From 57fc153970221c95168019e9163b1f6f5d2a0e2d Mon Sep 17 00:00:00 2001
From: Nam Xuan Nguyen
Date: Fri, 1 Apr 2022 17:37:22 +0300
Subject: [PATCH] Add kubesec to BMO
---
 .github/workflows/kubesec.yml | 58 +++++++++++++++++++++++++
 template/sarif.tpl | 79 +++++++++++++++++++++++++++++++++++
 2 files changed, 137 insertions(+)
 create mode 100644 .github/workflows/kubesec.yml
 create mode 100644 template/sarif.tpl
diff --git a/.github/workflows/kubesec.yml b/.github/workflows/kubesec.yml
new file mode 100644
index 0000000000..10eaacdb08
--- /dev/null
+++ b/.github/workflows/kubesec.yml
@@ -0,0 +1,58 @@
+name: Kubesec
+on:
+ push:
+ branches: [ main ]
+ schedule:
+ - cron: '30 7 * * 4'
+
+jobs:
+ setup:
+ runs-on: ubuntu-20.04
+ permissions:
+ actions: read
+ contents: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Collect all yaml
+ id: list_yaml
+ run: |
+ LIST_YAML="$(find * -type f -name '*.yaml')"
+ echo "::set-output name=value::$(IFS=$','; echo $LIST_YAML | jq -cnR '[inputs | select(length>0)]'; IFS=$'\n')"
+ outputs:
+ matrix: ${{ steps.list_yaml.outputs.value }}
+
+ lint:
+ needs: [ setup ]
+ name: Kubesec
+ runs-on: ubuntu-20.04
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ strategy:
+ matrix:
+ value: ${{ fromJson(needs.setup.outputs.matrix) }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Run kubesec scanner
+ uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14
+ with:
+ input: ${{ matrix.value }}
+ format: template
+ template: template/sarif.tpl
+ output: ${{ matrix.value }}.sarif
+ exit-code: "0"
+
+ - name: Save result into a variable
+ id: save_result
+ run: echo "::set-output name=result::$(cat ${{ matrix.value }}.sarif | jq -c '.runs')"
+
+ - name: Upload Kubesec scan results to GitHub Security tab
+ if: ${{ steps.save_result.outputs.result != '[]' }}
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ matrix.value }}.sarif 
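Review bot: The `Save result into a variable` step interpolates `${{ matrix.value }}` directly into a `run:` shell line, so a manifest path containing shell metacharacters would be parsed as shell rather than treated as a filename; pass it through the environment instead, e.g. `env: { SARIF_INPUT: "${{ matrix.value }}" }` on the step and `run: echo "::set-output name=result::$(jq -c '.runs' "${SARIF_INPUT}.sarif")"`. The paths come from the checked-out `main` tree, which limits the exposure to content already committed, but it is the same expression-in-`run` pattern that GitHub's script-injection hardening guidance recommends avoiding. Pinning is also inconsistent: `controlplaneio/kubesec-action` is pinned to a full commit SHA while `actions/checkout@v2` and `github/codeql-action/upload-sarif@v1` follow mutable tags, so those two should be pinned the same way for a consistent supply-chain posture. The collection step's `find * -type f -name '*.yaml'` skips `*.yml` files and dot-directories; if that is intended, a one-line comment above it would save the next reader from wondering why some manifests are never scanned.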
diff --git a/template/sarif.tpl b/template/sarif.tpl
new file mode 100644
index 0000000000..e2950946af
--- /dev/null
+++ b/template/sarif.tpl
@@ -0,0 +1,79 @@
+{
+ "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json",
+ "version": "2.1.0",
+ "runs": [
+ {{- $run_first := true }}
+ {{- range $report_index, $report := . }}
+ {{- if and $report.Valid (not (eq $report.Message "This resource kind is not supported by kubesec")) -}}
+ {{- if $run_first -}}
+ {{- $run_first = false -}}
+ {{ else -}}
+ ,
+ {{- end }}
+ {
+ "tool": {
+ "driver": {
+ "name": "Kubesec",
+ "fullName": "Kubesec Kubernetes Resource Security Policy Validator",
+ "rules": [
+ {{- $rule_first := true }}
+ {{- range .Rules }}
+ {{- if $rule_first -}}
+ {{- $rule_first = false -}}
+ {{ else -}}
+ ,
+ {{- end }}
+ {
+ "id": "{{ .ID }}",
+ "shortDescription": {
+ "text": "{{ .Reason }}"
+ },
+ "messageStrings": {
+ "selector": {
+ "text": {{ escapeString .Selector | printf "%q" }}
+ }
+ },
+ "properties": {
+ "points": "{{ .Points }}"
+ }
+ }
+ {{- end -}}
+ ]
+ }
+ },
+ "results": [
+ {{- $result_first := true }}
+ {{- range $result_index, $res := joinSlices .Scoring.Advise .Scoring.Critical -}}
+ {{- if $result_first -}}
+ {{- $result_first = false -}}
+ {{ else -}}
+ ,
+ {{- end }}
+ {
+ "ruleId": "{{ $res.ID }}",
+ "level": "warning",
+ "message": {
+ "text": {{ endWithPeriod $res.Reason | printf "%q" }},
+ "properties": {
+ "score": "{{ $res.Points }}",
+ "selector": {{ escapeString $res.Selector | printf "%q" }}
+ }
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "{{ $report.FileName }}"
+ }
+ }
+ }
+ ]
+ }
+ {{- end -}}
+ ],
+ "columnKind": "utf16CodeUnits"
+ }
+ {{- end -}}
+ {{- end }}
+ ]
+}
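Review bot: Several values are spliced raw into hand-written JSON string literals — `"id": "{{ .ID }}"` and `"text": "{{ .Reason }}"` in the rules block, `"ruleId": "{{ $res.ID }}"`, and `"uri": "{{ $report.FileName }}"` — while the neighbouring `.Selector` and `$res.Reason` values go through `printf "%q"`, so a reason string or file path containing a double quote or backslash yields malformed SARIF that the workflow's `jq -c '.runs'` step and the upload would then reject. Quote them the same way as the rest of the template, e.g. `"id": {{ .ID | printf "%q" }},`, `"text": {{ .Reason | printf "%q" }}` and `"uri": {{ $report.FileName | printf "%q" }}`. Go's `%q` is not a strict JSON encoder (it can emit escapes JSON does not accept for unusual bytes), so if the template function set offers a JSON-quoting helper that would be the more robust choice; that cannot be confirmed from this patch. Every result is also emitted with a fixed `"level": "warning"` even though `joinSlices .Scoring.Advise .Scoring.Critical` merges advisory and critical findings, which presumably flattens the severity shown in the Security tab; deriving the level from the originating slice (or at least noting the choice in a template comment) would make the triage signal clearer.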