fixes

elastic · Mar 12, 2024 · 0ec7e95 · 0ec7e95
1 parent af93c7f
commit 0ec7e95
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/.github/workflows/sync-rule-templates.yml b/.github/workflows/sync-rule-templates.yml
@@ -10,8 +10,8 @@ on:
  branches:
  - main
  paths:
- # only run when metadata failed not when the rule is updated
- - "security-policies/**"
+ # run when a rule metadata is updated
+ - "security-policies/bundle/compliance/**/rules/**/data.yaml"
 
 env:
  GITHUB_TOKEN: ${{ secrets.CLOUDSEC_MACHINE_TOKEN }}

diff --git a/scripts/sync_rule_templates.sh b/scripts/sync_rule_templates.sh
@@ -11,21 +11,29 @@ templates_path="packages/cloud_security_posture/kibana/csp_rule_template"
 manifest_path="packages/cloud_security_posture/manifest.yml"
 changelog_path="packages/cloud_security_posture/changelog.yml"
 
+# get new or existing sync-cis-rule-templates branch
 cd ../integrations
 if git fetch origin main "$branch_name" &>/dev/null; then
  git checkout "$branch_name"
 else
  git checkout -b "$branch_name" origin/main
 fi
+
+# avoid rebase conflicts in manifest/changelog files and rule templates
 git checkout origin/main -- "$manifest_path" "$changelog_path"
 git rebase origin/main
+
+# run the script to generate the rule templates
 cd ../cloudbeat
 poetry run -C security-policies python security-policies/dev/generate_rule_templates.py
+
+# commit and push the changes
 cd ../integrations
 git add "$templates_path"
 git commit -m "Sync CIS rule templates"
 git push origin "$branch_name" -f
 
+# create a PR if it doesn't exist and assign labels
 if [[ -z "$pr_number" ]]; then
  pr=$(gh api \
  --method POST \
@@ -49,6 +57,7 @@ fi
 
 # TODO: update manifest.yml and changelog.yml
 
+# create PR body
 pr_url=$(gh api $repo/pulls -q ".[] | select(.head.ref == \"$branch_name\" and .state == \"open\") | .html_url")
 rows="$(git diff --name-only origin/main -- "$templates_path" | while read -r file; do jq --arg a "$pr_url/files#diff-$(echo -n "$file" | openssl dgst -sha256 | awk '{print $2}')" -r '.attributes.metadata.benchmark | "\(.id): \(.rule_number): \($a)"' "$file"; done | awk '{split($0, a, ": "); b[a[1]] = (b[a[1]] == "" ? "" : b[a[1]] ", ") "["a[2]"]""("a[3]")"} END {for (i in b) printf("| %s | %s |\n", i, b[i])}')"
 body=$(
@@ -60,6 +69,7 @@ $rows
 EOF
 )
 
+# update PR body
 gh api \
  --method PATCH \
  -H "Accept: application/vnd.github+json" \