Skip to content

[#3362500] Add support for tag filtering in the scanner (#218) #194

[#3362500] Add support for tag filtering in the scanner (#218)

[#3362500] Add support for tag filtering in the scanner (#218) #194

Workflow file for this run

name: Kubernetes Infra CI
on:
push:
branches: [ "main" ]
paths:
- .github/workflows/k8-infra-ci.yaml
- deployment/kubernetes/**
- '!**.md'
- '!**.png'
- '!**.gif'
- .gitignore
pull_request:
branches: [ "main" ]
paths:
- .github/workflows/k8-infra-ci.yaml
- deployment/kubernetes/**
- '!**.md'
- '!**.png'
- '!**.gif'
- .gitignore
workflow_dispatch:
env:
KUBERNETES_INFRA_DIR: deployment/kubernetes
KUBE_AUDIT_VERSION: 0.22.0
DATREE_VERSION: 1.9.19
permissions: read-all
jobs:
helm-chart-validation:
name: Helm Chart Validation and IaC scan
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@v3
with:
version: v3.10.0
- name: Download Secret Scan Rule Config File
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
curl https://raw.githubusercontent.com/zricethezav/gitleaks/master/config/gitleaks.toml > gitleaks.toml
- name: Helm Dependency Update
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
helm dependency update
- name: Helm Lint
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
helm lint . --set-file global.secretScanRulePackConfig=./gitleaks.toml
- name: Helm Template
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
helm template resc . -f ./example-values.yaml --set-file global.secretScanRulePackConfig=./gitleaks.toml
- name: Run IaC scan using Kics
uses: checkmarx/kics-github-action@v1.6.3
with:
path: '${{ env.KUBERNETES_INFRA_DIR }}'
exclude_paths: '${{ env.KUBERNETES_INFRA_DIR }}/example-values.yaml,${{ env.KUBERNETES_INFRA_DIR }}/resc_helm_template.yaml'
fail_on: high,medium
- name: Run IaC scan using Checkov
id: checkov
uses: bridgecrewio/checkov-action@master
with:
directory: '${{ env.KUBERNETES_INFRA_DIR }}'
quiet: true
soft_fail: true
output_format: json
- name: Export RESC Helm Template
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
helm template resc . -f ./example-values.yaml --set-file global.secretScanRulePackConfig=./gitleaks.toml > resc_helm_template.yaml
- name: Install Kubeaudit
run: |
curl -LO https://github.com/Shopify/kubeaudit/releases/download/v${{env.KUBE_AUDIT_VERSION}}/kubeaudit_${{env.KUBE_AUDIT_VERSION}}_linux_amd64.tar.gz
tar -xzvf kubeaudit_${{env.KUBE_AUDIT_VERSION}}_linux_amd64.tar.gz
mv kubeaudit /usr/local/bin/
- name: Run Kubeaudit Scan
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
kubeaudit all -f resc_helm_template.yaml
- name: Install Datree
run: |
curl -L -o datree.zip https://github.com/datreeio/datree/releases/download/${{env.DATREE_VERSION}}/datree-cli_${{env.DATREE_VERSION}}_Linux_x86_64.zip
unzip datree.zip -d datree
mv datree/datree /usr/local/bin/
- name: Run Datree Scan
id: datree_scan
run: |
cd ${{ env.KUBERNETES_INFRA_DIR }}
datree config set offline local
datree test resc_helm_template.yaml --only-k8s-files --no-record --verbose --policy-config datree-policies.yaml
release-charts:
name: Release Charts
permissions:
contents: write
runs-on: ubuntu-latest
needs: helm-chart-validation
if: github.ref == 'refs/heads/main'
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Run chart-releaser
uses: helm/chart-releaser-action@v1.5.0
with:
charts_dir: deployment
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_SKIP_EXISTING: true