From b2454fb091659d90a4dadfe5c5aabd7ce55de064 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emre=20=C5=9Eafak?= <3928300+esafak@users.noreply.github.com>
Date: Thu, 18 Dec 2025 21:41:19 +0000
Subject: [PATCH] feat: Implement dynamic Kubescape versioning in GitHub Action
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Refactor the GitHub Action to build the Docker image at runtime using a user-specified version of `kubescape-cli`.

* Introduce a build argument `KUBESCAPE_VERSION` in the `Dockerfile` to dynamically set the base image version.
* Convert the action to a composite action in `action.yml`.
* Add a mandatory `version` input to `action.yml` to allow users to specify any `kubescape-cli` version or 'latest'.
* Implement version resolution logic in `action.yml` to fetch the latest tag if `version` is set to 'latest', using the `github.token` for authentication.
* Update the build step in `action.yml` to pass the resolved version as the `--build-arg KUBESCAPE_VERSION` to `docker build`.
* Update the run step in `action.yml` to use the resolved version tag for the `docker run` command.
* Rewrite `update.sh` to fetch the latest release tag and update the `KUBESCAPE_VERSION` argument in the `Dockerfile` using `sed`.

Signed-off-by: Emre Şafak <3928300+esafak@users.noreply.github.com>
---
 Dockerfile | 3 ++-
 action.yml | 51 +++++++++++++++++++++++++++++++++++++++++++++++----
 update.sh | 31 +++++++++++++++++++++----------
 3 files changed, 70 insertions(+), 15 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index f7e3ac1..0f0abf9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,5 @@
-FROM quay.io/kubescape/kubescape-cli:v3.0.21
+ARG KUBESCAPE_VERSION=v3.0.21
+FROM quay.io/kubescape/kubescape-cli:${KUBESCAPE_VERSION}
 
 # Kubescape uses root privileges for writing the results to a file
 USER root
diff --git a/action.yml b/action.yml
index 0b45e65..3ccefa2 100644
--- a/action.yml
+++ b/action.yml
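Review bot: The new `ARG KUBESCAPE_VERSION=v3.0.21` line carries no comment saying where its value comes from, although this commit gives it two writers: `update.sh` rewrites the default with `sed` against the `^ARG KUBESCAPE_VERSION=` pattern, and `action.yml` overrides it with `--build-arg`. A one-line comment above it keeps the next maintainer from hand-editing it into a form `update.sh` no longer matches: `# Default Kubescape release; kept current by update.sh and overridden by action.yml via --build-arg KUBESCAPE_VERSION`. The same comment should say that the value selects a mutable tag of `quay.io/kubescape/kubescape-cli`, so the base image is only as trustworthy as the registry tag at build time — digest pinning is not possible while the tag is parameterised, and readers should not expect it.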
@@ -94,6 +94,12 @@ inputs:
 use these fixes to open Pull Requests from your CI/CD pipeline.
 required: false
 default: "false"
+ version:
+ description: |
+ The version of Kubescape to use.
+
+ Can be a specific version (e.g. "v3.0.21") or "latest".
+ required: true
 image:
 description: |
 An image to scan.
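Review bot: Declaring `version` as `required: true` with no `default` turns every existing caller of this action into a failing run, because before this commit there was no such input and the image was fixed at `v3.0.21`. Unless the break is intended, `required: false` with `default: "v3.0.21"` (the same value as the Dockerfile's `ARG` default) keeps old workflows working while still accepting `latest` or any explicit tag. The description could also state what `latest` resolves to — the newest GitHub release tag of kubescape/kubescape, fetched at run time — so users understand that the resolved version is not pinned between runs.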
@@ -111,7 +117,44 @@ inputs:
 A password for a private registry that contains the image to be scanned.
 required: false
 runs:
- using: docker
- image: Dockerfile
- # image: docker://quay.io/kubescape/github-actions
-
+ using: 'composite'
+ steps:
+ - id: resolve_version
+ shell: bash
+ run: |
+ VERSION="${{ inputs.version }}"
+ if [ "$VERSION" = "latest" ]; then
+ VERSION=$(curl -s -H "Authorization: Bearer ${{ github.token }}" https://api.github.com/repos/kubescape/kubescape/releases/latest | jq -r .tag_name)
+ fi
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+ - name: Build Kubescape container
+ shell: bash
+ run: |
+ docker build -t kubescape-action:${{ steps.resolve_version.outputs.version }} \
+ --build-arg KUBESCAPE_VERSION=${{ steps.resolve_version.outputs.version }} \
+ ${{ github.action_path }}
+ - name: Run Kubescape scan
+ shell: bash
+ run: |
+ docker run --rm \
+ -v ${{ github.workspace }}:/scan \
+ -w /scan \
+ -e INPUT_FAILEDTHRESHOLD="${{ inputs.failedThreshold }}" \
+ -e INPUT_COMPLIANCETHRESHOLD="${{ inputs.complianceThreshold }}" \
+ -e INPUT_SEVERITYTHRESHOLD="${{ inputs.severityThreshold }}" \
+ -e INPUT_FILES="${{ inputs.files }}" \
+ -e INPUT_OUTPUTFILE="${{ inputs.outputFile }}" \
+ -e INPUT_VERBOSE="${{ inputs.verbose }}" \
+ -e INPUT_FRAMEWORKS="${{ inputs.frameworks }}" \
+ -e INPUT_CONTROLS="${{ inputs.controls }}" \
+ -e INPUT_CONTROLSCONFIG="${{ inputs.controlsConfig }}" \
+ -e INPUT_ACCOUNT="${{ inputs.account }}" \
+ -e INPUT_ACCESSKEY="${{ inputs.accessKey }}" \
+ -e INPUT_SERVER="${{ inputs.server }}" \
+ -e INPUT_EXCEPTIONS="${{ inputs.exceptions }}" \
+ -e INPUT_FORMAT="${{ inputs.format }}" \
+ -e INPUT_FIXFILES="${{ inputs.fixFiles }}" \
+ -e INPUT_IMAGE="${{ inputs.image }}" \
+ -e INPUT_REGISTRYUSERNAME="${{ inputs.registryUsername }}" \
+ -e INPUT_REGISTRYPASSWORD="${{ inputs.registryPassword }}" \
+ kubescape-action:${{ steps.resolve_version.outputs.version }}
diff --git a/update.sh b/update.sh
index fe4f715..eb4dd6d 100755
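Review bot: The `resolve_version` and `Run Kubescape scan` steps splice action inputs straight into `run:` scripts with `${{ inputs.version }}` and `-e INPUT_X="${{ inputs.x }}"`; GitHub expands those expressions before bash starts, so an input containing shell metacharacters alters the script instead of being treated as data, and `registryPassword` additionally lands in `docker run`'s argument vector where it is readable by any process on the runner. Passing the inputs through an `env:` block and referencing them as `"$INPUT_VERSION"` and `-e INPUT_REGISTRYPASSWORD` (name only, so docker copies the value from the environment) removes both problems without changing what the container sees. The version lookup also uses `curl -s` without `-f`, so a rate-limited or failed API call makes `jq` emit `null` and the failure only surfaces later as a confusing `docker build` tag error; `curl -fsSL` plus a shape check on the tag before it reaches `docker build`/`docker run` fails fast instead. `jq` and `docker` are presumed present on the runner, which holds for GitHub-hosted images but is worth documenting for self-hosted ones.
```yaml
    - id: resolve_version
      shell: bash
      env:
        INPUT_VERSION: ${{ inputs.version }}
        GH_TOKEN: ${{ github.token }}
      run: |
        set -euo pipefail
        VERSION="$INPUT_VERSION"
        if [ "$VERSION" = "latest" ]; then
          VERSION=$(curl -fsSL -H "Authorization: Bearer $GH_TOKEN" \
            https://api.github.com/repos/kubescape/kubescape/releases/latest | jq -r .tag_name)
        fi
        # Only a plain release tag may reach docker build / docker run.
        case "$VERSION" in
          v[0-9]*) ;;
          *) echo "unexpected Kubescape version: '$VERSION'" >&2; exit 1 ;;
        esac
        echo "version=$VERSION" >> "$GITHUB_OUTPUT"
    # … unchanged: Build Kubescape container step …
    - name: Run Kubescape scan
      shell: bash
      env:
        # one entry per input; the -e flags below then list names only
        INPUT_FAILEDTHRESHOLD: ${{ inputs.failedThreshold }}
        INPUT_REGISTRYPASSWORD: ${{ inputs.registryPassword }}
      run: |
        docker run --rm \
          -v "${{ github.workspace }}:/scan" \
          -w /scan \
          -e INPUT_FAILEDTHRESHOLD \
          -e INPUT_REGISTRYPASSWORD \
          kubescape-action:${{ steps.resolve_version.outputs.version }}
```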
--- a/update.sh
+++ b/update.sh
@@ -1,12 +1,23 @@
-git clone https://github.com/kubescape/kubescape.git --no-checkout
-cd kubescape
-export LATEST=$(git for-each-ref --format="%(refname:short)" --sort=-authordate --count=1 refs/tags)
-cd ..
-rm -rf kubescape
-export CURRENT=$(cat Dockerfile | head -n1 | cut -d':' -f2)
-if [ "$LATEST" != "$CURRENT" ]; then
- echo "New version available: $LATEST"
- sed -i "1 s/:${CURRENT}/:${LATEST}/" Dockerfile
+#!/bin/sh
+
+set -e
+
+echo "Fetching the latest version of Kubescape..."
+# Use GITHUB_TOKEN if available for authenticated requests
+if [ -n "$GITHUB_TOKEN" ]; then
+ latest_version=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" "https://api.github.com/repos/kubescape/kubescape/releases/latest" | grep -o '"tag_name": "[^"]*' | cut -d'"' -f4)
 else
- echo "No new version available"
+ latest_version=$(curl -s "https://api.github.com/repos/kubescape/kubescape/releases/latest" | grep -o '"tag_name": "[^"]*' | cut -d'"' -f4)
 fi
+
+if [ -z "${latest_version}" ]; then
+ echo "Failed to fetch the latest version."
+ exit 1
+fi
+
+echo "Latest version is: ${latest_version}"
+
+echo "Updating Dockerfile..."
+sed -i "s/^\(ARG KUBESCAPE_VERSION=\).*/\1${latest_version}/" Dockerfile
+
+echo "Dockerfile has been updated."
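Review bot: `latest_version` is spliced unchecked into the `sed` replacement near the end of the hunk, so a fetched value containing `/`, `&` or `\` would corrupt the `ARG` line instead of failing; a one-line guard before the `sed`, `case "$latest_version" in v[0-9]*) ;; *) echo "unexpected tag: $latest_version" >&2; exit 1 ;; esac`, closes that. Both `curl -s` calls lack `-f`, so an HTTP error body is parsed rather than rejected, and the `grep -o '"tag_name": "[^"]*'` pattern depends on the API's exact spacing — `curl -fsS` and, if `jq` is acceptable here as it already is in `action.yml`, `jq -r .tag_name` are sturdier. Unlike the replaced version, the script no longer compares against the current value, so it prints "Dockerfile has been updated." even when nothing changed; `grep -q "^ARG KUBESCAPE_VERSION=${latest_version}$" Dockerfile && { echo "Already up to date"; exit 0; }` before the `sed` restores that signal. `sed -i` with no suffix is GNU-specific, which matters if contributors run this on macOS.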