release v0.1.9

.github/workflows/.reusable-ci.yml

@@ -108,6 +108,7 @@ jobs:
     needs: [conditionals]
     permissions:
       actions: read
+      attestations: read
       checks: read
       contents: write
       deployments: read

.github/workflows/.reusable-compliance.yml

@@ -33,7 +33,7 @@ jobs:
           repo_token: ${{ secrets.SCORECARD_TOKEN }}
           publish_results: false  #TODO: reactivate when working again
       - name: Upload
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           sarif_file: results.sarif
 

.github/workflows/.reusable-sast.yml

@@ -48,7 +48,7 @@ jobs:
         run: bandit -r -f sarif -o bandit-results.sarif semgr8s/ --exit-zero
       - name: Upload
         if: inputs.output == 'sarif'
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           sarif_file: 'bandit-results.sarif'
 
@@ -99,22 +99,22 @@ jobs:
         shell: bash
       - name: Scan
         if: inputs.output == 'table'
-        uses: bridgecrewio/checkov-action@068bd0c37d4fc3fb29500a1c039da808ec60e560 # v12.2705.0
+        uses: bridgecrewio/checkov-action@11831674b6dff6f3ff258e9f08e570da00997860 # v12.2712.0
         with:
           skip_check: CKV_DOCKER_2
           output_format: cli
           soft_fail: false
       - name: Scan
         if: inputs.output == 'sarif'
-        uses: bridgecrewio/checkov-action@068bd0c37d4fc3fb29500a1c039da808ec60e560 # v12.2705.0
+        uses: bridgecrewio/checkov-action@11831674b6dff6f3ff258e9f08e570da00997860 # v12.2712.0
         with:
           skip_check: CKV_DOCKER_2
           output_file_path: console,checkov-results.sarif
           output_format: cli,sarif
           soft_fail: true
       - name: Upload
         if: inputs.output == 'sarif'
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           sarif_file: checkov-results.sarif
 
@@ -131,11 +131,11 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+      uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
       with:
         languages: 'python'
     - name: Analyze
-      uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+      uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 
   hadolint:
     runs-on: ubuntu-latest
@@ -164,7 +164,7 @@ jobs:
           no-fail: true
           output-file: hadolint-results.sarif
       - name: Upload
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         if: inputs.output == 'sarif'
         with:
           sarif_file: 'hadolint-results.sarif'
@@ -197,7 +197,7 @@ jobs:
           format: sarif
           output-file: kubelinter-results.sarif
       - name: Upload
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         if: inputs.output == 'sarif'
         with:
           sarif_file: 'kubelinter-results.sarif'
@@ -247,7 +247,7 @@ jobs:
         if: inputs.output == 'sarif'
         run: semgrep ci --config=auto --suppress-errors --sarif --output=semgrep-results.sarif || exit 0
       - name: Upload
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         if: inputs.output == 'sarif'
         with:
           sarif_file: semgrep-results.sarif

.github/workflows/.reusable-unit-test.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Set up Docker buildx
-        uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
       - name: Build test image
         uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:

.github/workflows/nightly-build.yml

@@ -15,6 +15,7 @@ jobs:
     uses: ./.github/workflows/.reusable-ci.yml
     permissions:
       actions: read
+      attestations: read
       checks: write
       contents: write
       deployments: read

.github/workflows/nightly.yaml

@@ -24,6 +24,7 @@ jobs:
     uses: ./.github/workflows/.reusable-compliance.yml
     permissions:
       actions: read
+      attestations: read
       checks: read
       contents: write
       deployments: read

.github/workflows/pr.yml

@@ -16,6 +16,7 @@ jobs:
     uses: ./.github/workflows/.reusable-ci.yml
     permissions:
       actions: read
+      attestations: read
       checks: write
       contents: write
       deployments: read

.github/workflows/pr2main.yml

@@ -16,6 +16,7 @@ jobs:
     uses: ./.github/workflows/.reusable-ci.yml
     permissions:
       actions: read
+      attestations: read
       checks: write
       contents: write
       deployments: read

.github/workflows/push.yml

@@ -17,6 +17,7 @@ jobs:
     uses: ./.github/workflows/.reusable-ci.yml
     permissions:
       actions: read
+      attestations: read
       checks: write
       contents: write
       deployments: read

.github/workflows/tag.yml

@@ -16,6 +16,7 @@ jobs:
     uses: ./.github/workflows/.reusable-ci.yml
     permissions:
       actions: read
+      attestations: read
       checks: write
       contents: write
       deployments: read

Makefile

@@ -57,9 +57,7 @@ test:
 	@echo "####################"
 	-kubectl create -f tests/demo
 	@echo
-	-kubectl get pods -n test-semgr8s-passing
-	@echo
-	-kubectl get pods -n test-semgr8s-failing
+	-kubectl get pods -n test-semgr8s
 	@echo
 	-kubectl delete -f tests/demo
 

charts/semgr8s/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: semgr8s
 description: Semgrep-based Policy Controller for Kubernetes
 type: application
-version: "0.1.8"
-appVersion: "0.1.8"
+version: "0.1.9"
+appVersion: "0.1.9"
 keywords:
   - kubernetes
   - admission controller

charts/semgr8s/templates/webhook.yaml

@@ -31,7 +31,12 @@ webhooks:
       matchLabels:
         semgr8s/validation: enabled
     rules:
-      - apiGroups: [""]
+      - apiGroups:
+          - ""
+          - "apps"
+          - "batch"
+          - "networking.k8s.io"
+          - "rbac.authorization.k8s.io"
         resources:
           - "*"
         apiVersions:

pyproject.toml

@@ -8,10 +8,10 @@ readme = "README.md"
 [tool.poetry.dependencies]
 python = "^3.11"
 APScheduler = "3.10.4"
-Flask = "3.0.2"
+Flask = "3.0.3"
 gunicorn = "21.2.0"
 PyYAML = "6.0.1"
-semgrep = "1.67.0"
+semgrep = "1.68.0"
 jsonpatch = "1.33"
 cheroot = "10.0.0"
 

semgr8s/k8s_api.py

@@ -28,7 +28,7 @@ def request_kube_api(path: str):
     try:
         response = requests.get(url, verify=ca_path, headers=headers, timeout=30)
     except JSONDecodeError as err:
-        APP.logger.error("ERROR: Malformed k8s API response or resource yaml: %s", err)
+        APP.logger.error("Malformed k8s API response or resource yaml: %s", err)
         return {}
 
     response.raise_for_status()

semgr8s/updater.py

@@ -2,21 +2,28 @@
 Update cached rules from configmaps.
 """
 
-import logging
 import os
 
 from urllib.parse import urlencode
 
 from semgr8s.k8s_api import request_kube_api
+from semgr8s.app import APP
+
+RULESPATH = "/app/rules"
 
 
 def update_rules():
     """
     Request all rule configmaps from kubernetes api and store locally in semgrep format.
     """
-    logging.info("INFO: updateing rule set")
+    APP.logger.debug("Updating rule set")
 
     try:
+        old_rule_files = [
+            file
+            for file in os.listdir(RULESPATH)
+            if os.path.isfile(os.path.join(RULESPATH, file))
+        ]
         namespace = os.getenv("NAMESPACE", "default")
         query = {"labelSelector": "semgr8s/rule"}
 
@@ -28,8 +35,16 @@ def update_rules():
             data = list(item.get("data", {}).items())
             for datum in data:
                 file, content = datum
-                with open(f"/app/rules/{file}", "w", encoding="utf-8") as rule_file:
+                path = os.path.join(RULESPATH, file)
+                with open(path, "w", encoding="utf-8") as rule_file:
                     rule_file.write(content)
-                logging.info("INFO: updated %s rule", file)
+                APP.logger.debug("Updated %s rule", file)
+                try:
+                    old_rule_files.remove(file)
+                except ValueError:
+                    pass
+        for deprecated_rule in old_rule_files:
+            os.remove(os.path.join(RULESPATH, deprecated_rule))
+            APP.logger.info("Deleted %s rule", deprecated_rule)
     except Exception as err:  # pylint: disable=W0718
-        logging.error("Error updating rules: %s", err)
+        APP.logger.error("Updating rules failed unexpectedly: %s", err)