From 8b99fa756b98ae08b407355f878f63c4f20c9abf Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Mon, 29 Aug 2022 16:05:32 +0300
Subject: [PATCH 01/35] adding account ID support
---
 action.yml | 11 +++++++----
 entrypoint.sh | 3 ++-
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/action.yml b/action.yml
index ef38f03..5caa015 100644
--- a/action.yml
+++ b/action.yml
@@ -13,8 +13,6 @@ inputs:
 -o, --output - Output file. Print output to file and not stdout
 --exceptions - Path to an exceptions object file
 -s, --silent - Silent progress messages
- --verbose - Display all of the input resources and not only
- failed resources
 --logger - Logger level. Supported: debug/info/success/warning/
 error/fatal (default "info")
 required: false
@@ -22,12 +20,17 @@ inputs:
 description: |
 Failure threshold is the percent above which the command fails and returns exit code 1 (default 0 i.e, action fails if any control fails)
- default: 0
+ default: "0"
 required: false
 files:
 description: |
 Path to the configuration yaml to scan
- required: true
+ required: false
+ default: "."
+ account:
+ description: |
+ Kubescape cloud account ID
+ required: false
 framework:
 description: |
 List of all frameworks to scan. Run kubescape list frameworks with
diff --git a/entrypoint.sh b/entrypoint.sh
index 748f175..09fdecb 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -23,8 +23,9 @@ fi
 FRAMEWORK_CMD=$([ ! -z "$INPUT_FRAMEWORK" ] && echo "framework $INPUT_FRAMEWORK" || echo "")
 CONTROL_CMD=$([ ! -z "$INPUT_CONTROL" ] && echo control $CONTROLS || echo "")
+ACCOUNT_ID=$([ ! -z "$ACCOUNT_ID" ] && echo control $ACCOUNT_ID || echo "")
-COMMAND="kubescape scan $FRAMEWORK_CMD $CONTROL_CMD $INPUT_FILES --fail-threshold $INPUT_THRESHOLD $INPUT_ARGS"
+COMMAND="kubescape scan $FRAMEWORK_CMD $CONTROL_CMD $INPUT_FILES --fail-threshold $INPUT_THRESHOLD $INPUT_ARGS --account $ACCOUNT_ID --verbose"
 eval $COMMAND
From 4882747f7d6ba3aacf4665432498b56217287316 Mon Sep 17 00:00:00 2001
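Review bot: The new `account` input in the second action.yml hunk is documented only as `Kubescape cloud account ID`, which does not tell a user where the value goes or how it should be supplied; since entrypoint.sh forwards it on the command line and the example workflow feeds it from a workflow expression, the description should say so and steer users to a secret. Suggest `Kubescape cloud account ID, forwarded to kubescape as --account. Supply it from a repository secret rather than a literal; leave empty if you have no account.` The first hunk also drops `--verbose` from the `args` option list while entrypoint.sh now appends `--verbose` unconditionally, so the `args` description should note that verbose output is always enabled and passing it again is unnecessary.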
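Review bot: `ACCOUNT_ID=$([ ! -z "$ACCOUNT_ID" ] && echo control $ACCOUNT_ID || echo "")` tests the variable it is about to assign, which is unset at that point, instead of the action input; the rest of the script reads inputs as `INPUT_FRAMEWORK`, `INPUT_CONTROL`, `INPUT_FILES`, so the new input would arrive as `INPUT_ACCOUNT` and is currently never picked up. The truthy branch also echoes `control $ACCOUNT_ID`, copied from `CONTROL_CMD`, and the new `COMMAND` line appends `--account $ACCOUNT_ID` unconditionally, so with no account configured kubescape is invoked with a bare `--account` flag. Since the assembled string goes through `eval $COMMAND`, an account value is interpreted by the shell like the other inputs, which is one more reason to build the flag only when the input is set. Suggest `ACCOUNT_CMD=$([ ! -z "$INPUT_ACCOUNT" ] && echo "--account $INPUT_ACCOUNT" || echo "")` and `COMMAND="kubescape scan $FRAMEWORK_CMD $CONTROL_CMD $INPUT_FILES --fail-threshold $INPUT_THRESHOLD $INPUT_ARGS $ACCOUNT_CMD --verbose"`.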
From: David Wertenteil Date: Mon, 29 Aug 2022 16:05:45 +0300 Subject: [PATCH 02/35] Adding example --- .github/workflows/example.yaml | 14 ++ examples/kubernetes-manifests/README.md | 8 ++ examples/kubernetes-manifests/adservice.yaml | 85 ++++++++++++ .../kubernetes-manifests/cartservice.yaml | 78 +++++++++++ .../kubernetes-manifests/checkoutservice.yaml | 94 +++++++++++++ .../kubernetes-manifests/currencyservice.yaml | 82 ++++++++++++ .../kubernetes-manifests/emailservice.yaml | 81 ++++++++++++ examples/kubernetes-manifests/frontend.yaml | 125 ++++++++++++++++++ .../kubernetes-manifests/loadgenerator.yaml | 75 +++++++++++ .../kubernetes-manifests/paymentservice.yaml | 81 ++++++++++++ .../productcatalogservice.yaml | 83 ++++++++++++ .../recommendationservice.yaml | 85 ++++++++++++ examples/kubernetes-manifests/redis.yaml | 78 +++++++++++ .../kubernetes-manifests/shippingservice.yaml | 83 ++++++++++++ 14 files changed, 1052 insertions(+) create mode 100644 .github/workflows/example.yaml create mode 100644 examples/kubernetes-manifests/README.md create mode 100644 examples/kubernetes-manifests/adservice.yaml create mode 100644 examples/kubernetes-manifests/cartservice.yaml create mode 100644 examples/kubernetes-manifests/checkoutservice.yaml create mode 100644 examples/kubernetes-manifests/currencyservice.yaml create mode 100644 examples/kubernetes-manifests/emailservice.yaml create mode 100644 examples/kubernetes-manifests/frontend.yaml create mode 100644 examples/kubernetes-manifests/loadgenerator.yaml create mode 100644 examples/kubernetes-manifests/paymentservice.yaml create mode 100644 examples/kubernetes-manifests/productcatalogservice.yaml create mode 100644 examples/kubernetes-manifests/recommendationservice.yaml create mode 100644 examples/kubernetes-manifests/redis.yaml create mode 100644 examples/kubernetes-manifests/shippingservice.yaml diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml new file mode 100644 index 0000000..796b616 
--- /dev/null
+++ b/.github/workflows/example.yaml
@@ -0,0 +1,14 @@
+name: Example
+on: [push, pull_request]
+
+jobs:
+ kubescape-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: kubescape/kubescape-action@main
+ with:
+ threshold: "50"
+ account: ${{ github.KUBESCAPE_ACCOUNT }}
+
+
diff --git a/examples/kubernetes-manifests/README.md b/examples/kubernetes-manifests/README.md
new file mode 100644
index 0000000..ed852b7
--- /dev/null
+++ b/examples/kubernetes-manifests/README.md
@@ -0,0 +1,8 @@
+# ./kubernetes-manifests
+
+:warning: Kubernetes manifests provided in this directory are not directly
+deployable to a cluster. They are meant to be used with `skaffold` command to
+insert the correct `image:` tags.
+
+Use the manifests in [/release](/release) directory which are configured with
+pre-built public images.
diff --git a/examples/kubernetes-manifests/adservice.yaml b/examples/kubernetes-manifests/adservice.yaml
new file mode 100644
index 0000000..32ab46d
--- /dev/null
+++ b/examples/kubernetes-manifests/adservice.yaml
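Review bot: `account: ${{ github.KUBESCAPE_ACCOUNT }}` reads the account ID from the `github` context, which does not define such a property, so the expression evaluates to an empty string and the example never actually passes an account; a value stored as a repository secret is read as `account: ${{ secrets.KUBESCAPE_ACCOUNT }}`. The same expression is carried unchanged into the PATCH 04/35 hunk (`avinashupadhya99/kubescape-action@main`) and PATCH 05/35 only comments it out. Separately, `uses: kubescape/kubescape-action@main` (and the personal-fork reference in PATCH 04/35) pins a published example to a moving branch; reference a release tag or a full commit SHA so a later push to `main` cannot silently change what runs in users' pipelines.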
@@ -0,0 +1,85 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: adservice +spec: + selector: + matchLabels: + app: adservice + template: + metadata: + labels: + app: adservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: adservice + ports: + - containerPort: 9555 + env: + - name: PORT + value: "9555" + - name: DISABLE_STATS + value: "1" + - name: DISABLE_TRACING + value: "1" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 200m + memory: 180Mi + limits: + cpu: 300m + memory: 300Mi + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] +--- +apiVersion: v1 +kind: Service +metadata: + name: adservice +spec: + type: ClusterIP + selector: + app: adservice + ports: + - name: grpc + port: 9555 + targetPort: 9555 
diff --git a/examples/kubernetes-manifests/cartservice.yaml b/examples/kubernetes-manifests/cartservice.yaml new file mode 100644 index 0000000..498e464 --- /dev/null +++ b/examples/kubernetes-manifests/cartservice.yaml @@ -0,0 +1,78 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cartservice +spec: + selector: + matchLabels: + app: cartservice + template: + metadata: + labels: + app: cartservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: cartservice + ports: + - containerPort: 7070 + env: + - name: REDIS_ADDR + value: "redis-cart:6379" + resources: + requests: + cpu: 200m + memory: 64Mi + limits: + cpu: 300m + memory: 128Mi + readinessProbe: + initialDelaySeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 10 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] +--- +apiVersion: v1 +kind: Service +metadata: + name: cartservice +spec: + type: ClusterIP + selector: + app: cartservice + ports: + - name: grpc + port: 7070 + targetPort: 7070 
diff --git a/examples/kubernetes-manifests/checkoutservice.yaml b/examples/kubernetes-manifests/checkoutservice.yaml new file mode 100644 index 0000000..3658505 --- /dev/null +++ b/examples/kubernetes-manifests/checkoutservice.yaml 
@@ -0,0 +1,94 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: checkoutservice +spec: + selector: + matchLabels: + app: checkoutservice + template: + metadata: + labels: + app: checkoutservice + spec: + serviceAccountName: default + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: checkoutservice + ports: + - containerPort: 5050 + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + env: + - name: PORT + value: "5050" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: PAYMENT_SERVICE_ADDR + value: "paymentservice:50051" + - name: EMAIL_SERVICE_ADDR + value: "emailservice:5000" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + - name: DISABLE_STATS + value: "1" + - name: DISABLE_TRACING + value: "1" + - name: DISABLE_PROFILER + value: "1" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi 
+--- +apiVersion: v1 +kind: Service +metadata: + name: checkoutservice +spec: + type: ClusterIP + selector: + app: checkoutservice + ports: + - name: grpc + port: 5050 + targetPort: 5050 diff --git a/examples/kubernetes-manifests/currencyservice.yaml b/examples/kubernetes-manifests/currencyservice.yaml new file mode 100644 index 0000000..e598ad3 --- /dev/null +++ b/examples/kubernetes-manifests/currencyservice.yaml 
@@ -0,0 +1,82 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: currencyservice +spec: + selector: + matchLabels: + app: currencyservice + template: + metadata: + labels: + app: currencyservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: currencyservice + ports: + - name: grpc + containerPort: 7000 + env: + - name: PORT + value: "7000" + - name: DISABLE_TRACING + value: "1" + - name: DISABLE_PROFILER + value: "1" + - name: DISABLE_DEBUGGER + value: "1" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: currencyservice +spec: + type: ClusterIP + selector: + app: currencyservice + ports: + - name: grpc + port: 7000 + targetPort: 7000 diff --git a/examples/kubernetes-manifests/emailservice.yaml b/examples/kubernetes-manifests/emailservice.yaml new file mode 100644 index 0000000..18247e5 --- /dev/null 
+++ b/examples/kubernetes-manifests/emailservice.yaml @@ -0,0 +1,81 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: emailservice +spec: + selector: + matchLabels: + app: emailservice + template: + metadata: + labels: + app: emailservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: emailservice + ports: + - containerPort: 8080 + env: + - name: PORT + value: "8080" + - name: DISABLE_TRACING + value: "1" + - name: DISABLE_PROFILER + value: "1" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: emailservice +spec: + type: ClusterIP + selector: + app: emailservice + ports: + - name: grpc + port: 5000 + targetPort: 8080 diff --git a/examples/kubernetes-manifests/frontend.yaml b/examples/kubernetes-manifests/frontend.yaml new file mode 100644 index 0000000..c08341c --- /dev/null 
+++ b/examples/kubernetes-manifests/frontend.yaml 
@@ -0,0 +1,125 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: frontend +spec: + selector: + matchLabels: + app: frontend + template: + metadata: + labels: + app: frontend + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + serviceAccountName: default + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: frontend + ports: + - containerPort: 8080 + readinessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-readiness-probe" + livenessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-liveness-probe" + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + - name: RECOMMENDATION_SERVICE_ADDR + value: "recommendationservice:8080" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: CHECKOUT_SERVICE_ADDR + value: "checkoutservice:5050" + - name: AD_SERVICE_ADDR + value: 
"adservice:9555" + # # ENV_PLATFORM: One of: local, gcp, aws, azure, onprem, alibaba + # # When not set, defaults to "local" unless running in GKE, otherwies auto-sets to gcp + # - name: ENV_PLATFORM + # value: "aws" + - name: DISABLE_TRACING + value: "1" + - name: DISABLE_PROFILER + value: "1" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + # - name: CYMBAL_BRANDING + # value: "true" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend +spec: + type: ClusterIP + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend-external +spec: + type: LoadBalancer + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 diff --git a/examples/kubernetes-manifests/loadgenerator.yaml b/examples/kubernetes-manifests/loadgenerator.yaml new file mode 100644 index 0000000..610f902 --- /dev/null +++ b/examples/kubernetes-manifests/loadgenerator.yaml 
@@ -0,0 +1,75 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: loadgenerator +spec: + selector: + matchLabels: + app: loadgenerator + replicas: 1 + template: + metadata: + labels: + app: loadgenerator + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + restartPolicy: Always + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + initContainers: + - command: + - /bin/sh + - -exc + - | + echo "Init container pinging frontend: ${FRONTEND_ADDR}..." + STATUSCODE=$(wget --server-response http://${FRONTEND_ADDR} 2>&1 | awk '/^ HTTP/{print $2}') + if test $STATUSCODE -ne 200; then + echo "Error: Could not reach frontend - Status code: ${STATUSCODE}" + exit 1 + fi + name: frontend-check + image: busybox:latest + env: + - name: FRONTEND_ADDR + value: "frontend:80" + containers: + - name: main + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: loadgenerator + env: + - name: FRONTEND_ADDR + value: "frontend:80" + - name: USERS + value: "10" + resources: + requests: + cpu: 300m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi 
diff --git a/examples/kubernetes-manifests/paymentservice.yaml b/examples/kubernetes-manifests/paymentservice.yaml new file mode 100644 index 0000000..3c6f4f0 --- /dev/null +++ b/examples/kubernetes-manifests/paymentservice.yaml 
@@ -0,0 +1,81 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: paymentservice +spec: + selector: + matchLabels: + app: paymentservice + template: + metadata: + labels: + app: paymentservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: paymentservice + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + - name: DISABLE_TRACING + value: "1" + - name: DISABLE_PROFILER + value: "1" + - name: DISABLE_DEBUGGER + value: "1" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: paymentservice +spec: + type: ClusterIP + selector: + app: paymentservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 diff --git a/examples/kubernetes-manifests/productcatalogservice.yaml b/examples/kubernetes-manifests/productcatalogservice.yaml new file mode 100644 index 0000000..f8b298d --- /dev/null 
+++ b/examples/kubernetes-manifests/productcatalogservice.yaml @@ -0,0 +1,83 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productcatalogservice +spec: + selector: + matchLabels: + app: productcatalogservice + template: + metadata: + labels: + app: productcatalogservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: productcatalogservice + ports: + - containerPort: 3550 + env: + - name: PORT + value: "3550" + - name: DISABLE_STATS + value: "1" + - name: DISABLE_TRACING + value: "1" + - name: DISABLE_PROFILER + value: "1" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: productcatalogservice +spec: + type: ClusterIP + selector: + app: productcatalogservice + ports: + - name: grpc + port: 3550 + targetPort: 3550 
diff --git a/examples/kubernetes-manifests/recommendationservice.yaml b/examples/kubernetes-manifests/recommendationservice.yaml new file mode 100644 index 0000000..62bccf5 --- /dev/null +++ b/examples/kubernetes-manifests/recommendationservice.yaml 
@@ -0,0 +1,85 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: recommendationservice +spec: + selector: + matchLabels: + app: recommendationservice + template: + metadata: + labels: + app: recommendationservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: recommendationservice + ports: + - containerPort: 8080 + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: DISABLE_TRACING + value: "1" + - name: DISABLE_PROFILER + value: "1" + - name: DISABLE_DEBUGGER + value: "1" + resources: + requests: + cpu: 100m + memory: 220Mi + limits: + cpu: 200m + memory: 450Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: recommendationservice +spec: + type: ClusterIP + selector: + app: recommendationservice + ports: + - name: grpc + port: 8080 + targetPort: 8080 
diff --git a/examples/kubernetes-manifests/redis.yaml b/examples/kubernetes-manifests/redis.yaml new file mode 100644 index 0000000..455a599 --- /dev/null +++ b/examples/kubernetes-manifests/redis.yaml @@ -0,0 +1,78 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-cart +spec: + selector: + matchLabels: + app: redis-cart + template: + metadata: + labels: + app: redis-cart + spec: + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: redis + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: redis:alpine + ports: + - containerPort: 6379 + readinessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + livenessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + volumeMounts: + - mountPath: /data + name: redis-data + resources: + limits: + memory: 256Mi + cpu: 125m + requests: + cpu: 70m + memory: 200Mi + volumes: + - name: redis-data + emptyDir: {} +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-cart +spec: + type: ClusterIP + selector: + app: redis-cart + ports: + - name: tls-redis + port: 6379 + targetPort: 6379 diff --git a/examples/kubernetes-manifests/shippingservice.yaml b/examples/kubernetes-manifests/shippingservice.yaml new file mode 100644 index 0000000..5f3834e --- /dev/null 
+++ b/examples/kubernetes-manifests/shippingservice.yaml @@ -0,0 +1,83 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: shippingservice +spec: + selector: + matchLabels: + app: shippingservice + template: + metadata: + labels: + app: shippingservice + spec: + serviceAccountName: default + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + image: shippingservice + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + - name: DISABLE_STATS + value: "1" + - name: DISABLE_TRACING + value: "1" + - name: DISABLE_PROFILER + value: "1" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: shippingservice +spec: + type: ClusterIP + selector: + app: shippingservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 From 814bbd18231d6d2bbbee86be4f78fccf775b3ba4 Mon Sep 17 00:00:00 2001 
From: David Wertenteil Date: Tue, 30 Aug 2022 17:17:48 +0300 Subject: [PATCH 03/35] gh doc example --- .github/workflows/example.yaml | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index 796b616..5eede5c 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml @@ -1,14 +1,27 @@ name: Example on: [push, pull_request] - + jobs: - kubescape-scan: + nsa-security-check: runs-on: ubuntu-latest + steps: - - uses: actions/checkout@v3 - - uses: kubescape/kubescape-action@main - with: - threshold: "50" - account: ${{ github.KUBESCAPE_ACCOUNT }} + - name: Checkout + uses: actions/checkout@v2 + + - name: Install Kubescape + run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash + + - name: Scan YAML files + run: kubescape scan framework nsa *.yaml +# jobs: +# kubescape-scan: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v3 +# - uses: kubescape/kubescape-action@main +# with: +# threshold: "50" +# account: ${{ github.KUBESCAPE_ACCOUNT }} From 8288bc69d33d55c47fcfa70374d859769b4bef06 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Tue, 30 Aug 2022 17:20:52 +0300 Subject: [PATCH 04/35] use avinash actions --- .github/workflows/example.yaml | 38 +++++++++++++++++----------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index 5eede5c..71d92a8 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml 
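Review bot: `run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash` executes whatever the `master` branch serves at run time, unverified, on every push and pull request; an example others will copy should pin the installer to a tagged release and check its digest, or install a versioned binary, so the scanning tool itself is not the weakest link in the pipeline. The scan step `kubescape scan framework nsa *.yaml` only matches YAML files in the repository root, while the manifests added in PATCH 02/35 live under `examples/kubernetes-manifests/`, so as written the scan covers none of them; `run: kubescape scan framework nsa examples/kubernetes-manifests/*.yaml` would. `uses: actions/checkout@v2` is also a step back from the `@v3` the previous version used.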
@@ -1,27 +1,27 @@ name: Example on: [push, pull_request] -jobs: - nsa-security-check: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Install Kubescape - run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash - - - name: Scan YAML files - run: kubescape scan framework nsa *.yaml # jobs: -# kubescape-scan: +# nsa-security-check: # runs-on: ubuntu-latest + # steps: -# - uses: actions/checkout@v3 -# - uses: kubescape/kubescape-action@main -# with: -# threshold: "50" -# account: ${{ github.KUBESCAPE_ACCOUNT }} +# - name: Checkout +# uses: actions/checkout@v2 + +# - name: Install Kubescape +# run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash + +# - name: Scan YAML files +# run: kubescape scan framework nsa *.yaml +jobs: + kubescape-scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: avinashupadhya99/kubescape-action@main + with: + threshold: "50" + account: ${{ github.KUBESCAPE_ACCOUNT }} From 495e675d2f009b119d532d0396f9e586cf602903 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Tue, 30 Aug 2022 17:22:12 +0300 Subject: [PATCH 05/35] comment out account --- .github/workflows/example.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index 71d92a8..2726ffe 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml @@ -22,6 +22,6 @@ jobs: - uses: avinashupadhya99/kubescape-action@main with: threshold: "50" - account: ${{ github.KUBESCAPE_ACCOUNT }} + # account: ${{ github.KUBESCAPE_ACCOUNT }} From 6eb3f645e9d2c3c38de80c3affa3e6fa9e2d8d13 Mon Sep 17 00:00:00 2001 
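Review bot: `uses: avinashupadhya99/kubescape-action@main` pulls a third-party action from a personal account at a mutable branch, so the code that runs inside this workflow can change without any commit in this repository; pin it to a full commit SHA (`avinashupadhya99/kubescape-action@<commit-sha>`) or at least to a release tag. The `account: ${{ github.KUBESCAPE_ACCOUNT }}` line evaluates to an empty string because the `github` context has no such property; an account ID belongs in `${{ secrets.KUBESCAPE_ACCOUNT }}`. The same placeholder survives, commented out, in the following commit.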
From: David Wertenteil Date: Thu, 8 Sep 2022 15:20:08 +0300 Subject: [PATCH 06/35] testing examples --- .github/workflows/example.yaml | 54 ++++++++++++++++++++++------------ res.xml | 21 +++++++++++++ 2 files changed, 57 insertions(+), 18 deletions(-) create mode 100644 res.xml diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index 2726ffe..e6d2e9c 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml @@ -1,27 +1,45 @@ -name: Example -on: [push, pull_request] +# name: Example +# on: [push, pull_request] +# # jobs: +# # nsa-security-check: +# # runs-on: ubuntu-latest + +# # steps: +# # - name: Checkout +# # uses: actions/checkout@v2 + +# # - name: Install Kubescape +# # run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash + +# # - name: Scan YAML files +# # run: kubescape scan framework nsa *.yaml # jobs: -# nsa-security-check: +# kubescape-scan: # runs-on: ubuntu-latest - # steps: -# - name: Checkout -# uses: actions/checkout@v2 +# - uses: actions/checkout@v3 +# - uses: avinashupadhya99/kubescape-action@main +# with: +# threshold: "50" +# # account: ${{ github.KUBESCAPE_ACCOUNT }} + + +name: kubescape-scan + +on: + push: -# - name: Install Kubescape -# run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash - -# - name: Scan YAML files -# run: kubescape scan framework nsa *.yaml jobs: - kubescape-scan: + junit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: avinashupadhya99/kubescape-action@main + - uses: actions/checkout@master + - name: Publish Unit Test Results + uses: mikepenz/action-junit-report@v3 + if: always() with: - threshold: "50" - # account: ${{ github.KUBESCAPE_ACCOUNT }} - - + report_paths: "*.xml" + require_tests: false + fail_on_failure: false + detailed_summary: true \ No newline at end of file diff --git a/res.xml b/res.xml new file mode 100644 index 0000000..81bdad6 --- /dev/null 
+++ b/res.xml @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From a3a4457785270db94ed575d318b19cb8ab363bff Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Thu, 8 Sep 2022 15:41:50 +0300 Subject: [PATCH 07/35] fixed control ID --- res.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/res.xml b/res.xml index 81bdad6..7813413 100644 --- a/res.xml +++ b/res.xml @@ -9,12 +9,13 @@ + - + - + From 7839800426c65e40e22a734cc0153c3e2ce6c12f Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Thu, 8 Sep 2022 15:42:45 +0300 Subject: [PATCH 08/35] fixed checkout --- .github/workflows/example.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index e6d2e9c..5861e8c 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml @@ -34,7 +34,7 @@ jobs: junit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@v3 - name: Publish Unit Test Results uses: mikepenz/action-junit-report@v3 if: always() From 0ff73337247ebee4f312cabeda84be620cbbeff2 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Thu, 8 Sep 2022 16:27:47 +0300 Subject: [PATCH 09/35] use single file --- res.xml | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/res.xml b/res.xml index 7813413..dc9dc08 100644 --- a/res.xml +++ b/res.xml @@ -1,22 +1,10 @@ - - - - + + + + + + + - - - - - - - - - - - - - - - \ No newline at end of file From 5d5b39cf99a6fa76388912eb97a30603b9bbdca6 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Sun, 18 Sep 2022 14:39:38 +0300 Subject: [PATCH 10/35] Support non-root user --- Dockerfile | 5 ++--- entrypoint.sh | 9 +++++++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8db31e3..4f6fef2 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,6 +1,5 @@ FROM quay.io/armosec/kubescape -USER root -ADD entrypoint.sh /entrypoint.sh +COPY --chown=armo:armo entrypoint.sh entrypoint.sh -ENTRYPOINT ["/entrypoint.sh"] +ENTRYPOINT ["./entrypoint.sh"] diff --git a/entrypoint.sh b/entrypoint.sh index 09fdecb..9386ca9 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -23,9 +23,14 @@ fi FRAMEWORK_CMD=$([ ! -z "$INPUT_FRAMEWORK" ] && echo "framework $INPUT_FRAMEWORK" || echo "") CONTROL_CMD=$([ ! -z "$INPUT_CONTROL" ] && echo control $CONTROLS || echo "") -ACCOUNT_ID=$([ ! -z "$ACCOUNT_ID" ] && echo control $ACCOUNT_ID || echo "") +ACCOUNT_ID=$([ ! -z "$ACCOUNT_ID" ] && echo --account $ACCOUNT_ID || echo "") +INPUT_THRESHOLD=$([ ! -z "$INPUT_THRESHOLD" ] && echo --fail-threshold $INPUT_THRESHOLD || echo "") -COMMAND="kubescape scan $FRAMEWORK_CMD $CONTROL_CMD $INPUT_FILES --fail-threshold $INPUT_THRESHOLD $INPUT_ARGS --account $ACCOUNT_ID --verbose" +OUTPUT_FILE="results.xml" +OUTPUT_FORMAT="junit" +COMMAND="kubescape scan --output=$OUTPUT_FILE --format=$OUTPUT_FORMAT $FRAMEWORK_CMD $CONTROL_CMD $INPUT_FILES $INPUT_THRESHOLD $ACCOUNT_ID" + +echo running: $COMMAND eval $COMMAND From 9fc38015c9076ec8a55d4648925f81c0cfb60ee7 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Sun, 18 Sep 2022 14:47:20 +0300 Subject: [PATCH 11/35] update junit --- .github/workflows/example.yaml | 45 +++++++++------------------------- 1 file changed, 12 insertions(+), 33 deletions(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index 5861e8c..79e5877 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml 
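Review bot: `FROM quay.io/armosec/kubescape` has no tag or digest, so every build of this action pulls whatever the registry currently serves as `latest`; for a scanner whose verdict gates pull requests that is an unpinned supply-chain input, and it deserves at least a version tag, ideally `@sha256:<digest>`. `COPY --chown=armo:armo entrypoint.sh entrypoint.sh` and `ENTRYPOINT ["./entrypoint.sh"]` are both relative paths, so they resolve against whatever `WORKDIR` the base image happens to set; an absolute destination and entrypoint would not depend on that.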
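Review bot: The new `ACCOUNT_ID=$([ ! -z "$ACCOUNT_ID" ] && ...)` line tests a variable that nothing in this script sets: the action's `account` input arrives as `INPUT_ACCOUNT`, the same way `INPUT_FRAMEWORK` and `INPUT_THRESHOLD` do two lines above, so `--account` is never appended and the input added to `action.yml` in the first patch is silently ignored; `ACCOUNT_ID=$([ ! -z "$INPUT_ACCOUNT" ] && echo --account $INPUT_ACCOUNT || echo "")`. `echo running: $COMMAND` then writes the complete command line, account ID included, to the job log; GitHub masks values registered as secrets, but an ID passed as a plain input is printed in clear, so the echoed command should have that value redacted. `eval $COMMAND` expands `$INPUT_FILES` and the other inputs unquoted, so an input containing shell metacharacters is interpreted by the shell instead of being passed to kubescape; building an argument array and invoking `kubescape "${args[@]}"` avoids that. The surrounding block starts outside the hunk (the `fi` in the hunk header).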
@@ -1,37 +1,16 @@ -# name: Example -# on: [push, pull_request] - -# # jobs: -# # nsa-security-check: -# # runs-on: ubuntu-latest - -# # steps: -# # - name: Checkout -# # uses: actions/checkout@v2 - -# # - name: Install Kubescape -# # run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash - -# # - name: Scan YAML files -# # run: kubescape scan framework nsa *.yaml -# jobs: -# kubescape-scan: -# runs-on: ubuntu-latest -# steps: -# - uses: actions/checkout@v3 -# - uses: avinashupadhya99/kubescape-action@main -# with: -# threshold: "50" -# # account: ${{ github.KUBESCAPE_ACCOUNT }} - - -name: kubescape-scan - -on: - push: +name: Example +on: [push, pull_request] jobs: - junit: + kubescape-scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: ${{ github.repository_owner }}/github-action@main + with: + threshold: "50" + # account: ${{ github.KUBESCAPE_ACCOUNT }} + publish-results: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 @@ -39,7 +18,7 @@ jobs: uses: mikepenz/action-junit-report@v3 if: always() with: - report_paths: "*.xml" + report_paths: "results.xml" require_tests: false fail_on_failure: false detailed_summary: true \ No newline at end of file From d77c2c6c33b1aaad12a6af646c8f6d4ad6f32539 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Sun, 18 Sep 2022 14:54:01 +0300 Subject: [PATCH 12/35] update org name --- .github/workflows/example.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index 79e5877..42b6810 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml @@ -1,12 +1,11 @@ name: Example on: [push, pull_request] - jobs: kubescape-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - uses: ${{ github.repository_owner }}/github-action@main + - uses: dwertent/github-action@main with: threshold: "50" # account: ${{ github.KUBESCAPE_ACCOUNT }} 
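Review bot: `publish-results` is a separate job, and each job runs on a fresh runner with its own checkout, so the `results.xml` written by the `kubescape-scan` job does not exist when `mikepenz/action-junit-report` looks for `report_paths: "results.xml"` in the second hunk; either upload the file as an artifact in the first job and download it in the second, or run both steps in one job. There is also no `needs:` between the jobs, so even with an artifact hand-off the publish job could start before the scan has finished.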
From d4478cda487dd52fae65dc3ad51b9bfb23d1b856 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Sun, 18 Sep 2022 14:55:13 +0300 Subject: [PATCH 13/35] adding "needs" --- .github/workflows/example.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index 42b6810..96d1d3d 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml @@ -10,6 +10,7 @@ jobs: threshold: "50" # account: ${{ github.KUBESCAPE_ACCOUNT }} publish-results: + needs: kubescape-scan runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 From 696d7fe3f1d8d4190061167c44ed7e834ef46fba Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Sun, 18 Sep 2022 14:57:45 +0300 Subject: [PATCH 14/35] update working dir --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 4f6fef2..d28a804 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,6 @@ FROM quay.io/armosec/kubescape +WORKDIR /home/armo COPY --chown=armo:armo entrypoint.sh entrypoint.sh ENTRYPOINT ["./entrypoint.sh"] From 69873fdc85ab35638ad993e5a043fbe36fe7ebfc Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Sun, 18 Sep 2022 15:17:20 +0300 Subject: [PATCH 15/35] Run as root --- Dockerfile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index d28a804..817d010 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,9 @@ FROM quay.io/armosec/kubescape -WORKDIR /home/armo -COPY --chown=armo:armo entrypoint.sh entrypoint.sh +USER root +COPY entrypoint.sh entrypoint.sh + +ENV KS_SKIP_UPDATE_CHECK true +ENV KS_DOWNLOAD_ARTIFACTS false ENTRYPOINT ["./entrypoint.sh"] From 84c015a6bedf5d481ccfeea7009c7333cec64f9e Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Sun, 18 Sep 2022 15:20:28 +0300 Subject: [PATCH 16/35] changed threshold --- .github/workflows/example.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index 96d1d3d..fe79518 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml @@ -7,7 +7,7 @@ jobs: - uses: actions/checkout@v3 - uses: dwertent/github-action@main with: - threshold: "50" + threshold: "0" # account: ${{ github.KUBESCAPE_ACCOUNT }} publish-results: needs: kubescape-scan @@ -18,7 +18,7 @@ jobs: uses: mikepenz/action-junit-report@v3 if: always() with: - report_paths: "results.xml" + report_paths: "**.xml" require_tests: false fail_on_failure: false detailed_summary: true \ No newline at end of file From f551cdc8213e3dd73689fb06125c77ab0a3c1c02 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Sun, 18 Sep 2022 15:24:53 +0300 Subject: [PATCH 17/35] change to a single step --- .github/workflows/example.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index fe79518..e4faa7d 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml @@ -9,11 +9,13 @@ jobs: with: threshold: "0" # account: ${{ github.KUBESCAPE_ACCOUNT }} - publish-results: - needs: kubescape-scan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 + - name: Archive kubescape scan results + uses: actions/upload-artifact@v2 + if: always() + with: + name: kubescape-scan-report + path: results.xml + - name: Publish Unit Test Results uses: mikepenz/action-junit-report@v3 if: always() From 498f06c4741176ce0696816384c5ee41068673d2 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Sun, 18 Sep 2022 15:28:47 +0300 Subject: [PATCH 18/35] update threshold --- .github/workflows/example.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index e4faa7d..d1df078 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml 
@@ -7,7 +7,7 @@ jobs: - uses: actions/checkout@v3 - uses: dwertent/github-action@main with: - threshold: "0" + threshold: "50" # account: ${{ github.KUBESCAPE_ACCOUNT }} - name: Archive kubescape scan results uses: actions/upload-artifact@v2 From 5b9792109e56845fe711f4ff0b2fc89341f47124 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Mon, 19 Sep 2022 15:46:05 +0300 Subject: [PATCH 19/35] cosmetic changes --- .github/workflows/example.yaml | 41 +++-- CODE_OF_CONDUCT.md | 127 +++++++++++++++ CONTRIBUTING.md | 100 ++++++++++++ Dockerfile | 8 +- LICENSE | 202 ++++++++++++++++++++++++ README.md | 101 ++++++------ action.yml | 5 +- entrypoint.sh | 2 - examples/kubernetes-manifests/README.md | 8 - res.xml | 10 -- 10 files changed, 505 insertions(+), 99 deletions(-) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE delete mode 100644 examples/kubernetes-manifests/README.md delete mode 100644 res.xml diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index d1df078..7986936 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml 
@@ -1,26 +1,23 @@ -name: Example +name: Kubescape scanning for misconfigurations on: [push, pull_request] jobs: - kubescape-scan: + kubescape: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: dwertent/github-action@main - with: - threshold: "50" - # account: ${{ github.KUBESCAPE_ACCOUNT }} - - name: Archive kubescape scan results - uses: actions/upload-artifact@v2 - if: always() - with: - name: kubescape-scan-report - path: results.xml - - - name: Publish Unit Test Results - uses: mikepenz/action-junit-report@v3 - if: always() - with: - report_paths: "**.xml" - require_tests: false - fail_on_failure: false - detailed_summary: true \ No newline at end of file + - uses: actions/checkout@v3 + - uses: kubescape/github-action@main + with: + # Optional - Add Kubescape cloud account ID. + account: ${{secrets.ACCOUNT}} + # # Optional - Scan a specific path. Default will scan all + # files: "examples/*.yaml" + - name: Archive kubescape scan results + uses: actions/upload-artifact@v2 + with: + name: kubescape + path: results.xml + - name: Publish Unit Test Results + uses: mikepenz/action-junit-report@v3 + if: always() + with: + report_paths: "*.xml" \ No newline at end of file diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..2dfc05b --- /dev/null +++ b/CODE_OF_CONDUCT.md 
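Review bot: The `Archive kubescape scan results` step has no `if: always()`, while the `Publish Unit Test Results` step right below it does; when the scan exceeds the threshold and the action step fails, the archive step is skipped and `results.xml` — the file most useful for diagnosing exactly that failure — is never uploaded. Add `if: always()` to the archive step as well. `uses: kubescape/github-action@main` and `actions/upload-artifact@v2` are mutable references; for the step that decides whether a pull request passes, a commit SHA keeps the gating code fixed.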
@@ -0,0 +1,127 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, religion, or sexual identity +and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the + overall community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or + advances of any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email + address, without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. 
+ +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement [here](mailto:ben@armosec.io). +All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series +of actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. 
This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or +permanent ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within +the community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.0, available at +https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. + +Community Impact Guidelines were inspired by [Mozilla's code of conduct +enforcement ladder](https://github.com/mozilla/diversity). + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see the FAQ at +https://www.contributor-covenant.org/faq. Translations are available at +https://www.contributor-covenant.org/translations. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..a31c250 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,100 @@ +# Contributing + +First, it is awesome that you are considering contributing to Kubescape! Contributing is important and fun and we welcome your efforts. + +When contributing, we categorize contributions into two: +* Small code changes or fixes, whose scope is limited to a single or two files +* Complex features and improvements, that are not limited + +If you have a small change, feel free to fire up a Pull Request. + +When planning a bigger change, please first discuss the change you wish to make via issue, +email, or any other method with the owners of this repository before making a change. Most likely your changes or features are great, but sometimes we might be already going in this direction (or the exact opposite ;-) ) and we don't want to waste your time. + +Please note we have a code of conduct, please follow it in all your interactions with the project. + +## Pull Request Process + +1. Ensure any install or build dependencies are removed before the end of the layer when doing a + build. +2. Update the README.md with details of changes to the interface, this includes new environment + variables, exposed ports, useful file locations and container parameters. +3. Open Pull Request to `dev` branch - we test the component before merging into the `master` branch +4. We will merge the Pull Request once you have the sign-off. + +## Code of Conduct + +### Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to make participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, gender identity and expression, level of experience, +nationality, personal appearance, race, religion, or sexual identity and +orientation. 
+ +### Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or +advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +We will distance those who constantly adhere to unacceptable behavior. + +### Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective actions in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. + +### Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. 
+ +### Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at [INSERT EMAIL ADDRESS]. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +### Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at [http://contributor-covenant.org/version/1/4][version] + +[homepage]: http://contributor-covenant.org +[version]: http://contributor-covenant.org/version/1/4/ diff --git a/Dockerfile b/Dockerfile index 6be1973..2972748 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,12 @@ FROM quay.io/kubescape/kubescape:v2.0.171 -# We will need root privileges, so that kubescape can write the results to a file +# Kubescape uses root privileges for writing the results to a file USER root -COPY entrypoint.sh /entrypoint.sh -# KS_SKIP_UPDATE_CHECK is used to skip checking whether the run is on the latest version of kubescape +# KS_SKIP_UPDATE_CHECK - skip latest version check ENV KS_SKIP_UPDATE_CHECK true -# KS_DOWNLOAD_ARTIFACTS X is used so that kubescape will not look for whether the artifact exists locally in cache +# KS_DOWNLOAD_ARTIFACTS - Kubescape will load the policies from the local cache ENV KS_DOWNLOAD_ARTIFACTS false +COPY entrypoint.sh /entrypoint.sh ENTRYPOINT ["/entrypoint.sh"] diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..d645695 --- /dev/null +++ b/LICENSE 
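Review bot: `FROM quay.io/kubescape/kubescape:v2.0.171` now pins a version tag, which is an improvement over the earlier untagged reference; a tag can still be re-pushed, so for a scanner that gates merges consider appending the image digest (`quay.io/kubescape/kubescape:v2.0.171@sha256:<digest>`). `ENV KS_SKIP_UPDATE_CHECK true` and `ENV KS_DOWNLOAD_ARTIFACTS false` use the whitespace-separated form that Docker's documentation discourages; `ENV KS_SKIP_UPDATE_CHECK=true` is the recommended spelling. The rewritten comment on `KS_DOWNLOAD_ARTIFACTS` drops the reason the old one gave for the setting, so a reader no longer learns what happens when the policies are absent from the image; keeping that caveat in the comment would help whoever next bumps the base image.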
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md index 3eef988..259b938 100644 --- a/README.md +++ b/README.md 
@@ -7,21 +7,29 @@ Run security scans on your Kubernetes manifests and Helm charts as a part of you Add the following step to your workflow configuration: ```yaml -steps: - - uses: actions/checkout@v3 - - uses: kubescape/github-action@main - with: - account: ${{secrets.ACCOUNT}} # kubescape cloud account, optional - - name: Archive kubescape scan results - uses: actions/upload-artifact@v2 - with: - name: kubescape-scan-report - path: results.xml - - name: Publish Unit Test Results - uses: mikepenz/action-junit-report@v3 - if: always() - with: - report_paths: "*.xml" +name: Kubescape scanning for misconfigurations +on: [push, pull_request] +jobs: + kubescape: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: kubescape/github-action@main + with: + # Optional - Add Kubescape cloud account ID. + account: ${{secrets.ACCOUNT}} + # # Optional - Scan a specific path. Default will scan all + # files: "examples/*.yaml" + - name: Archive kubescape scan results + uses: actions/upload-artifact@v2 + with: + name: kubescape + path: results.xml + - name: Publish Unit Test Results + uses: mikepenz/action-junit-report@v3 + if: always() + with: + report_paths: "*.xml" ``` ## Inputs 
@@ -29,8 +37,8 @@ steps: | Name | Description | Required | | --- | --- | ---| | files | The YAML files/Helm charts to scan for misconfigurations. The files need to be provided with the complete path from the root of the repository. | No (default all repository) | -| framework | The security framework(s) to scan the files against. Multiple frameworks can be specified separated by a comma with no spaces. Example - `nsa,devopsbest`. Run `kubescape list frameworks` with the [Kubescape CLI](https://hub.armo.cloud/docs/installing-kubescape) to get a list of all frameworks. Either frameworks have to be specified or controls. | No | -| control | The security control(s) to scan the files against. Multiple controls can be specified separated by a comma with no spaces. Example - `Configured liveness probe,Pods in default namespace`. Run `kubescape list controls` with the [Kubescape CLI](https://hub.armo.cloud/docs/installing-kubescape) to get a list of all controls. The complete control name can be specified or the ID such as `C-0001` can be specified. Either controls have to be specified or frameworks. | No | +| frameworks | The security framework(s) to scan the files against. Multiple frameworks can be specified separated by a comma with no spaces. Example - `nsa,devopsbest`. Run `kubescape list frameworks` with the [Kubescape CLI](https://hub.armo.cloud/docs/installing-kubescape) to get a list of all frameworks. Either frameworks have to be specified or controls. | No | +| controls | The security control(s) to scan the files against. Multiple controls can be specified separated by a comma with no spaces. Example - `Configured liveness probe,Pods in default namespace`. Run `kubescape list controls` with the [Kubescape CLI](https://hub.armo.cloud/docs/installing-kubescape) to get a list of all controls. The complete control name can be specified or the ID such as `C-0001` can be specified. Either controls have to be specified or frameworks. 
| No | | account | Account-id for the [kubescape cloud](https://cloud.armosec.io/). Used for custom configuration, such as frameworks, control configuration, etc. | No | | failedThreshold | Failure threshold is the percent above which the command fails and returns exit code 1 (default 0 i.e, action fails if any control fails) | No (default 0) | | thresholdCritical |Threshold Critical is the number or more of critical controls that failed and returns exit code 1 | No | @@ -41,12 +49,11 @@ steps: ## Examples -#### With Account-id +#### Scan and submit results to the [Kubescape cloud](https://cloud.armosec.io/) ```yaml -name: Scan repository using Kubescape with account, To use custom configuration from the kubescape cloud -on: push - +name: Kubescape scanning for misconfigurations +on: [push, pull_request] jobs: kubescape: runs-on: ubuntu-latest @@ -67,12 +74,11 @@ jobs: report_paths: "*.xml" ``` -#### Specific Yamls path +#### Scan specific Kubernetes YAML paths ```yaml -name: Scan YAML files with Kubescape -on: push - +name: Kubescape scanning for misconfigurations +on: [push, pull_request] jobs: kubescape: runs-on: ubuntu-latest @@ -80,7 +86,7 @@ jobs: - uses: actions/checkout@v3 - uses: kubescape/github-action@main with: - files: "kubernetes-prod/*.yaml" + files: "kubernetes-manifests/*.yaml" - name: Archive kubescape scan results uses: actions/upload-artifact@v2 with: @@ -93,12 +99,13 @@ jobs: report_paths: "*.xml" ``` -#### Specifying frameworks +#### Scan a list of specific frameworks -```yaml -name: Scan repository using Kubescape against specific frameworks -on: push +Scan repository using Kubescape against a list of specific frameworks +```yaml +name: Kubescape scanning for misconfigurations +on: [push, pull_request] jobs: kubescape: runs-on: ubuntu-latest @@ -107,7 +114,7 @@ jobs: - uses: kubescape/github-action@main with: framework: | - nsa,devopsbest + nsa,mitre - name: Archive kubescape scan results uses: actions/upload-artifact@v2 with: 
@@ -120,12 +127,13 @@ jobs: report_paths: "*.xml" ``` -#### Using failed-threshold +#### Fail Kubescape scanning based on failed-threshold -```yaml -name: Scan repository with Kubescape and failed action If the percent of failed controls is more than failedThreshold -on: push +Scan repository with Kubescape and failed action if the percent of failed controls is more than failedThreshold +```yaml +name: Kubescape scanning for misconfigurations +on: [push, pull_request] jobs: kubescape: runs-on: ubuntu-latest @@ -137,12 +145,7 @@ jobs: - name: Archive kubescape scan results uses: actions/upload-artifact@v2 with: - name: kubescape-scan-report - path: results.xml - - name: Archive kubescape scan results - uses: actions/upload-artifact@v2 - with: - name: kubescape-scan-report + name: kubescape path: results.xml - name: Publish Unit Test Results uses: mikepenz/action-junit-report@v3 @@ -150,12 +153,13 @@ jobs: with: report_paths: "*.xml" ``` -#### Using severity-threshold +#### Fail Kubescape scanning based on severity-threshold -```yaml -name: Scan repository with Kubescape and failed action If the number of failed controls with severity {X} is more than Threshold{X} -on: push +Scan repository with Kubescape and failed action if the number of failed resources with severity {X} is more than threshold {X} +```yaml +name: Kubescape scanning for misconfigurations +on: [push, pull_request] jobs: kubescape: runs-on: ubuntu-latest @@ -169,7 +173,7 @@ jobs: - name: Archive kubescape scan results uses: actions/upload-artifact@v2 with: - name: kubescape-scan-report + name: kubescape path: results.xml - name: Publish Unit Test Results uses: mikepenz/action-junit-report@v3 @@ -177,7 +181,4 @@ jobs: with: report_paths: "*.xml" ``` - -## License - -[//]: TODO + \ No newline at end of file diff --git a/action.yml b/action.yml index ca042fe..d554a6b 100644 --- a/action.yml +++ b/action.yml 
@@ -1,7 +1,5 @@ name: Kubescape description: Run Kubescape scan -# author: - inputs: failedThreshold: description: | @@ -52,7 +50,8 @@ inputs: required: false format: description: | - format is the kubescape output format + Output format + Run `kubescape scan -h` for listing supported formats required: false default: junit runs: diff --git a/entrypoint.sh b/entrypoint.sh index 72fd232..9999489 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -32,6 +32,4 @@ THRESHOLD_LOW_CMD=$([ ! -z "$INPUT_THRESHOLDLOW" ] && echo --threshold-low $INPU COMMAND="kubescape scan $FRAMEWORKS_CMD $CONTROLS_CMD $FILES $ACCOUNT_CMD --fail-threshold $INPUT_FAILEDTHRESHOLD $THRESHOLD_CRITICAL_CMD $THRESHOLD_HIGH_CMD $THRESHOLD_MEDIUM_CMD $THRESHOLD_LOW_CMD --format $INPUT_FORMAT --output results.xml" -echo running: $COMMAND eval $COMMAND - diff --git a/examples/kubernetes-manifests/README.md b/examples/kubernetes-manifests/README.md deleted file mode 100644 index ed852b7..0000000 --- a/examples/kubernetes-manifests/README.md +++ /dev/null @@ -1,8 +0,0 @@ -# ./kubernetes-manifests - -:warning: Kubernetes manifests provided in this directory are not directly -deployable to a cluster. They are meant to be used with `skaffold` command to -insert the correct `image:` tags. - -Use the manifests in [/release](/release) directory which are configured with -pre-built public images. diff --git a/res.xml b/res.xml deleted file mode 100644 index dc9dc08..0000000 --- a/res.xml +++ /dev/null @@ -1,10 +0,0 @@ - - - - - - - - - - \ No newline at end of file From c91b582d396f1904f84e8d1ee2bc7b5976e1dc19 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Mon, 19 Sep 2022 15:51:25 +0300 Subject: [PATCH 20/35] update example --- .github/workflows/example.yaml | 6 +++--- README.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index 7986936..d92f85a 100644 --- a/.github/workflows/example.yaml 
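Review bot: Dropping `echo running: $COMMAND` also stops the composed command line, which carries `--account $INPUT_ACCOUNT` through `$ACCOUNT_CMD`, from being written to the job log, and that is worth keeping; but the `eval $COMMAND` that remains executes a string assembled from unquoted action inputs, so an input containing spaces or shell metacharacters is re-parsed by the shell rather than passed as one argument. If the script runs under bash, building an array such as `CMD=(kubescape scan $FRAMEWORKS_CMD $CONTROLS_CMD "$FILES" $ACCOUNT_CMD ...)` and running `"${CMD[@]}"` keeps the optional-flag composition while removing the second round of word splitting and command substitution. The same `eval` pattern is carried through the later entrypoint.sh hunks in this series.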
+++ b/.github/workflows/example.yaml @@ -6,9 +6,9 @@ jobs: steps: - uses: actions/checkout@v3 - uses: kubescape/github-action@main - with: - # Optional - Add Kubescape cloud account ID. - account: ${{secrets.ACCOUNT}} + # with: + # # Optional - Add Kubescape cloud account ID. + # account: ${{secrets.KUBESCAPE_ACCOUNT}} # # Optional - Scan a specific path. Default will scan all # files: "examples/*.yaml" - name: Archive kubescape scan results diff --git a/README.md b/README.md index 259b938..f953a75 100644 --- a/README.md +++ b/README.md @@ -15,9 +15,9 @@ jobs: steps: - uses: actions/checkout@v3 - uses: kubescape/github-action@main - with: - # Optional - Add Kubescape cloud account ID. - account: ${{secrets.ACCOUNT}} + # with: + # # Optional - Add Kubescape cloud account ID. + # account: ${{secrets.KUBESCAPE_ACCOUNT}} # # Optional - Scan a specific path. Default will scan all # files: "examples/*.yaml" - name: Archive kubescape scan results From 75f3345c1615c03effd5370efff979bc23bfddec Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Mon, 19 Sep 2022 15:55:57 +0300 Subject: [PATCH 21/35] remove default failedThreshold --- action.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/action.yml b/action.yml index d554a6b..afd2d80 100644 --- a/action.yml +++ b/action.yml @@ -5,7 +5,6 @@ inputs: description: | Failure threshold is the percent above which the command fails and returns exit code 1 (default 0 i.e, action fails if any control fails) - default: "0" required: false files: description: | From fcc6d4877c1e753dce5ec37cd037f48f32a1c351 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Mon, 19 Sep 2022 16:01:00 +0300 Subject: [PATCH 22/35] update INPUT_FAILEDTHRESHOLD --- entrypoint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 9999489..1eca155 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -25,11 +25,12 @@ FRAMEWORKS_CMD=$([ ! -z "$INPUT_FRAMEWORKS" ] && echo "framework $INPUT_FRAMEWOR CONTROLS_CMD=$([ ! -z "$INPUT_CONTROLS" ] && echo control $CONTROLS || echo "") FILES=$([ ! -z "$INPUT_FILES" ] && echo "$INPUT_FILES" || echo .) ACCOUNT_CMD=$([ ! -z "$INPUT_ACCOUNT" ] && echo --account $INPUT_ACCOUNT --submit || echo "") +INPUT_FAILEDTHRESHOLD=$([ ! -z "$INPUT_FAILEDTHRESHOLD" ] && echo --fail-threshold $INPUT_FAILEDTHRESHOLD || echo "") THRESHOLD_CRITICAL_CMD=$([ ! -z "$INPUT_THRESHOLDCRITICAL" ] && echo --threshold-critical $INPUT_THRESHOLDCRITICAL || echo "") THRESHOLD_HIGH_CMD=$([ ! -z "$INPUT_THRESHOLDHIGH" ] && echo --threshold-high $INPUT_THRESHOLDHIGH || echo "") THRESHOLD_MEDIUM_CMD=$([ ! -z "$INPUT_THRESHOLDMEDIUM" ] && echo --threshold-medium $INPUT_THRESHOLDMEDIUM || echo "") THRESHOLD_LOW_CMD=$([ ! -z "$INPUT_THRESHOLDLOW" ] && echo --threshold-low $INPUT_THRESHOLDLOW || echo "") -COMMAND="kubescape scan $FRAMEWORKS_CMD $CONTROLS_CMD $FILES $ACCOUNT_CMD --fail-threshold $INPUT_FAILEDTHRESHOLD $THRESHOLD_CRITICAL_CMD $THRESHOLD_HIGH_CMD $THRESHOLD_MEDIUM_CMD $THRESHOLD_LOW_CMD --format $INPUT_FORMAT --output results.xml" +COMMAND="kubescape scan $FRAMEWORKS_CMD $CONTROLS_CMD $FILES $ACCOUNT_CMD $INPUT_FAILEDTHRESHOLD $THRESHOLD_CRITICAL_CMD $THRESHOLD_HIGH_CMD $THRESHOLD_MEDIUM_CMD $THRESHOLD_LOW_CMD --format $INPUT_FORMAT --output results" eval $COMMAND From 63418e1ae772de1baf008f62401f02c6ba973e4f Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Mon, 19 Sep 2022 17:25:06 +0300 Subject: [PATCH 23/35] adding default failedThreshold to the workflow --- .github/workflows/example.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index d92f85a..bc3b0d9 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml 
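Review bot: `INPUT_FAILEDTHRESHOLD` is reassigned to hold the whole `--fail-threshold N` flag string, which overwrites the action input of the same name and breaks the `*_CMD` naming every sibling line uses; `FAILED_THRESHOLD_CMD=$([ ! -z "$INPUT_FAILEDTHRESHOLD" ] && echo --fail-threshold $INPUT_FAILEDTHRESHOLD || echo "")` with `$FAILED_THRESHOLD_CMD` in `COMMAND` keeps the raw input available for later checks. The same line also changes `--output results.xml` to `--output results` while the README and example workflows in this series still upload `path: results.xml`; unless kubescape appends the format's extension to the output name itself, the artifact step will find no file.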
@@ -6,7 +6,8 @@ jobs: steps: - uses: actions/checkout@v3 - uses: kubescape/github-action@main - # with: + with: + failedThreshold: 100 # # Optional - Add Kubescape cloud account ID. # account: ${{secrets.KUBESCAPE_ACCOUNT}} # # Optional - Scan a specific path. Default will scan all From 999fd6aead9beba936beaf27dfcde4136dd7b3a7 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Thu, 22 Sep 2022 12:36:18 +0300 Subject: [PATCH 24/35] remove failedThreshold from actions --- .github/workflows/example.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index bc3b0d9..1eb93f3 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml @@ -6,12 +6,12 @@ jobs: steps: - uses: actions/checkout@v3 - uses: kubescape/github-action@main - with: - failedThreshold: 100 - # # Optional - Add Kubescape cloud account ID. - # account: ${{secrets.KUBESCAPE_ACCOUNT}} - # # Optional - Scan a specific path. Default will scan all - # files: "examples/*.yaml" + # with: + # failedThreshold: 100 + # # Op`tional - Add Kubescape cloud account ID. + # account: ${{secrets.KUBESCAPE_ACCOUNT}} + # # Optional - Scan a specific path. Default will scan all + # files: "examples/*.yaml" - name: Archive kubescape scan results uses: actions/upload-artifact@v2 with: From 27e75d50352fdf3b88886917ce76908626c41694 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Wed, 28 Sep 2022 09:28:39 +0300 Subject: [PATCH 25/35] printing path --- entrypoint.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 5f25a49..dd0f7e0 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
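Review bot: The re-commented block in the second hunk introduces a stray backtick in `# # Op`tional - Add Kubescape cloud account ID.`; it should read `# # Optional - Add Kubescape cloud account ID.`. These lines are the template users are expected to uncomment, so the typo propagates into their workflows.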
@@ -32,6 +32,10 @@ THRESHOLD_HIGH_CMD=$([ ! -z "$INPUT_THRESHOLDHIGH" ] && echo --threshold-high $I THRESHOLD_MEDIUM_CMD=$([ ! -z "$INPUT_THRESHOLDMEDIUM" ] && echo --threshold-medium $INPUT_THRESHOLDMEDIUM || echo "") THRESHOLD_LOW_CMD=$([ ! -z "$INPUT_THRESHOLDLOW" ] && echo --threshold-low $INPUT_THRESHOLDLOW || echo "") +ls -la $ARTIFACTS_PATH +ls -la $pwd +ls -la + COMMAND="kubescape scan $FRAMEWORKS_CMD $CONTROLS_CMD $FILES $ACCOUNT_CMD $INPUT_FAILEDTHRESHOLD $THRESHOLD_CRITICAL_CMD $THRESHOLD_HIGH_CMD $THRESHOLD_MEDIUM_CMD $THRESHOLD_LOW_CMD --format $INPUT_FORMAT --output results --use-artifacts-from $ARTIFACTS_PATH" eval $COMMAND From 621a4e2cd8648306f72e5c3292d9db7d2d19fec7 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Mon, 3 Oct 2022 14:15:39 +0300 Subject: [PATCH 26/35] Gh workflows (#1) * adding release * trigger --- .github/workflows/example.yaml | 5 ++- .github/workflows/release.yaml | 70 ++++++++++++++++++++++++++++++++++ action.yml | 4 +- entrypoint.sh | 1 + 4 files changed, 78 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/release.yaml diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index 7d4ab5e..de214d7 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml @@ -1,11 +1,14 @@ name: Kubescape scanning for misconfigurations -on: [push, pull_request] +on: + release: + types: [published] jobs: kubescape: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: kubescape/github-action@main + continue-on-error: true # with: # failedThreshold: 100 # # Optional - Add Kubescape cloud account ID. diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..5a7ffd7 --- /dev/null +++ b/.github/workflows/release.yaml 
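Review bot: `ls -la $pwd` expands the unset lowercase variable `pwd` to nothing, so it is identical to the bare `ls -la` on the next line; `ls -la "$PWD"` or `ls -la "$(pwd)"` was presumably meant. The three listings also dump the contents of `$ARTIFACTS_PATH` and the checked-out workspace into every consumer's job log, which is debug output rather than part of the scan; if they are kept, gate them on a debug input, otherwise drop them before the image is published.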
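Review bot: `continue-on-error: true` on the kubescape step means a scan that exits non-zero, including one that trips `--fail-threshold`, never fails the workflow, which removes the gate this action exists to provide. For the repository's own example workflow that may be deliberate, but the same line is copied into every user-facing README example later in this series (the "update org" commit), where it teaches users to ignore scan failures; a comment such as `# continue-on-error keeps the release pipeline green; remove it to enforce the scan result` would at least make the trade-off explicit where it is copied from.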
@@ -0,0 +1,70 @@
+name: build
+
+on:
+ push:
+ branches: [ main ]
+ paths-ignore:
+ - '**.md'
+ - '**/example.yaml'
+ - '*/examples/*'
+jobs:
+
+ build-image:
+ name: Build docker container, tag and upload to registry
+ needs: build
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ packages: write
+ contents: read
+ steps:
+
+ - uses: actions/checkout@v3
+ with:
+ submodules: recursive
+
+ - name: Set image version
+ id: image-version
+ run: echo '::set-output name=IMAGE_VERSION::v1.0.${{ github.run_number }}'
+
+ - name: Set image name
+ id: image-name
+ run: echo '::set-output name=IMAGE_NAME::quay.io/${{ github.repository_owner }}/github-actions'
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Login to Quay.io
+ env:
+ QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+ QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+ run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
+
+ - name: Build the Docker image
+ run: docker buildx build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.12.0'
+ - name: sign kubescape container image
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ run: |
+ cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
+ cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }}
+
+ - name: Create a release
+ id: create_release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ release_name: Release v1.0.${{ github.run_number }}
+ tag_name: v1.0.${{ github.run_number }}
+ draft: false
+ prerelease: false
+
\ No newline at end of file
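Review bot: `docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io` passes the registry password as a command-line argument, where it is visible in the runner's process list and in any shell tracing; `echo "${QUAY_PASSWORD}" | docker login -u "${QUAY_USERNAME}" --password-stdin quay.io` keeps it out of argv. `sigstore/cosign-installer@main` fetches the tool that signs the image from a mutable branch, so pin it to a tagged release or commit SHA the way `cosign-release: 'v1.12.0'` already pins cosign itself. `cosign sign --force ...:latest` signs whatever the mutable tag resolves to at signing time rather than the digest that was just built, so the signature can later be attributed to a different image; signing the pushed digest (`<IMAGE_NAME>@sha256:<digest from the build step>`) avoids that. These three points also apply to the later release.yaml hunks in this series, which leave the login and signing lines unchanged.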
diff --git a/action.yml b/action.yml index afd2d80..140dfb6 100644 --- a/action.yml +++ b/action.yml @@ -55,4 +55,6 @@ inputs: default: junit runs: using: docker - image: Dockerfile + image: quay.io/dwertent/github-actions + # image: quay.io/kubescape/github-actions:latest + diff --git a/entrypoint.sh b/entrypoint.sh index dd0f7e0..b26db8f 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -39,3 +39,4 @@ ls -la COMMAND="kubescape scan $FRAMEWORKS_CMD $CONTROLS_CMD $FILES $ACCOUNT_CMD $INPUT_FAILEDTHRESHOLD $THRESHOLD_CRITICAL_CMD $THRESHOLD_HIGH_CMD $THRESHOLD_MEDIUM_CMD $THRESHOLD_LOW_CMD --format $INPUT_FORMAT --output results --use-artifacts-from $ARTIFACTS_PATH" eval $COMMAND + From b890b55837d27c306f82784e5c388832301e7351 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Mon, 3 Oct 2022 14:20:10 +0300 Subject: [PATCH 27/35] remove deps --- .github/workflows/release.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5a7ffd7..2ee0375 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -11,7 +11,6 @@ jobs: build-image: name: Build docker container, tag and upload to registry - needs: build runs-on: ubuntu-latest permissions: id-token: write @@ -56,7 +55,11 @@ jobs: run: | cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:latest cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} - + release: + name: Create release + needs: build-image + runs-on: ubuntu-latest + steps: - name: Create a release id: create_release uses: actions/create-release@v1 From eed97e210587a80b99193364ff81073d7e18c2f6 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Mon, 3 Oct 2022 14:21:58 +0300 Subject: [PATCH 28/35] adding push to command --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
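Review bot: `image: quay.io/dwertent/github-actions` makes every consumer of this action pull an untagged (implicitly `latest`), undigested image from a personal registry namespace, so the code that runs inside users' pipelines is whatever that tag points to at run time and can change with no change to the action ref they pinned. GitHub's `runs.image` also expects registry images in the `docker://` form, so this value may be read as a Dockerfile path instead; pinning to the version tag the release workflow already produces, e.g. `image: docker://quay.io/<org>/github-actions:<release-tag>@sha256:<digest>`, fixes both. The later "update org" hunk moves the namespace to `quay.io/kubescape/github-actions` but still carries no tag, digest or `docker://` prefix.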
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2ee0375..db95541 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -43,7 +43,7 @@ jobs: run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io - name: Build the Docker image - run: docker buildx build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:latest + run: docker buildx build . --file Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:latest --push - name: Install cosign uses: sigstore/cosign-installer@main From 9cfa7e99c6433e6c302c6852cd3d41fcd7535a93 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Mon, 3 Oct 2022 15:33:04 +0300 Subject: [PATCH 29/35] update ks base image --- Dockerfile | 2 +- entrypoint.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3b9d28b..a5ec346 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/kubescape/kubescape:v2.0.171 +FROM quay.io/kubescape/kubescape:dev-v2.0.383 # Kubescape uses root privileges for writing the results to a file USER root diff --git a/entrypoint.sh b/entrypoint.sh index b26db8f..809910a 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -21,7 +21,7 @@ if [ ! -z "$INPUT_CONTROLS" ]; then CONTROLS=$(echo "${CONTROLS%?}") fi -ARTIFACTS_PATH="/home/armo/.kubescape" +ARTIFACTS_PATH="/home/ks/.kubescape" FRAMEWORKS_CMD=$([ ! -z "$INPUT_FRAMEWORKS" ] && echo "framework $INPUT_FRAMEWORKS" || echo "") CONTROLS_CMD=$([ ! -z "$INPUT_CONTROLS" ] && echo control $CONTROLS || echo "") FILES=$([ ! -z "$INPUT_FILES" ] && echo "$INPUT_FILES" || echo .) From ec13eb0fca8749490059fff069a276d87b6ae20c Mon Sep 17 00:00:00 2001 
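Review bot: `FROM quay.io/kubescape/kubescape:dev-v2.0.383` bases the published action image on a `dev-` tag, which by its naming is a pre-release build and, like any tag, can be re-pushed, so the scanner that reaches users can change underneath a fixed action version and rebuilds are not reproducible. Pinning to a release tag plus digest, `FROM quay.io/kubescape/kubescape:<release-tag>@sha256:<digest>`, keeps the base image at what was reviewed; if the dev tag is needed for a feature the action depends on, a comment naming that feature would explain the choice.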
From: David Wertenteil Date: Mon, 3 Oct 2022 15:51:14 +0300 Subject: [PATCH 30/35] update org --- .github/workflows/example.yaml | 2 +- README.md | 4 ++++ action.yml | 3 +-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml index de214d7..1925276 100644 --- a/.github/workflows/example.yaml +++ b/.github/workflows/example.yaml @@ -1,7 +1,7 @@ name: Kubescape scanning for misconfigurations on: release: - types: [published] + types: [released] jobs: kubescape: runs-on: ubuntu-latest diff --git a/README.md b/README.md index b83524f..dddd828 100644 --- a/README.md +++ b/README.md @@ -88,6 +88,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: kubescape/github-action@main + continue-on-error: true with: files: "kubernetes-manifests/*.yaml" - name: Archive kubescape scan results @@ -115,6 +116,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: kubescape/github-action@main + continue-on-error: true with: framework: | nsa,mitre @@ -143,6 +145,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: kubescape/github-action@main + continue-on-error: true with: failedThreshold: 50 - name: Archive kubescape scan results @@ -169,6 +172,7 @@ jobs: steps: - uses: action/checkout@v3 - uses: kubescape/github-action@main + continue-on-error: true with: thresholdCritical: 1 thresholdHigh: 5 diff --git a/action.yml b/action.yml index 140dfb6..453ada1 100644 --- a/action.yml +++ b/action.yml @@ -55,6 +55,5 @@ inputs: default: junit runs: using: docker - image: quay.io/dwertent/github-actions - # image: quay.io/kubescape/github-actions:latest + image: quay.io/kubescape/github-actions From f7500889c2b61ad102dbef13d727a48f51a0b9cd Mon Sep 17 00:00:00 2001 
From: Vlad Klokun Date: Mon, 3 Oct 2022 16:02:02 +0300 Subject: [PATCH 31/35] feat: support the severity threshold input (#11) This commit adds support for specifying the severity threshold as an input for the Github Action. Co-authored-by: David Wertenteil --- README.md | 11 +++-------- action.yml | 29 ++++++++--------------------- entrypoint.sh | 21 ++++++++++++--------- 3 files changed, 23 insertions(+), 38 deletions(-) mode change 100755 => 100644 entrypoint.sh diff --git a/README.md b/README.md index b83524f..f3b2b1a 100644 --- a/README.md +++ b/README.md 
@@ -44,10 +44,7 @@ jobs:
| controls | The security control(s) to scan the files against. Multiple controls can be specified separated by a comma with no spaces. Example - `Configured liveness probe,Pods in default namespace`. Run `kubescape list controls` with the [Kubescape CLI](https://hub.armo.cloud/docs/installing-kubescape) to get a list of all controls. The complete control name can be specified or the ID such as `C-0001` can be specified. Either controls have to be specified or frameworks. | No |
| account | Account-id for the [kubescape cloud](https://cloud.armosec.io/). Used for custom configuration, such as frameworks, control configuration, etc. | No |
| failedThreshold | Failure threshold is the percent above which the command fails and returns exit code 1 (default 0 i.e, action fails if any control fails) | No (default 0) |
-| thresholdCritical |Threshold Critical is the number or more of critical controls that failed and returns exit code 1 | No |
-| thresholdHigh |Threshold High is the number or more of high controls that failed and returns exit code 1 | No |
-| thresholdMedium |Threshold Medium is the number or more of medium controls that failed and returns exit code 1 | No |
-| thresholdLow |Threshold Low is the number or more of low controls that failed and returns exit code 1 | No |
+| severityThreshold | Severity threshold is the severity of a failed control at or above which the command terminates with an exit code 1 (default is `high`, i.e. the action fails if any High severity control fails) | No |
## Examples
@@ -158,7 +155,7 @@ jobs:
```
#### Fail Kubescape scanning based on severity-threshold
-Scan repository with Kubescape and failed action if the number of failed resources with severity {X} is more than threshold {X}
+Scan repository with Kubescape and fail the action if the scan found failed controls with severity of Medium and above.
```yaml
name: Kubescape scanning for misconfigurations
@@ -170,9 +167,7 @@ jobs:
- uses: action/checkout@v3
- uses: kubescape/github-action@main
with:
- thresholdCritical: 1
- thresholdHigh: 5
- thresholdMedium: 10
+ severityThreshold: medium
- name: Archive kubescape scan results
uses: actions/upload-artifact@v2
with:
diff --git a/action.yml b/action.yml
index afd2d80..96377d6 100644
--- a/action.yml
+++ b/action.yml
@@ -6,6 +6,13 @@ inputs:
Failure threshold is the percent above which the command fails and returns exit code 1 (default 0 i.e, action fails if any control fails)
required: false
+ severityThreshold:
+ description: |
+ Severity threshold is the severity of a failed control at or above which
+ the command terminates with an exit code 1 (default is "high", i.e. the
+ action fails if any High severity control fails)
+ required: false
+ default: high
files:
description: |
Path to the configuration yaml to scan
@@ -24,29 +31,9 @@ inputs:
required: false
account:
description: |
- Account-id for the SAS.
+ Account ID for the Kubescape SaaS.
Used for custom configuration, such as frameworks, control configuration, etc.
required: false
- thresholdCritical:
- description: |
- Threshold Critical is the number or more of critical controls that failed
- and returns exit code 1
- required: false
- thresholdHigh:
- description: |
- Threshold High is the number or more of high controls that failed
- and returns exit code 1
- required: false
- thresholdMedium:
- description: |
- Threshold Medium is the number or more of medium controls that failed
- and returns exit code 1
- required: false
- thresholdLow:
- description: |
- Threshold Low is the number or more of low controls that failed
- and returns exit code 1
- required: false
format:
description: |
Output format
diff --git a/entrypoint.sh b/entrypoint.sh
old mode 100755
new mode 100644
index 5f25a49..2a75eb3
--- a/entrypoint.sh
+++ b/entrypoint.sh
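Review bot: The reworded `account` description still leaves out what supplying the ID does at run time: entrypoint.sh in this same patch passes `--submit` together with `--account`, so setting this input also uploads the scan results to the SaaS. That belongs on the input itself, since the description is what users read when deciding whether to set it and where to keep the value; extend the block scalar with `Setting this also submits the scan results to Kubescape cloud; pass it from a repository secret rather than a literal.`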
@@ -21,17 +21,20 @@ if [ ! -z "$INPUT_CONTROLS" ]; then
CONTROLS=$(echo "${CONTROLS%?}")
fi
-ARTIFACTS_PATH="/home/armo/.kubescape"
+# Subcommands
+ARTIFACTS_PATH="/home/ks/.kubescape"
FRAMEWORKS_CMD=$([ ! -z "$INPUT_FRAMEWORKS" ] && echo "framework $INPUT_FRAMEWORKS" || echo "")
CONTROLS_CMD=$([ ! -z "$INPUT_CONTROLS" ] && echo control $CONTROLS || echo "")
+
+# Output files
FILES=$([ ! -z "$INPUT_FILES" ] && echo "$INPUT_FILES" || echo .)
-ACCOUNT_CMD=$([ ! -z "$INPUT_ACCOUNT" ] && echo --account $INPUT_ACCOUNT --submit || echo "")
-INPUT_FAILEDTHRESHOLD=$([ ! -z "$INPUT_FAILEDTHRESHOLD" ] && echo --fail-threshold $INPUT_FAILEDTHRESHOLD || echo "")
-THRESHOLD_CRITICAL_CMD=$([ ! -z "$INPUT_THRESHOLDCRITICAL" ] && echo --threshold-critical $INPUT_THRESHOLDCRITICAL || echo "")
-THRESHOLD_HIGH_CMD=$([ ! -z "$INPUT_THRESHOLDHIGH" ] && echo --threshold-high $INPUT_THRESHOLDHIGH || echo "")
-THRESHOLD_MEDIUM_CMD=$([ ! -z "$INPUT_THRESHOLDMEDIUM" ] && echo --threshold-medium $INPUT_THRESHOLDMEDIUM || echo "")
-THRESHOLD_LOW_CMD=$([ ! -z "$INPUT_THRESHOLDLOW" ] && echo --threshold-low $INPUT_THRESHOLDLOW || echo "")
-
-COMMAND="kubescape scan $FRAMEWORKS_CMD $CONTROLS_CMD $FILES $ACCOUNT_CMD $INPUT_FAILEDTHRESHOLD $THRESHOLD_CRITICAL_CMD $THRESHOLD_HIGH_CMD $THRESHOLD_MEDIUM_CMD $THRESHOLD_LOW_CMD --format $INPUT_FORMAT --output results --use-artifacts-from $ARTIFACTS_PATH"
+
+# Command-line options
+ACCOUNT_OPT=$([ ! -z "$INPUT_ACCOUNT" ] && echo --account $INPUT_ACCOUNT --submit || echo "")
+
+FAIL_THRESHOLD_OPT=$([ ! -z "$INPUT_FAILEDTHRESHOLD" ] && echo --fail-threshold $INPUT_FAILEDTHRESHOLD || echo "")
+SEVERITY_THRESHOLD_OPT=$([ ! -z "$INPUT_SEVERITYTHRESHOLD" ] && echo --severity-threshold $INPUT_SEVERITYTHRESHOLD || echo "")
+
+COMMAND="kubescape scan $FRAMEWORKS_CMD $CONTROLS_CMD $FILES $ACCOUNT_OPT $FAIL_THRESHOLD_OPT $SEVERITY_THRESHOLD_OPT --format $INPUT_FORMAT --output results --use-artifacts-from $ARTIFACTS_PATH"
eval $COMMAND
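Review bot: The new `ACCOUNT_OPT`, `FAIL_THRESHOLD_OPT` and `SEVERITY_THRESHOLD_OPT` values are expanded unquoted and the assembled string is then run through `eval $COMMAND`, so any input holding whitespace, a glob or shell metacharacters (`INPUT_SEVERITYTHRESHOLD`, `INPUT_ACCOUNT`, `INPUT_FILES`) is re-parsed by the shell instead of reaching kubescape as one argument — a legitimate path with a space already breaks the step, and the same eval is what would let a carelessly templated input become a second command. Collecting the arguments in an array and calling kubescape directly removes the eval and quotes each value exactly once; `files` is the one input that looks intended as a glob (the README examples pass `kubernetes-manifests/*.yaml`), so it is expanded on its own line on purpose. This assumes the image's shell is bash, which the hunk does not show (plain sh can do the same with `set --`), the `CONTROLS` assembly above the hunk is not visible here, and an input that arrives from a `|` block scalar with a trailing newline was previously trimmed by word splitting and now needs explicit trimming before it is quoted. The patch also flips entrypoint.sh to mode 100644 (`old mode 100755` in the file header), which a Docker action cannot execute; PATCH 35 restores it, so the mode change is better dropped here.
```shell
# … unchanged: CONTROLS assembly …
ARTIFACTS_PATH="/home/ks/.kubescape"
FILES=$([ ! -z "$INPUT_FILES" ] && echo "$INPUT_FILES" || echo .)

# Build argv once; every value is quoted, so no eval is needed.
ARGS=()
[ -n "$INPUT_FRAMEWORKS" ] && ARGS+=(framework "$INPUT_FRAMEWORKS")
[ -n "$INPUT_CONTROLS" ] && ARGS+=(control "$CONTROLS")
# shellcheck disable=SC2206 -- files may be a glob; expanding it here is intentional
ARGS+=($FILES)
[ -n "$INPUT_ACCOUNT" ] && ARGS+=(--account "$INPUT_ACCOUNT" --submit)
[ -n "$INPUT_FAILEDTHRESHOLD" ] && ARGS+=(--fail-threshold "$INPUT_FAILEDTHRESHOLD")
[ -n "$INPUT_SEVERITYTHRESHOLD" ] && ARGS+=(--severity-threshold "$INPUT_SEVERITYTHRESHOLD")
ARGS+=(--format "$INPUT_FORMAT" --output results --use-artifacts-from "$ARTIFACTS_PATH")

exec kubescape scan "${ARGS[@]}"
```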
From 16de1831064d2c0b829302e50352a46196f4550f Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Mon, 3 Oct 2022 16:15:14 +0300
Subject: [PATCH 32/35] rename file
---
 .github/workflows/{release.yaml => build.yaml} | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)
 rename .github/workflows/{release.yaml => build.yaml} (80%)
diff --git a/.github/workflows/release.yaml b/.github/workflows/build.yaml
similarity index 80%
rename from .github/workflows/release.yaml
rename to .github/workflows/build.yaml
index db95541..4ac9375 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/build.yaml
@@ -55,19 +55,5 @@ jobs:
run: |
cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }}
- release:
- name: Create release
- needs: build-image
- runs-on: ubuntu-latest
- steps:
- - name: Create a release
- id: create_release
- uses: actions/create-release@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- release_name: Release v1.0.${{ github.run_number }}
- tag_name: v1.0.${{ github.run_number }}
- draft: false
- prerelease: false
+
\ No newline at end of file
From bdb316f9eb12f2a2c7cb8a5852ac9298f9675f8d Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Mon, 3 Oct 2022 16:45:42 +0300
Subject: [PATCH 33/35] Update action url
---
 action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index a154388..ad8b0ae 100644
--- a/action.yml
+++ b/action.yml
@@ -42,5 +42,5 @@ inputs:
default: junit
runs:
using: docker
- image: quay.io/kubescape/github-actions
+ image: docker://quay.io/kubescape/github-actions
From e0368d149fd30b27a540800248e7b5c1e2be828d Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Thu, 27 Oct 2022 09:57:12 +0300
Subject: [PATCH 34/35] made small change
---
 examples/kubernetes-manifests/adservice.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/examples/kubernetes-manifests/adservice.yaml b/examples/kubernetes-manifests/adservice.yaml
index 32ab46d..d322a94 100644
--- a/examples/kubernetes-manifests/adservice.yaml
+++ b/examples/kubernetes-manifests/adservice.yaml
@@ -12,6 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+
apiVersion: apps/v1
kind: Deployment
metadata:
From db2fa712e30a524e2c7e028292eb0cc8852ed044 Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Thu, 27 Oct 2022 10:01:53 +0300
Subject: [PATCH 35/35] chmod
---
 entrypoint.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 entrypoint.sh
diff --git a/entrypoint.sh b/entrypoint.sh
old mode 100644
new mode 100755