mitre · seanlongcc · Feb 4, 2026 · Jan 22, 2026 · Jan 22, 2026 · Jan 22, 2026
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,120 @@
+---
+name: CIS OCI Foundations v3.0.0
+
+on:
+  push:
+    branches:
+      - actions
+      - main
+  pull_request:
+
+jobs:
+  my-job:
+    name: Validate Profile
+    runs-on: ubuntu-latest
+    env:
+      INPUT_FILE: example.inputs.yml
+      RESULTS_FILE: oci_results.json
+      THRESHOLD_FILE: example.threshold.yml
+      HEIMDALL_URL: ${{ vars.SAF_HEIMDALL_URL }}
+      OCI_CLI_FINGERPRINT: ${{ secrets.OCI_CLI_FINGERPRINT }}
+      OCI_CLI_USER: ${{ secrets.OCI_CLI_USER }}
+      OCI_CLI_TENANCY: ${{ secrets.OCI_CLI_TENANCY }}
+      OCI_CLI_REGION: ${{ vars.SAF_OCI_CLI_REGION }}
+      OCI_CLI_KEY_CONTENT: ${{ secrets.OCI_CLI_KEY_CONTENT }}
+
+    steps:
+      - name: Install needed packages
+        run: sudo apt-get install -y jq curl
+
+      - name: Install OCI
+        run: |
+          curl -L -o install.sh https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh
+          bash install.sh --accept-all-defaults
+          echo "$HOME/bin" >> $GITHUB_PATH
+
+      - name: Configure OCI CLI
+        run: |
+          mkdir -p ~/.oci
+          printf "%s" "$OCI_CLI_KEY_CONTENT" > ~/.oci/oci_api_key.pem
+          chmod 600 ~/.oci/oci_api_key.pem
+          cat > ~/.oci/config <<EOF
+          [DEFAULT]
+          user=$OCI_CLI_USER
+          fingerprint=$OCI_CLI_FINGERPRINT
+          tenancy=$OCI_CLI_TENANCY
+          region=$OCI_CLI_REGION
+          key_file=~/.oci/oci_api_key.pem
+          EOF
+          chmod 600 ~/.oci/config
+
+      - name: Verify OCI CLI auth and version
+        run: |
+          set -euo pipefail
+          test -s ~/.oci/config
+          test -s ~/.oci/oci_api_key.pem
+          oci --version
+          oci iam user get --user-id "$OCI_CLI_USER" --raw-output >/dev/null
+
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Clone full repository so we can push
+        run: git fetch --prune --unshallow
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          calculatedSha=$(git rev-parse --short ${{ github.sha }})
+          echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
+
+      - name: Confirm git commit SHA output
+        run: echo ${{ env.COMMIT_SHORT_SHA }}
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.3.0"
+
+      - name: Disable ri and rdoc
+        run: 'echo "gem: --no-document" >> ~/.gemrc'
+
+      - name: Bundle Install
+        run: bundle install
+
+      - name: Installed Inspec
+        run: bundle exec cinc-auditor --version
+
+      - name: Vendor the InSpec Profile
+        run: bundle exec cinc-auditor vendor --overwrite
+
+      - name: Lint the Inspec profile
+        run: bundle exec cinc-auditor check .
+
+      - name: Run the Profile
+        run: |
+          bundle exec cinc-auditor exec . \
+            --input-file="${{ env.INPUT_FILE }}" \
+            --input tenancy_ocid="${{ secrets.OCI_CLI_TENANCY }}" detector_recipe_ocid="${{ secrets.SAF_OCI_DETECTOR_RECIPE_OCID }}" \
+            --reporter cli json:${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} --enhanced-outcomes --filter-empty-profiles || true
+
+      - name: Save Test Result JSON
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
+          path: |
+            ./${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}
+
+      - name: Upload to Heimdall
+        run: |
+          curl -# -s -F data=@${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE}}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ env.HEIMDALL_URL }}/evaluations"
+
+      - name: Display our ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} results summary
+        uses: mitre/saf_action@v1
+        with:
+          command_string: "view summary -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}"
+
+      - name: Ensure ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} meets our results threshold
+        uses: mitre/saf_action@v1
+        with:
+          command_string: "validate threshold -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F ${{ env.THRESHOLD_FILE }}"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.4
+    hooks:
+      - id: actionlint
diff --git a/Gemfile b/Gemfile
@@ -1,26 +1,11 @@
 # frozen_string_literal: true
 
 source 'https://rubygems.org'
-gem 'berkshelf'
-gem 'highline'
-gem 'kitchen-ansible'
-gem 'kitchen-docker'
-gem 'kitchen-dokken'
-gem 'kitchen-ec2'
-gem 'kitchen-inspec'
-gem 'kitchen-sync'
-gem 'kitchen-vagrant'
-gem 'pry-byebug'
-gem 'rake'
-gem 'rubocop'
-gem 'rubocop-rake'
-gem 'test-kitchen'
-gem 'train-awsssm'
+gem 'syslog'
+gem 'csv'
 
 source 'https://rubygems.cinc.sh/' do
   gem 'chef-config'
   gem 'chef-utils'
   gem 'cinc-auditor-bin'
-  gem 'inspec'
-  gem 'inspec-core'
 end