file I created, this is so you can sample it first, once you get a final main.tf<\/code> (Terraform), you can edit as you please. Once Terraform calls Regula then Travis picks up the \/POST and sees if it gets a response from Regula. This is a working example, and Travis is in my opinion the easiest development tool, to set Regula up on and get up and running with max uptime.<\/p>\n\n\n\n

Terraform<\/h2>\n\n\n\n

We can grab Terraform by putting this in our script<\/code> hook in our travis.yml<\/code> file:<\/p>\n\n\n\n

curl -fsSL https:\/\/apt.releases.hashicorp.com\/gpg | sudo apt-key add -\nsudo apt-add-repository \"deb [arch=amd64] https:\/\/apt.releases.hashicorp.com $(lsb_release -cs) main\"\nsudo apt-get update && sudo apt-get install terraform<\/code><\/pre>\n\n\n\n
Kubernetes<\/h2>\n\n\n\n
There is a compliant Kubernetes pod in this repo I\u2019ve also banged out, since we\u2019re using Travis there\u2019s not alot<\/em> of need for it, but I\u2019m just trying to give you the most feasible option.<\/p>\n\n\n\n
Swagger<\/h2>\n\n\n\n
There\u2019s a full swagger.yaml<\/code> file within the repository.<\/p>\n\n\n\n
Travis CI<\/h2>\n\n\n\n
All of the .travis.yml<\/code> file below was made by me (Montana Mendy). Just some crucial points to go over for the .travis.yml<\/code>:<\/p>\n\n\n\n
group: edge\nbranches:\n  only:\n    - master\n    - \/^(cherry-pick-)?backport-\\d+-to-\/\naddons:\n  apt:\n    packages:\n      - moreutils\nenv:\n  global:\n    - 'PATH=\"$HOME\/.local\/bin:$PATH\"'\n    - REGULA_VERSION=1.6.0\ninstall:\n  - >-\n    if [[ \"${TRAVIS_COMMIT_MESSAGE}\" = *\"[Build latest]\"* ]]; then export\n    BUILD_VERSION=\"$(cat packaging\/version | cut -d'-' -f1,2 | sed -e\n    's\/-\/.\/g').latest\"; fi;\nbefore_script:\n  - mkdir \"$HOME\/.local\/bin\"\n  - >-\n    curl -L\n    \"https:\/\/github.com\/fugue\/regula\/releases\/download\/v${REGULA_VERSION}\/regula_${REGULA_VERSION}_Linux_x86_64.tar.gz\"\n    | tar -xvz -C \"$HOME\/.local\/bin\"\n  - 'RANGE1=`echo \"$TRAVIS_COMMIT_RANGE\" | awk ''{n=split($1,a,\".\");print a[1]}''`'\nscript:\n  - REGULA_OUTPUT=\"$(mktemp)\"\n  - (regula run -f json || true) | tee \"$REGULA_OUTPUT\"\n  - REGULA_RULES_PASSED=\"$(jq -r '.summary.rule_results.PASS' \"$REGULA_OUTPUT\")\"\n  - REGULA_RULES_FAILED=\"$(jq -r '.summary.rule_results.FAIL' \"$REGULA_OUTPUT\")\"\n  - regula -v\n  - regula init\n  - regula run\n  - regula run --format table\n  - >-\n    echo \"${REGULA_RULES_PASSED} rules passed, ${REGULA_RULES_FAILED} rules\n    failed\" >&2\n  - 'if [[ \"$REGULA_RULES_FAILED\" -gt 0 ]]; then exit 1; fi'\n  - curl -fsSL https:\/\/apt.releases.hashicorp.com\/gpg | sudo apt-key add -\n  - sudo apt-add-repository \"deb [arch=amd64] https:\/\/apt.releases.hashicorp.com $(lsb_release -cs) main\"\n  - sudo apt-get update && sudo apt-get install terraform\n  - terraform -v\nafter_deploy:\n  - >-\n    if [ -n \"${BUILDER_NAME}\" ]; then rm -rf \/home\/${BUILDER_NAME}\/* && echo\n    \"Cleared \/home\/${BUILDER_NAME} directory\" || echo \"Failed to clean\n    \/home\/${BUILDER_NAME} directory\"; fi;\n  - 'if [ -d \"${PACKAGES_DIRECTORY}\" ]; then rm -rf \"${PACKAGES_DIRECTORY}\"; fi;'\n  - >-\n    if: \"((branch IN (master, develop) && type = push) OR branch =~ \/.*env.*\/ OR\n    commit_message =~ \/\\\\[recreate env\\\\]\/) AND commit_message !~ \/\\\\[delete\n    env\\\\]\/ AND type != cron AND commit_message !~ \/\\\\[execute .*. test\\\\]\/ AND\n    commit_message !~ \/\\\\[start recreate scheduler\\\\]\/\"<\/code><\/pre>\n\n\n\n
We are going to change the PATH<\/code> and use cURL<\/code> to fetch the latest version of Regula, make sure you have it by going to https:\/\/regula.dev\/. You can also make sure by running:<\/p>\n\n\n\n
regula version<\/code><\/pre>\n\n\n\n
In the CLI, but it will print out something like this:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
If the regula<\/code> command isn\u2019t working you need to install Regula and the binary. Make sure you run the following:<\/p>\n\n\n\n
brew tap fugue\/regula<\/code><\/pre>\n\n\n\n
Once brew has symlinked fugue\/regula<\/code>, you can now start the install process:<\/p>\n\n\n\n
brew install regula<\/code><\/pre>\n\n\n\n
If you want to upgrade regula, just run:<\/p>\n\n\n\n
brew upgrade regula<\/code><\/pre>\n\n\n\n
You\u2019ll also notice we used cURL<\/code> to grab Terraform via:<\/p>\n\n\n\n
script:\n  - curl -fsSL https:\/\/apt.releases.hashicorp.com\/gpg | sudo apt-key add -\n  - sudo apt-add-repository \"deb [arch=amd64] https:\/\/apt.releases.hashicorp.com $(lsb_release -cs) main\"\n  - sudo apt-get update && sudo apt-get install terraform\n  - terraform -v<\/code><\/pre>\n\n\n\n
Running Regula with a config file<\/h2>\n\n\n\n
You\u2019ll want to pull up your CLI, make sure you have a directory named \/infra_tf<\/code>, and run:<\/p>\n\n\n\n
regula run -f json --include example_custom_rule --include config.rego infra_tf<\/code><\/pre>\n\n\n\n
The output should be something like this:<\/p>\n\n\n\n
 {\n      \"controls\": [\n        \"CIS-Kubernetes_v1.6.1_5.1.6\"\n      ],\n      \"filepath\": \"pod-compliant.yaml\",\n      \"input_type\": \"k8s\",\n      \"provider\": \"kubernetes\",\n      \"resource_id\": \"Pod.default.hello\",\n      \"resource_type\": \"Pod\",\n      \"rule_description\": \"Service account 'automountServiceAccountToken' should be set to 'false'. Avoid automounting service account tokens. Service account tokens are used to authenticate requests from in-cluster processes to the Kubernetes API server. Many workloads do not need to communicate with the API server and hence should have automountServiceAccountToken set to false.\",\n      \"rule_id\": \"FG_R00484\",\n      \"rule_message\": \"\",\n      \"rule_name\": \"k8s_service_account_tokens\",\n      \"rule_result\": \"PASS\",\n      \"rule_severity\": \"Medium\",\n      \"rule_summary\": \"Service account 'automountServiceAccountToken' should be set to 'false'\",\n      \"source_location\": [\n        {\n          \"path\": \"pod-compliant.yaml\",\n          \"line\": 1,\n          \"column\": 1\n        }\n      ]\n    }\n  \"summary\": {\n    \"filepaths\": [\n      \"pod-compliant.yaml\"\n    ],\n    \"rule_results\": {\n      \"FAIL\": 0,\n      \"PASS\": 14,\n      \"WAIVED\": 0\n    },\n    \"severities\": {\n      \"Critical\": 0,\n      \"High\": 0,\n      \"Informational\": 0,\n      \"Low\": 0,\n      \"Medium\": 0,\n      \"Unknown\": 0\n    }\n  }<\/code><\/pre>\n\n\n\n
Depending on the policies, enforcements you\u2019ve set it will look different. Now let\u2019s make sure in Travis CI if our pods are compliant:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
They certainly seem to be, now we can move on!<\/p>\n\n\n\n
Usage<\/h2>\n\n\n\n
The usage does get pretty complex from the Regula side – I\u2019ve been thinking about writing a bash script to help users and make it easier.<\/p>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
Here\u2019s my repository for the integration<\/a>, as always I try and make as much of my code as open source as possible. As always, if you have any questions, please email me at montana@travis-ci.org<\/a> for help.<\/p>\n\n\n\n
Happy building!<\/p>\n","protected":false},"excerpt":{"rendered":"
Regula checks infrastructure as code templates for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy. Now, you can integrate this with Travis CI.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_breakdance_hide_in_design_set":false,"_breakdance_tags":"","footnotes":""},"categories":[16],"tags":[7,19,20,5],"class_list":["post-238350","post","type-post","status-publish","format-standard","hentry","category-news","tag-community","tag-feature","tag-infrastructure","tag-news"],"_links":{"self":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/238350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/comments?post=238350"}],"version-history":[{"count":2,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/238350\/revisions"}],"predecessor-version":[{"id":241347,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/238350\/revisions\/241347"}],"wp:attachment":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/media?parent=238350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/categories?post=238350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/tags?post=238350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}