From 88fc5b24c436bd1d72fd0bd5c1227f348442a7a6 Mon Sep 17 00:00:00 2001
From: Christoph Hamsen
Date: Fri, 5 Apr 2024 13:24:48 +0200
Subject: [PATCH 1/9] test: fix makefile tests

---
 Makefile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 5c6feff..f81c53d 100644
--- a/Makefile
+++ b/Makefile
@@ -57,9 +57,7 @@ test:
 @echo "####################"
 -kubectl create -f tests/demo
 @echo
- -kubectl get pods -n test-semgr8s-passing
- @echo
- -kubectl get pods -n test-semgr8s-failing
+ -kubectl get pods -n test-semgr8s
 @echo
 -kubectl delete -f tests/demo

From b9f8797538b78cea53231ea470247928c41b6391 Mon Sep 17 00:00:00 2001
From: Christoph Hamsen
Date: Wed, 10 Apr 2024 14:52:02 +0200
Subject: [PATCH 2/9] feat: delete deprecated rules

---
 semgr8s/k8s_api.py | 2 +-
 semgr8s/updater.py | 25 ++++++++++++++++++++-----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/semgr8s/k8s_api.py b/semgr8s/k8s_api.py
index a21d071..e466f1e 100644
--- a/semgr8s/k8s_api.py
+++ b/semgr8s/k8s_api.py
@@ -28,7 +28,7 @@ def request_kube_api(path: str):
 try:
 response = requests.get(url, verify=ca_path, headers=headers, timeout=30)
 except JSONDecodeError as err:
- APP.logger.error("ERROR: Malformed k8s API response or resource yaml: %s", err)
+ APP.logger.error("Malformed k8s API response or resource yaml: %s", err)
 return {}
 response.raise_for_status()
diff --git a/semgr8s/updater.py b/semgr8s/updater.py
index 4297219..09a5b58 100644
--- a/semgr8s/updater.py
+++ b/semgr8s/updater.py
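Review bot: The rewritten `test` target still prefixes every kubectl invocation with `-`, so `make test` exits 0 whether the demo manifests are admitted or rejected, and the only evidence of what happened is the listing printed by the new `-kubectl get pods -n test-semgr8s` line. If `tests/demo` holds both resources that must be admitted and resources that must be denied (the removed `-passing`/`-failing` namespaces suggest it did), a CI run cannot distinguish a regression from a pass. Consider dropping the `-` on the create of manifests that must be admitted and inverting the exit status for manifests that must be denied, e.g. `! kubectl create -f <denied-manifest>`, so the target fails when the webhook's verdict changes. The rest of the recipe lies outside the hunk.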
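Review bot: The `except JSONDecodeError as err:` on the new side wraps only `requests.get(...)`, which never raises `JSONDecodeError` — that comes from `response.json()`, and no such call sits inside this `try`, so a malformed body will propagate out of `request_kube_api` instead of reaching the reworded log line and the `return {}` fallback. Either move the `try` to enclose the `.json()` call (which presumably follows `response.raise_for_status()` below the hunk) or catch `requests.RequestException` here for transport errors and keep the decode handling where the body is parsed. The `return {}` fallback is also worth a comment such as `# empty dict: callers must treat "no items" as "fetch failed", not "no rules"`, because a caller iterating `.get("items", [])` cannot tell the two apart. The function continues beyond the hunk.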
@@ -2,21 +2,28 @@
 Update cached rules from configmaps.
 """
-import logging
 import os
 from urllib.parse import urlencode
 from semgr8s.k8s_api import request_kube_api
+from semgr8s.app import APP
+
+RULESPATH = "/app/rules"
 def update_rules():
 """
 Request all rule configmaps from kubernetes api and store locally in semgrep format.
 """
- logging.info("INFO: updateing rule set")
+ APP.logger.debug("Updating rule set")
 try:
+ old_rule_files = [
+ file
+ for file in os.listdir(RULESPATH)
+ if os.path.isfile(os.path.join(RULESPATH, file))
+ ]
 namespace = os.getenv("NAMESPACE", "default")
 query = {"labelSelector": "semgr8s/rule"}
@@ -28,8 +35,16 @@ def update_rules():
 data = list(item.get("data", {}).items())
 for datum in data:
 file, content = datum
- with open(f"/app/rules/{file}", "w", encoding="utf-8") as rule_file:
+ path = os.path.join(RULESPATH, file)
+ with open(path, "w", encoding="utf-8") as rule_file:
 rule_file.write(content)
- logging.info("INFO: updated %s rule", file)
+ APP.logger.debug("Updated %s rule", file)
+ try:
+ old_rule_files.remove(file)
+ except ValueError:
+ pass
+ for deprecated_rule in old_rule_files:
+ os.remove(os.path.join(RULESPATH, deprecated_rule))
+ APP.logger.info("Deleted %s rule", deprecated_rule)
 except Exception as err: # pylint: disable=W0718
- logging.error("Error updating rules: %s", err)
+ APP.logger.error("Updating rules failed unexpectedly: %s", err)

From bd598c41e9efc0bac60455f0136626a96267fb31 Mon Sep 17 00:00:00 2001
From: Christoph Hamsen
Date: Wed, 10 Apr 2024 16:25:03 +0200
Subject: [PATCH 3/9] update: bump semgr8s version to v0.1.9

---
 charts/semgr8s/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/semgr8s/Chart.yaml b/charts/semgr8s/Chart.yaml
index e8b940e..f061dd1 100644
--- a/charts/semgr8s/Chart.yaml
+++ b/charts/semgr8s/Chart.yaml
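Review bot: The pruning loop `for deprecated_rule in old_rule_files:` deletes every cached rule that the API response did not mention, so an empty or partial response — RBAC denying the list, the `{}` that `request_kube_api` returns on a decode error, a `semgr8s/rule` label removed by mistake — empties `/app/rules` and the admission controller keeps serving with no policies loaded, which presumably means it admits everything (fail-open). Skip the deletion when the fetched item list is empty: right before the loop add something like `if not <fetched_items>: APP.logger.warning("No rule configmaps returned; keeping cached rules"); return` (the variable holding the list is assigned between the two hunks, so its name is not visible here). Separately, `file` is a ConfigMap data key, which the API server restricts to `[-._a-zA-Z0-9]+`, so `os.path.join(RULESPATH, file)` cannot escape the rules directory today, but that guarantee lives in the cluster rather than in this code; a one-line `if os.sep in file or file in (".", ".."): continue` before the `open` would make the invariant local and documented. The `for item in ...` loop that `data = list(item.get(...))` belongs to starts between the hunks.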
@@ -2,8 +2,8 @@ apiVersion: v2
 name: semgr8s
 description: Semgrep-based Policy Controller for Kubernetes
 type: application
-version: "0.1.8"
-appVersion: "0.1.8"
+version: "0.1.9"
+appVersion: "0.1.9"
 keywords:
 - kubernetes
 - admission controller

From 69d87371044d963b6f53a0236bc887f9bcebe77b Mon Sep 17 00:00:00 2001
From: Christoph Hamsen
Date: Fri, 12 Apr 2024 12:39:38 +0200
Subject: [PATCH 4/9] ci: add ci permissions for attestations read

---
 .github/workflows/.reusable-ci.yml | 1 +
 .github/workflows/pr.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/.reusable-ci.yml b/.github/workflows/.reusable-ci.yml
index f62a841..2d7111f 100644
--- a/.github/workflows/.reusable-ci.yml
+++ b/.github/workflows/.reusable-ci.yml
@@ -108,6 +108,7 @@ jobs:
 needs: [conditionals]
 permissions:
 actions: read
+ attestations: read
 checks: read
 contents: write
 deployments: read
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index c67b311..3ed1f98 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -16,6 +16,7 @@ jobs:
 uses: ./.github/workflows/.reusable-ci.yml
 permissions:
 actions: read
+ attestations: read
 checks: write
 contents: write
 deployments: read

From b585574f45ff225c9652fa7b18b3a927f90eb0c8 Mon Sep 17 00:00:00 2001
From: Christoph Hamsen
Date: Fri, 12 Apr 2024 12:33:58 +0200
Subject: [PATCH 5/9] feat: refine webhook scope

---
 charts/semgr8s/templates/webhook.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/charts/semgr8s/templates/webhook.yaml b/charts/semgr8s/templates/webhook.yaml
index 0f1a836..6154609 100644
--- a/charts/semgr8s/templates/webhook.yaml
+++ b/charts/semgr8s/templates/webhook.yaml
@@ -31,7 +31,12 @@ webhooks:
 matchLabels:
 semgr8s/validation: enabled
 rules:
- - apiGroups: [""]
+ - apiGroups:
+ - ""
+ - "apps"
+ - "batch"
+ - "networking.k8s.io"
+ - "rbac.authorization.k8s.io"
 resources:
 - "*"
 apiVersions:
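Review bot: The `resources: - "*"` entry beneath the widened `apiGroups` list matches top-level resources only; Kubernetes does not include subresources unless `"*/*"` is listed, so `pods/ephemeralcontainers` in the core group — the usual way to get an unvalidated container into a pod — and subresource writes such as `deployments/scale` in `apps` still bypass the webhook. If full coverage is the intent, change the entry to `- "*/*"`, or enumerate the subresources that should be validated and say so in a comment on the rule. Intercepting `rbac.authorization.k8s.io` also raises the stakes of the webhook's `failurePolicy`, which is outside this hunk: with `Fail`, a semgr8s outage blocks RBAC changes in every namespace labelled `semgr8s/validation: enabled`; with `Ignore`, the policy fails open — whichever it is deserves a line in the chart values documentation next to the new groups. The rule's `apiVersions` and `operations` continue past the hunk.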
From e585bd85b10f03a89bc7a3d35df41a4ebc89f30e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 12 Apr 2024 10:56:15 +0000
Subject: [PATCH 6/9] update: bump the pip-packages group with 2 updates (#167)

---
 poetry.lock | 20 ++++++++++----------
 pyproject.toml | 4 ++--
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/poetry.lock b/poetry.lock
index 7770959..44641ef 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -480,13 +480,13 @@ boltons = ">=20.0.0"
 [[package]]
 name = "flask"
-version = "3.0.2"
+version = "3.0.3"
 description = "A simple framework for building complex web applications."
 optional = false
 python-versions = ">=3.8"
 files = [
- {file = "flask-3.0.2-py3-none-any.whl", hash = "sha256:3232e0e9c850d781933cf0207523d1ece087eb8d87b23777ae38456e2fbe7c6e"},
- {file = "flask-3.0.2.tar.gz", hash = "sha256:822c03f4b799204250a7ee84b1eddc40665395333973dfb9deebfe425fefcb7d"},
+ {file = "flask-3.0.3-py3-none-any.whl", hash = "sha256:34e815dfaa43340d1d15a5c3a02b8476004037eb4840b34910c6e21679d288f3"},
+ {file = "flask-3.0.3.tar.gz", hash = "sha256:ceb27b0af3823ea2737928a4d99d125a06175b8512c445cbd9a9ce200ef76842"},
 ]
 [package.dependencies]
@@ -1672,16 +1672,16 @@ pbr = "*" [[package]] name = "semgrep" -version = "1.67.0" +version = "1.68.0" description = "Lightweight static analysis for many languages. Find bug variants with patterns that look like source code." optional = false python-versions = ">=3.8" files = [ - {file = "semgrep-1.67.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-any.whl", hash = "sha256:8afd362ff76f71f23ff57b9b0be10e7aa31a570757874b2a2efd368f57e7d5a3"}, - {file = "semgrep-1.67.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-macosx_10_14_x86_64.whl", hash = "sha256:c0c90e645bd1e870414efbbc997443176b3432aa7f2e48551f623edac2086bde"}, - {file = "semgrep-1.67.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-macosx_11_0_arm64.whl", hash = "sha256:00a35cf52c576ca6fa59d16513a6aacc50ddb4c1b397edcb8574db36f1521d84"}, - {file = "semgrep-1.67.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-musllinux_1_0_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c05b847200ae72200e47c30d0b11d6f130a88e2f7b83b75751fd3a3344fd3168"}, - {file = "semgrep-1.67.0.tar.gz", hash = "sha256:fbbc043c155e153be837fdf208063f3d7748934077968bc20b21efed502a2d6d"}, + {file = "semgrep-1.68.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-any.whl", hash = "sha256:c555b1527c8b9e654273c1e91da32483e96a2f10adf0b7aa290f9f4d239c6f9c"}, + {file = "semgrep-1.68.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-macosx_10_14_x86_64.whl", hash = "sha256:98d2c7d7511b9bb7ffce3a389a61e557af63508f5c8e39b0f3447df6d6971d72"}, + {file = "semgrep-1.68.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-macosx_11_0_arm64.whl", hash = "sha256:cd5b32abb9e35cd8ff658dd8917e8ee3d23f04d81fb690f90628fd8c4b6465a3"}, + {file = "semgrep-1.68.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-musllinux_1_0_aarch64.manylinux2014_aarch64.whl", hash = "sha256:34d34c299d69f87b4f4eaeb2256a27642e957a6c8ab2c8a0d9e922f1ed1ac1db"}, + {file = "semgrep-1.68.0.tar.gz", hash = 
"sha256:018383e8c3a101bbe2adb7417f7a773cb9c762358d31612616853df678eb99b7"},
 ]
 [package.dependencies]
@@ -1911,4 +1911,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.11"
-content-hash = "c86e8bf0244779b362228da374f4b9097b47a64d232510f9ed75557a786869c8"
+content-hash = "7623a37405112cd6e454acfae5e756f3b73a8d78bce19f7bc82a589a579d60d0"
diff --git a/pyproject.toml b/pyproject.toml
index b277806..62200bf 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -8,10 +8,10 @@ readme = "README.md"
 [tool.poetry.dependencies]
 python = "^3.11"
 APScheduler = "3.10.4"
-Flask = "3.0.2"
+Flask = "3.0.3"
 gunicorn = "21.2.0"
 PyYAML = "6.0.1"
-semgrep = "1.67.0"
+semgrep = "1.68.0"
 jsonpatch = "1.33"
 cheroot = "10.0.0"

From 47326eb0c80f7a0ccf24e0db79fc2aad19128238 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 12 Apr 2024 11:10:09 +0000
Subject: [PATCH 7/9] update: bump the gh-actions-packages group with 3 updates (#169)

---
 .github/workflows/.reusable-compliance.yml | 2 +-
 .github/workflows/.reusable-sast.yml | 18 +++++++++---------
 .github/workflows/.reusable-unit-test.yml | 2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/.reusable-compliance.yml b/.github/workflows/.reusable-compliance.yml
index 325a908..06e7e05 100644
--- a/.github/workflows/.reusable-compliance.yml
+++ b/.github/workflows/.reusable-compliance.yml
@@ -33,7 +33,7 @@ jobs:
 repo_token: ${{ secrets.SCORECARD_TOKEN }}
 publish_results: false #TODO: reactivate when working again
 - name: Upload
- uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/.reusable-sast.yml b/.github/workflows/.reusable-sast.yml
index d980008..25041c2 100644
--- a/.github/workflows/.reusable-sast.yml
+++ b/.github/workflows/.reusable-sast.yml
@@ -48,7 +48,7 @@ jobs:
 run: bandit -r -f sarif -o bandit-results.sarif semgr8s/ --exit-zero
 - name: Upload
 if: inputs.output == 'sarif'
- uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 with:
 sarif_file: 'bandit-results.sarif'
@@ -99,14 +99,14 @@ jobs:
 shell: bash
 - name: Scan
 if: inputs.output == 'table'
- uses: bridgecrewio/checkov-action@068bd0c37d4fc3fb29500a1c039da808ec60e560 # v12.2705.0
+ uses: bridgecrewio/checkov-action@11831674b6dff6f3ff258e9f08e570da00997860 # v12.2712.0
 with:
 skip_check: CKV_DOCKER_2
 output_format: cli
 soft_fail: false
 - name: Scan
 if: inputs.output == 'sarif'
- uses: bridgecrewio/checkov-action@068bd0c37d4fc3fb29500a1c039da808ec60e560 # v12.2705.0
+ uses: bridgecrewio/checkov-action@11831674b6dff6f3ff258e9f08e570da00997860 # v12.2712.0
 with:
 skip_check: CKV_DOCKER_2
 output_file_path: console,checkov-results.sarif
@@ -114,7 +114,7 @@ jobs:
 soft_fail: true
 - name: Upload
 if: inputs.output == 'sarif'
- uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 with:
 sarif_file: checkov-results.sarif
@@ -131,11 +131,11 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - name: Initialize CodeQL
- uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 with:
 languages: 'python'
 - name: Analyze
- uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 hadolint:
 runs-on: ubuntu-latest
@@ -164,7 +164,7 @@ jobs:
 no-fail: true
 output-file: hadolint-results.sarif
 - name: Upload
- uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 if: inputs.output == 'sarif'
 with:
 sarif_file: 'hadolint-results.sarif'
@@ -197,7 +197,7 @@ jobs:
 format: sarif
 output-file: kubelinter-results.sarif
 - name: Upload
- uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 if: inputs.output == 'sarif'
 with:
 sarif_file: 'kubelinter-results.sarif'
@@ -247,7 +247,7 @@ jobs:
 if: inputs.output == 'sarif'
 run: semgrep ci --config=auto --suppress-errors --sarif --output=semgrep-results.sarif || exit 0
 - name: Upload
- uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 if: inputs.output == 'sarif'
 with:
 sarif_file: semgrep-results.sarif
diff --git a/.github/workflows/.reusable-unit-test.yml b/.github/workflows/.reusable-unit-test.yml
index b018c7d..fbdcd98 100644
--- a/.github/workflows/.reusable-unit-test.yml
+++ b/.github/workflows/.reusable-unit-test.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - name: Set up Docker buildx
- uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 - name: Build test image
 uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
 with:

From b17ec40dc432137cbe16fa7a1514e91849598e50 Mon Sep 17 00:00:00 2001
From: Christoph Hamsen
Date: Fri, 12 Apr 2024 13:14:16 +0200
Subject: [PATCH 8/9] ci: update all workflow permissions to attestations read

---
 .github/workflows/nightly-build.yml | 1 +
 .github/workflows/nightly.yaml | 1 +
 .github/workflows/pr2main.yml | 1 +
 .github/workflows/push.yml | 1 +
 .github/workflows/tag.yml | 1 +
 5 files changed, 5 insertions(+)

diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
index fe6d438..749fa02 100644
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
@@ -15,6 +15,7 @@ jobs:
 uses: ./.github/workflows/.reusable-ci.yml
 permissions:
 actions: read
+ attestations: read
 checks: write
 contents: write
 deployments: read
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index a49faf7..962eef5 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -24,6 +24,7 @@ jobs:
 uses: ./.github/workflows/.reusable-compliance.yml
 permissions:
 actions: read
+ attestations: read
 checks: read
 contents: write
 deployments: read
diff --git a/.github/workflows/pr2main.yml b/.github/workflows/pr2main.yml
index a04a6fa..c406cd1 100644
--- a/.github/workflows/pr2main.yml
+++ b/.github/workflows/pr2main.yml
@@ -16,6 +16,7 @@ jobs:
 uses: ./.github/workflows/.reusable-ci.yml
 permissions:
 actions: read
+ attestations: read
 checks: write
 contents: write
 deployments: read
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index e389a1f..fb79472 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -17,6 +17,7 @@ jobs:
 uses: ./.github/workflows/.reusable-ci.yml
 permissions:
 actions: read
+ attestations: read
 checks: write
 contents: write
 deployments: read
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 1405986..e9a5f54 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -16,6 +16,7 @@ jobs:
 uses: ./.github/workflows/.reusable-ci.yml
 permissions:
 actions: read
+ attestations: read
 checks: write
 contents: write
 deployments: read

From d3c98875ea25edd11e692cdb626c8863bd2371ce Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 12 Apr 2024 11:32:28 +0000
Subject: [PATCH 9/9] update: bump idna from 3.6 to 3.7

Bumps [idna](https://github.com/kjd/idna) from 3.6 to 3.7.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](https://github.com/kjd/idna/compare/v3.6...v3.7)

---
updated-dependencies:
- dependency-name: idna
 dependency-type: indirect
...

Signed-off-by: dependabot[bot]
---
 poetry.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/poetry.lock b/poetry.lock
index 44641ef..f4d7a6f 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -558,13 +558,13 @@ tornado = ["tornado (>=0.2)"]
 [[package]]
 name = "idna"
-version = "3.6"
+version = "3.7"
 description = "Internationalized Domain Names in Applications (IDNA)"
 optional = false
 python-versions = ">=3.5"
 files = [
- {file = "idna-3.6-py3-none-any.whl", hash = "sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f"},
- {file = "idna-3.6.tar.gz", hash = "sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca"},
+ {file = "idna-3.7-py3-none-any.whl", hash = "sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0"},
+ {file = "idna-3.7.tar.gz", hash = "sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc"},
 ]
 [[package]]