[#3362500] Add support for tag filtering in the scanner (#218) #194
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Kubernetes Infra CI | |
on: | |
push: | |
branches: [ "main" ] | |
paths: | |
- .github/workflows/k8-infra-ci.yaml | |
- deployment/kubernetes/** | |
- '!**.md' | |
- '!**.png' | |
- '!**.gif' | |
- .gitignore | |
pull_request: | |
branches: [ "main" ] | |
paths: | |
- .github/workflows/k8-infra-ci.yaml | |
- deployment/kubernetes/** | |
- '!**.md' | |
- '!**.png' | |
- '!**.gif' | |
- .gitignore | |
workflow_dispatch: | |
env: | |
KUBERNETES_INFRA_DIR: deployment/kubernetes | |
KUBE_AUDIT_VERSION: 0.22.0 | |
DATREE_VERSION: 1.9.19 | |
permissions: read-all | |
jobs: | |
helm-chart-validation: | |
name: Helm Chart Validation and IaC scan | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Set up Helm | |
uses: azure/setup-helm@v3 | |
with: | |
version: v3.10.0 | |
- name: Download Secret Scan Rule Config File | |
run: | | |
cd ${{ env.KUBERNETES_INFRA_DIR }} | |
curl https://raw.githubusercontent.com/zricethezav/gitleaks/master/config/gitleaks.toml > gitleaks.toml | |
- name: Helm Dependency Update | |
run: | | |
cd ${{ env.KUBERNETES_INFRA_DIR }} | |
helm dependency update | |
- name: Helm Lint | |
run: | | |
cd ${{ env.KUBERNETES_INFRA_DIR }} | |
helm lint . --set-file global.secretScanRulePackConfig=./gitleaks.toml | |
- name: Helm Template | |
run: | | |
cd ${{ env.KUBERNETES_INFRA_DIR }} | |
helm template resc . -f ./example-values.yaml --set-file global.secretScanRulePackConfig=./gitleaks.toml | |
- name: Run IaC scan using Kics | |
uses: checkmarx/kics-github-action@v1.6.3 | |
with: | |
path: '${{ env.KUBERNETES_INFRA_DIR }}' | |
exclude_paths: '${{ env.KUBERNETES_INFRA_DIR }}/example-values.yaml,${{ env.KUBERNETES_INFRA_DIR }}/resc_helm_template.yaml' | |
fail_on: high,medium | |
- name: Run IaC scan using Checkov | |
id: checkov | |
uses: bridgecrewio/checkov-action@master | |
with: | |
directory: '${{ env.KUBERNETES_INFRA_DIR }}' | |
quiet: true | |
soft_fail: true | |
output_format: json | |
- name: Export RESC Helm Template | |
run: | | |
cd ${{ env.KUBERNETES_INFRA_DIR }} | |
helm template resc . -f ./example-values.yaml --set-file global.secretScanRulePackConfig=./gitleaks.toml > resc_helm_template.yaml | |
- name: Install Kubeaudit | |
run: | | |
curl -LO https://github.com/Shopify/kubeaudit/releases/download/v${{env.KUBE_AUDIT_VERSION}}/kubeaudit_${{env.KUBE_AUDIT_VERSION}}_linux_amd64.tar.gz | |
tar -xzvf kubeaudit_${{env.KUBE_AUDIT_VERSION}}_linux_amd64.tar.gz | |
mv kubeaudit /usr/local/bin/ | |
- name: Run Kubeaudit Scan | |
run: | | |
cd ${{ env.KUBERNETES_INFRA_DIR }} | |
kubeaudit all -f resc_helm_template.yaml | |
- name: Install Datree | |
run: | | |
curl -L -o datree.zip https://github.com/datreeio/datree/releases/download/${{env.DATREE_VERSION}}/datree-cli_${{env.DATREE_VERSION}}_Linux_x86_64.zip | |
unzip datree.zip -d datree | |
mv datree/datree /usr/local/bin/ | |
- name: Run Datree Scan | |
id: datree_scan | |
run: | | |
cd ${{ env.KUBERNETES_INFRA_DIR }} | |
datree config set offline local | |
datree test resc_helm_template.yaml --only-k8s-files --no-record --verbose --policy-config datree-policies.yaml | |
release-charts: | |
name: Release Charts | |
permissions: | |
contents: write | |
runs-on: ubuntu-latest | |
needs: helm-chart-validation | |
if: github.ref == 'refs/heads/main' | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Configure Git | |
run: | | |
git config user.name "$GITHUB_ACTOR" | |
git config user.email "$GITHUB_ACTOR@users.noreply.github.com" | |
- name: Run chart-releaser | |
uses: helm/chart-releaser-action@v1.5.0 | |
with: | |
charts_dir: deployment | |
env: | |
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
CR_SKIP_EXISTING: true |