Skip to content

feat(compliance): integrate compliance-engine-assessor scanning#8910

Draft
robertwoj-microsoft wants to merge 1 commit into
mainfrom
robertwoj/38757454
Draft

feat(compliance): integrate compliance-engine-assessor scanning#8910
robertwoj-microsoft wants to merge 1 commit into
mainfrom
robertwoj/38757454

Conversation

@robertwoj-microsoft

@robertwoj-microsoft robertwoj-microsoft commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Initial integration of the Compliance Engine Assessor which will replace the current scripted CIS Assessor scanning.

PR descript will be extended later after the initial wiring is set up.

Copilot AI review requested due to automatic review settings July 13, 2026 12:32
@robertwoj-microsoft robertwoj-microsoft changed the title feat: Initial compliance scanning integration feat(compliance): Initial compliance scanning integration Jul 13, 2026
@robertwoj-microsoft robertwoj-microsoft changed the title feat(compliance): Initial compliance scanning integration feat(compliance): integrate compliance-engine-assessor scanning Jul 13, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds initial “shadow” integration of the benchmark-agnostic Compliance Engine Assessor into the VHD scanning flow. This wires the download/staging of the assessor + MOFs on the build agent, runs the assessor on the scan VM alongside the existing CIS-CAT flow, and publishes native JSON outputs as pipeline artifacts (non-blocking).

Changes:

  • Add a non-blocking Compliance Engine scan phase to vhdbuilder/packer/vhd-scanning.sh (runs before CIS-CAT and emits JSON + logs).
  • Introduce an ADO template to download assessor + benchmark MOFs from an Azure Artifacts NuGet feed based on a repo-pinned manifest.
  • Publish Compliance Engine JSON/log outputs as build artifacts for Ubuntu 22.04/24.04 builds.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
vhdbuilder/packer/vhd-scanning.sh Runs the Compliance Engine assessor on the scan VM (shadow mode) and downloads JSON/log outputs for publication.
vhdbuilder/packer/compliance-versions.json Adds PR-gated pins (currently placeholders) for assessor + benchmark packages consumed by the download template.
vhdbuilder/packer/compliance-engine-report.sh New run-command script executed on the scan VM to download assessor+MOF, run audit, and upload JSON/log.
.pipelines/templates/.compliance-engine-scan-template.yaml New shared ADO steps template to download assessor + MOF packages (manifest-driven) onto the build agent.
.pipelines/templates/.builder-release-template.yaml Hooks the new download template into the build and publishes compliance-engine JSON/log artifacts.

Comment on lines +392 to +394
echo "$ret"
msg=$(echo -E "$ret" | jq -r '.value[].message' 2>/dev/null || true)
echo "$msg"
Comment on lines +1 to +3
#!/bin/bash
set -eux

Comment on lines +57 to +60
if [ -z "$AZURE_MSI_RESOURCE_STRING" ]; then
echo "AZURE_MSI_RESOURCE_STRING must be set for az login"
exit 1
fi
Comment on lines +383 to +387
- task: CopyFiles@2
condition: and(eq(variables.OS_SKU, 'Ubuntu'), in(variables.OS_VERSION, '22.04', '24.04'))
continueOnError: true
displayName: Copy Compliance Engine Reports
inputs:
Comment on lines +3 to +7
"assessor": "compliance-engine-assessor@TODO-pin-published-assessor-version",
"benchmarks": {
"ubuntu-22.04-l1": "cis_ubuntu_linux_22.04_lts_benchmark_v2.0.0__level_1__server@TODO-pin-published-version",
"ubuntu-22.04-l2": "cis_ubuntu_linux_22.04_lts_benchmark_v2.0.0__level_2__server@TODO-pin-published-version",
"ubuntu-24.04-l1": "cis_ubuntu_linux_24.04_lts_benchmark_v1.0.0__level_1__server@TODO-pin-published-version",
@aks-node-assistant

Copy link
Copy Markdown
Contributor

AgentBaker Linux gate detective

Run: https://msazure.visualstudio.com/CloudNativeCompute/_build/results?buildId=171985153
Failed job/stage/task: Run AgentBaker E2E / Run AgentBaker E2E, exit code 1.

Detective summary: Ubuntu 22.04 HTTPSProxy PrivateDNS default and scriptless_nbc failed CSE with known transient ERR_OUTBOUND_CONN_FAIL exit 50 twice before VMExtensionProvisioningError; ACL ARM64 also hit pod validation client rate limiter after slow node creation.

Likely cause / signature: E2E infra/environment outbound connectivity flake; wiki signature e2e-httpsproxy-privatedns-err-outbound-conn-fail.

Confidence: High for flaky infra/environment on the HTTPSProxy PrivateDNS failures; medium that ACL ARM64 is an adjacent latency symptom rather than the same root.

Recommended owner/action: Node Lifecycle E2E infra owner should inspect scenario logs for the outbound exit 50 retries and cluster/API latency; no PR author action unless reruns produce deterministic compliance-scanning-specific failures.

Strongest alternative: PR #8910 compliance scanning integration changed image/provisioning behavior; less likely because the log labels exit 50 as a known transient outbound flake and this exact HTTPSProxy PrivateDNS signature already exists in the tracker.

Evidence: build summary, E2E log 571/578, test run 527254252 with 5 failed results, scenario logs scenario-logs-1783949694/Test_Ubuntu2204_HTTPSProxy_PrivateDNS/default and scriptless_nbc, source commit 330a9ca7e740ea6023222c0adfa13cc59e6de3b4.

Wiki signature: �2e-httpsproxy-privatedns-err-outbound-conn-fail

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants