From a42202e24f979db04d996fd762548f722b65df9d Mon Sep 17 00:00:00 2001
From: odubajDT
Date: Tue, 2 May 2023 08:46:10 +0200
Subject: [PATCH] fix: security pipeline

Signed-off-by: odubajDT
---
 .github/.kubescape/exceptions.json | 125 +++++++++++++++++++++++++++
 .github/kics-config.yml | 1 +
 .github/workflows/security-scans.yml | 5 +-
 3 files changed, 129 insertions(+), 2 deletions(-)

diff --git a/.github/.kubescape/exceptions.json b/.github/.kubescape/exceptions.json
index ec626036ef..4f8ba7c4bc 100644
--- a/.github/.kubescape/exceptions.json
+++ b/.github/.kubescape/exceptions.json
@@ -79,6 +79,131 @@
 "controlID": "C-0036"
 }
 ]
+ },
+ {
+ "name": "coreDNS poisoning",
+ "policyType": "postureExceptionPolicy",
+ "actions": [
+ "alertOnly"
+ ],
+ "resources": [
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "ServiceAccount",
+ "name": "metrics-operator"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "ServiceAccount",
+ "name": "lifecycle-operator"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "ServiceAccount",
+ "name": "certificate-operator"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "controlID": "C-0037"
+ }
+ ]
+ },
+ {
+ "name": "data desctruction",
+ "policyType": "postureExceptionPolicy",
+ "actions": [
+ "alertOnly"
+ ],
+ "resources": [
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "ServiceAccount",
+ "name": "keptn-scheduler"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "ServiceAccount",
+ "name": "lifecycle-operator"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "controlID": "C-0007"
+ }
+ ]
+ },
+ {
+ "name": "malicious webhooks",
+ "policyType": "postureExceptionPolicy",
+ "actions": [
+ "alertOnly"
+ ],
+ "resources": [
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "MutatingWebhookConfiguration",
+ "name": "lifecycle-mutating-webhook-configuration"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "controlID": "C-0039"
+ }
+ ]
+ },
+ {
+ "name": "server running 2222",
+ "policyType": "postureExceptionPolicy",
+ "actions": [
+ "alertOnly"
+ ],
+ "resources": [
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "Deployment",
+ "name": "lifecycle-operator"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "controlID": "C-0042"
+ }
+ ]
+ },
+ {
+ "name": "unsigned images",
+ "policyType": "postureExceptionPolicy",
+ "actions": [
+ "alertOnly"
+ ],
+ "resources": [
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "Deployment"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "controlID": "C-0237"
+ }
+ ]
 }
 ]
diff --git a/.github/kics-config.yml b/.github/kics-config.yml
index b7b9c673d1..58b36221fc 100644
--- a/.github/kics-config.yml
+++ b/.github/kics-config.yml
@@ -8,6 +8,7 @@ exclude-queries:
 - 056ac60e-fe07-4acc-9b34-8e1d51716ab9 # ServiceAccount Allows Access Secrets
 - aee3c7d2-a811-4201-90c7-11c028be9a46 # Container Requests Not Equal To It's Limits
 - 8b36775e-183d-4d46-b0f7-96a6f34a723f # Missing AppArmor Profile
+ - 6b896afb-ca07-467a-b256-1a0077a1c08e # RBAC Wildcard In Rule
 exclude-results:
 # Similarity IDs can be found in the JSON result file of kics
diff --git a/.github/workflows/security-scans.yml b/.github/workflows/security-scans.yml
index 5113cf92f8..f06b74073e 100644
--- a/.github/workflows/security-scans.yml
+++ b/.github/workflows/security-scans.yml
@@ -123,7 +123,7 @@ jobs:
 - name: KICS Scan
 if: matrix.tool == 'kics'
- uses: Checkmarx/kics-github-action@v1.6
+ uses: Checkmarx/kics-github-action@v1.6.3
 with:
 path: scans
 config_path: .github/kics-config.yml
@@ -173,7 +173,8 @@ jobs:
 FAILURE_PERCENTAGE: 10
 run: |
 echo "::group::Kubescape installation"
- curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
+ curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
+ export PATH=$PATH:/home/runner/.kubescape/bin
 echo "::endgroup::"
 # Docs on how to configure exceptions: https://hub.armosec.io/docs/exceptions
 kubescape scan framework ${{ matrix.kubescape-framework }} \
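Review bot: The last new entry, `"unsigned images"`, designates `"kind": "Deployment"` with no `"name"`, so it downgrades control C-0237 to `alertOnly` for every Deployment kubescape scans rather than for the Keptn operators the neighbouring entries name explicitly. If the intent is to exempt only the project's own images until signing is in place, name them like the other entries (`"name": "lifecycle-operator"` and so on) and, if the designator schema supports it, add a `"namespace"` attribute so the waiver cannot match unrelated workloads. The other four exceptions carry no justification, and strict JSON offers nowhere to put a comment, so the `"name"` strings are the only place a future reviewer can read why the operators need the C-0037/C-0007/C-0039/C-0042 waivers; making them state that (for example `"coreDNS poisoning - operators need configmap access for X"`) would let a stale waiver be recognised. `"data desctruction"` on the second entry is a typo for `"data destruction"`.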
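Review bot: Adding `6b896afb-ca07-467a-b256-1a0077a1c08e` to `exclude-queries` silences "RBAC Wildcard In Rule" for every manifest under `scans`, including any future Role or ClusterRole that introduces a new `*` verb or resource, whereas the file's own `exclude-results` section (commented `Similarity IDs can be found in the JSON result file of kics`) exists to waive individual findings. Prefer recording the similarity IDs of the wildcard rules that are known and accepted today under `exclude-results`, so a newly added wildcard grant still fails the scan. If the whole query really has to go, extend the trailing comment to say which roles need wildcards and why, e.g. `# RBAC Wildcard In Rule - accepted for <role>, see <issue>`, so the waiver stays reviewable.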
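Review bot: The replacement install line still pipes an unpinned script from the `master` branch straight into `/bin/bash` — `curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash` — so whatever is at the tip of that branch on a given day runs inside the workflow with its token, and because `-s` is used without `-f` an HTTP error page would be fed to bash as well. Pin the ref and fail on HTTP errors, e.g. `curl -sSfL https://raw.githubusercontent.com/kubescape/kubescape/<release-tag>/install.sh | /bin/bash`, or better, fetch the release binary for that tag and verify its published checksum before executing it. The new `export PATH=$PATH:/home/runner/.kubescape/bin` also hard-codes the runner's home directory; `export PATH="$PATH:$HOME/.kubescape/bin"` expresses the same thing without depending on the runner image (assuming the installer uses `$HOME`, which the hunk suggests but does not show). The `run:` block continues past the end of the hunk.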