Skip to content

Security Scans

Security Scans #48

name: "Security Scans"
on:
schedule:
- cron: '0 3 * * 1' # run tests at 1 AM (UTC), every monday (1)
workflow_dispatch:
inputs:
branch:
description: 'Take CI build artifacts from branch (e.g., master, release-x.y.z)'
required: true
default: 'main'
defaults:
run:
shell: bash
env:
GO_VERSION: "~1.20"
jobs:
prepare-security-scans:
name: "Prepare Security Scans"
runs-on: ubuntu-22.04
steps:
- name: Determine Target Branch
id: determine_branch
run: |
if [[ "${{ github.event.inputs.branch }}" != "" ]]; then
# branch was manually set by user -> probably a workflow_dispatch action
BRANCH=${{ github.event.inputs.branch }}
echo "Using $BRANCH as target branch"
else
BRANCH='main'
fi
echo "BRANCH=$(echo ${BRANCH})" >> $GITHUB_OUTPUT
- name: Find latest successful run ID
id: last_run_id
env:
BRANCH: ${{ steps.determine_branch.outputs.BRANCH }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
RUN_ID=$(\
curl -sL \
-H 'Accept: application/vnd.github.v3+json' \
-H "Authorization: token $GITHUB_TOKEN" \
"api.github.com/repos/${{ github.repository }}/actions/workflows/CI.yaml/runs?branch=$BRANCH" | \
jq '[.workflow_runs[] | select(
(.head_commit != null) and ( .conclusion == "success" )
)][0] | .id')
echo "Run ID that will be used to download artifacts from: $RUN_ID"
echo "RUN_ID=$RUN_ID" >> $GITHUB_OUTPUT
- name: Download all artifacts from last successful build of main branch
uses: dawidd6/[email protected]
id: download_artifacts_push
with:
# Download last successful artifact from a CI build
github_token: ${{ secrets.GITHUB_TOKEN }}
workflow: CI.yaml
run_id: ${{ steps.last_run_id.outputs.RUN_ID }}
# directory where to extract artifacts to
path: ./dist
- name: Upload manifests main build
uses: actions/upload-artifact@v3
if: ${{ github.event_name == 'schedule' }}
with:
name: manifests
path: |
./dist/*-manifest-test/
- name: Upload manifests user run
if: ${{ github.event_name != 'schedule' }}
uses: actions/upload-artifact@v3
with:
name: manifests
path: |
./dist/*-manifest-test/
- name: Upload images
uses: actions/upload-artifact@v3
with:
name: images
path: |
./dist/*-image.tar/
security-scans:
name: "Security Scans"
needs: prepare-security-scans
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
include:
- tool: "kics"
- tool: "kubeconform"
# renovate: datasource=github-releases depName=yannh/kubeconform
version: "v0.5.0"
- tool: "kubescape"
kubescape-framework: "nsa"
- tool: "kubescape"
kubescape-framework: "mitre"
- tool: "kubescape"
kubescape-framework: "ARMOBest"
steps:
- name: Set up Go
if: matrix.tool == 'kubeconform'
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
cache: false
- name: Check out code
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: 'true'
- name: Download manifest files
id: download_manifests
uses: actions/download-artifact@v3
with:
name: manifests
path: scans
- name: KICS Scan
if: matrix.tool == 'kics'
uses: Checkmarx/[email protected]
with:
path: scans
config_path: .github/kics-config.yml
fail_on: high,medium
output_formats: json,sarif
- name: Upload KICS results
if: always() && matrix.tool == 'kics'
uses: actions/upload-artifact@v3
with:
name: kics-results
path: results.json
- name: Kubeconform Scan
if: matrix.tool == 'kubeconform'
run: |
echo "::group::Kubeconform installation"
go install github.com/yannh/kubeconform/cmd/kubeconform@${{ matrix.version }}
echo "::endgroup::"
cd lifecycle-operator/config/default
sed -i 's/\- ..\/crd//' kustomization.yaml && kustomize build ./ > /tmp/lifecycle-operator-manifest.yaml
cd ../crd && kustomize build ./ > /tmp/crds.yaml
cd ../../../metrics-operator/config/default
sed -i 's/\- ..\/crd//' kustomization.yaml && kustomize build ./ > /tmp/metrics-operator-manifest.yaml
echo "---" >> /tmp/crds.yaml
cd ../crd && kustomize build ./ >> /tmp/crds.yaml
cd ../../../scheduler/manifests/install && kustomize build ./ > /tmp/scheduler-manifest.yaml
curl -s https://raw.githubusercontent.com/yannh/kubeconform/${{ matrix.version }}/scripts/openapi2jsonschema.py > /tmp/openapi2jsonschema.py
mkdir -p /tmp/schema && cd /tmp/schema
python3 ../openapi2jsonschema.py ../crds.yaml
cd .. && \
echo "---" >> lifecycle-operator-manifest.yaml && \
echo "---" >> scheduler-manifest.yaml && \
cat lifecycle-operator-manifest.yaml scheduler-manifest.yaml metrics-operator-manifest.yaml > manifest.yaml
kubeconform \
-schema-location default \
-schema-location './schema/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json' \
-schema-location \
'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cert-manager.io/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
-summary manifest.yaml
- name: Kubescape Scan
if: matrix.tool == 'kubescape'
env:
FAILURE_PERCENTAGE: 10
run: |
echo "::group::Kubescape installation"
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
export PATH=$PATH:/home/runner/.kubescape/bin
echo "::endgroup::"
# Docs on how to configure exceptions: https://hub.armosec.io/docs/exceptions
kubescape scan framework ${{ matrix.kubescape-framework }} \
-v -t ${{ env.FAILURE_PERCENTAGE }} \
--exceptions ./.github/.kubescape/exceptions.json \
--controls-config ./.github/.kubescape/controls-inputs.json scans \
--enable-color
trivy:
name: Trivy
runs-on: ubuntu-22.04
needs: prepare-security-scans
strategy:
fail-fast: false
matrix:
image:
- "deno-runtime"
- "python-runtime"
- "lifecycle-operator"
- "metrics-operator"
- "scheduler"
- "certificate-operator"
steps:
- name: Download images
id: download_images
uses: actions/download-artifact@v3
with:
name: images
path: images
- name: Trivy image scan
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
with:
input: "images/${{ matrix.image }}-image.tar/${{ matrix.image }}-image.tar"
severity: 'CRITICAL,HIGH'
exit-code: '1'
govulncheck:
name: Govulncheck
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
artifact:
- "lifecycle-operator"
- "metrics-operator"
- "scheduler"
- "klt-cert-manager"
steps:
- name: Set up Go 1.x
uses: actions/setup-go@v4
with:
cache-dependency-path: ${{ matrix.artifact }}/go.sum
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Checkout Code
uses: actions/checkout@v4
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Check for vulnerabilities
working-directory: ./${{ matrix.artifact }}
run: govulncheck ./...
create_issue:
name: Create GitHub Issue
runs-on: ubuntu-22.04
needs: [security-scans, govulncheck, trivy]
if: failure() && github.event_name == 'schedule'
steps:
- name: Formulate bug issue
id: formulate_bug_issue
run: |
# create a markdown file that contains details about the error
echo "---" > security-scan-failure.md
echo "title: 'Security Scan failed'" >> security-scan-failure.md
echo "labels: 'security'" >> security-scan-failure.md
echo "---" >> security-scan-failure.md
echo "" >> security-scan-failure.md
echo "* Link to run: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> security-scan-failure.md
if [[ $GITHUB_EVENT_NAME == 'schedule' ]]; then
echo "* Triggered by: Scheduled build" >> security-scan-failure.md
else
echo "* Triggered by: @$GITHUB_ACTOR" >> security-scan-failure.md
fi
echo "" >> security-scan-failure.md
echo "Note: This issue was auto-generated from [security-scan.yml](.github/workflows/security-scan.yml)" >> security-scan-failure.md
- name: Create issue if versions differ
uses: JasonEtco/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
filename: security-scan-failure.md