166 lines (157 loc) · 6.04 KB
action.yml
name: Kubescape
description: Run Kubescape scan
inputs:
  failedThreshold:
    description: |
      Failure threshold is the percent above which the command fails and
      returns exit code 1 (default 0, i.e. the action fails if any control fails)
    required: false
  complianceThreshold:
    description: |
      Compliance threshold is the percent below which the command fails and
      returns exit code 1 (example: if set to 100 the command will fail if any control fails)
    required: false
  severityThreshold:
    description: |
      Severity threshold is the severity of a failed control at or above which
      the command terminates with an exit code 1 (default is "high", i.e. the
      action fails if any High severity control fails)
    required: false
    default: high
  files:
    description: |
      Path to the configuration yaml to scan
    required: false
  outputFile:
    description: |
      Name of the output file, without the extension.
      Default is "results".
      Kubescape adds the appropriate extension automatically to support both
      single and multiple output formats.
    required: false
  verbose:
    description: |
      Display all of the input resources and not only failed resources
    required: false
  frameworks:
    description: |
      List of all frameworks to scan. Run `kubescape list frameworks` with
      the Kubescape CLI to get a list of all frameworks. Either frameworks
      or controls have to be specified.
    required: false
  controls:
    description: |
      List of all controls to scan. Run `kubescape list controls` with the
      Kubescape CLI to get a list of all controls. Either frameworks
      or controls have to be specified.
    required: false
  controlsConfig:
    description: |
      Path to the file containing controls configuration.
    required: false
  account:
    description: |
      Kubescape Portal client id.
      Use for integrating with third-party servers.
    required: false
  accessKey:
    description: |
      Kubescape Portal accessKey.
      Use for integrating with third-party servers.
    required: false
  server:
    description: |
      Kubescape Portal URL.
      Use for integrating with third-party servers.
    required: false
  exceptions:
    description: |
      Path to the json file containing exceptions.
    required: false
  format:
    description: |
      Output format.
      Can take one or more formats. To use one format, omit the comma, e.g.
      `format: json`. To produce results in multiple formats, separate them with
      a comma: `format: sarif,json`.
      For example, when using `output: "results"` and `format: "sarif,json"`,
      Kubescape will produce 2 files: `results.sarif` and `results.json`. You
      can then use `results.sarif` to publish results to GitHub Code Scanning
      and `results.json` to suggest automatic fixes.
      Run `kubescape scan -h` to see a list of supported formats.
    required: false
    default: junit
  fixFiles:
    description: |
      Whether Kubescape will automatically fix files or not.
      If enabled, Kubescape will make fixes to the input files. You can then
      use these fixes to open Pull Requests from your CI/CD pipeline.
    required: false
    default: "false"
  version:
    description: |
      The version of Kubescape to use.
      Can be a specific version (e.g. "v3.0.21") or "latest".
    required: true
    default: latest
  image:
    description: |
      An image to scan.
      This option runs an image scan instead of the usual configuration scan.
      Example: "nginx" or "bitnami/redis" or "quay.io/kubescape/kubescape"
    required: false
  registryUsername:
    description: |
      A username for a private registry that contains the image to be scanned.
    required: false
  registryPassword:
    description: |
      A password for a private registry that contains the image to be scanned.
    required: false
runs:
  using: 'composite'
  steps:
    - id: resolve_version
      shell: bash
      run: |
        VERSION="${{ inputs.version }}"
        if [ "$VERSION" = "latest" ]; then
          # -f makes curl fail on an HTTP error instead of handing jq an error body
          # (jq would then emit the string "null" as the version).
          VERSION=$(curl -fsS -H "Authorization: Bearer ${{ github.token }}" https://api.github.com/repos/kubescape/kubescape/releases/latest | jq -r .tag_name)
        fi
        echo "version=$VERSION" >> "$GITHUB_OUTPUT"
    - name: Build Kubescape container
      shell: bash
      run: |
        docker build -t "kubescape-action:${{ steps.resolve_version.outputs.version }}" \
          --build-arg "KUBESCAPE_VERSION=${{ steps.resolve_version.outputs.version }}" \
          "${{ github.action_path }}"
    - name: Run Kubescape scan
      shell: bash
      run: |
        # Inputs are passed to the container as INPUT_* environment variables;
        # values are quoted so spaces or empty inputs survive word splitting.
        docker run --rm \
          -e GITHUB_ACTIONS=true \
          -e GITHUB_WORKSPACE=/github/workspace \
          -e GITHUB_REPOSITORY="${{ github.repository }}" \
          -e GITHUB_REF="${{ github.ref }}" \
          -e GITHUB_SHA="${{ github.sha }}" \
          -v "${{ github.workspace }}:/github/workspace" \
          -w /github/workspace \
          -e INPUT_FAILEDTHRESHOLD="${{ inputs.failedThreshold }}" \
          -e INPUT_COMPLIANCETHRESHOLD="${{ inputs.complianceThreshold }}" \
          -e INPUT_SEVERITYTHRESHOLD="${{ inputs.severityThreshold }}" \
          -e INPUT_FILES="${{ inputs.files }}" \
          -e INPUT_OUTPUTFILE="${{ inputs.outputFile }}" \
          -e INPUT_VERBOSE="${{ inputs.verbose }}" \
          -e INPUT_FRAMEWORKS="${{ inputs.frameworks }}" \
          -e INPUT_CONTROLS="${{ inputs.controls }}" \
          -e INPUT_CONTROLSCONFIG="${{ inputs.controlsConfig }}" \
          -e INPUT_ACCOUNT="${{ inputs.account }}" \
          -e INPUT_ACCESSKEY="${{ inputs.accessKey }}" \
          -e INPUT_SERVER="${{ inputs.server }}" \
          -e INPUT_EXCEPTIONS="${{ inputs.exceptions }}" \
          -e INPUT_FORMAT="${{ inputs.format }}" \
          -e INPUT_FIXFILES="${{ inputs.fixFiles }}" \
          -e INPUT_IMAGE="${{ inputs.image }}" \
          -e INPUT_REGISTRYUSERNAME="${{ inputs.registryUsername }}" \
          -e INPUT_REGISTRYPASSWORD="${{ inputs.registryPassword }}" \
          "kubescape-action:${{ steps.resolve_version.outputs.version }}"
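The resolve_version step above takes whatever the releases API returns and feeds it straight into `docker build`. The script below is an added example, not part of this action or the Kubescape project: it mirrors that step's logic but validates the resolved tag before use, so an API error body, a missing `tag_name`, or a tag that is not a release tag aborts the step. It assumes Kubescape release tags have the shape vMAJOR.MINOR.PATCH and uses sed in place of jq so it runs offline on constructed input.

```shell
#!/bin/sh
# Added example (not the action's own code): version resolution as done by the
# action's resolve_version step, with the failure modes handled. A failed API
# call, a missing tag, or a tag that does not look like a release tag is
# rejected instead of being passed on to `docker build`.
set -eu

# Accept only vMAJOR.MINOR.PATCH, the shape of Kubescape release tags
# (assumption; adjust the pattern if the project changes its tagging).
is_release_tag() {
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Pull tag_name out of a GitHub "releases/latest" JSON body without jq, so
# this runs offline. The action itself uses `jq -r .tag_name`, which prints
# the string "null" when the key is absent (e.g. on an API error body).
tag_from_release_json() {
  printf '%s' "$1" | sed -n 's/.*"tag_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# resolve_version REQUESTED [RELEASE_JSON]
# "latest" is resolved from RELEASE_JSON (the real step fetches it with curl);
# anything else is used as given. Either way the result must validate.
resolve_version() {
  requested="$1"
  release_json="${2:-}"
  if [ "$requested" = "latest" ]; then
    version="$(tag_from_release_json "$release_json")"
  else
    version="$requested"
  fi
  if ! is_release_tag "$version"; then
    echo "refusing to use version '$version'" >&2
    return 1
  fi
  printf '%s\n' "$version"
}

# Constructed sample responses (not real API output).
GOOD_RELEASE='{"tag_name":"v3.0.21","name":"v3.0.21","draft":false}'
ERROR_BODY='{"message":"API rate limit exceeded"}'

resolve_version latest "$GOOD_RELEASE"   # prints v3.0.21
resolve_version v3.0.20                  # prints v3.0.20
resolve_version latest "$ERROR_BODY" || echo "latest could not be resolved"
```

In the real step the same check would sit between the `jq` call and the `echo ... >> "$GITHUB_OUTPUT"` line, so a bad value never reaches the build.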