shiwwamm/Kubescape-github-action

Kubescape action

Run security scans on your Kubernetes manifests and Helm charts as part of your CI using the Kubescape action. Kubescape scans K8s clusters, YAML files, and Helm charts, detecting misconfigurations according to multiple frameworks (such as NSA-CISA and MITRE ATT&CK®) as well as software vulnerabilities.

Usage

Add the following step to your workflow configuration:

steps:
  - uses: actions/checkout@v2 
  - uses: kubescape/github-action@main
    with:
      files: kubernetes/*.yaml

Inputs

files (required)
  The YAML files or Helm charts to scan for misconfigurations. The files must be given with their complete path from the root of the repository.

threshold (optional, default 0)
  Failure threshold: the failure percentage above which the command fails and returns exit code 1. With the default of 0 the action fails if any control fails.

framework (optional)
  The security framework(s) to scan the files against. Multiple frameworks are separated by a comma with no spaces, for example nsa,devopsbest. Run kubescape list frameworks with the Kubescape CLI to get a list of all frameworks. Either frameworks or controls have to be specified.

control (optional)
  The security control(s) to scan the files against. Multiple controls are separated by a comma with no spaces, for example Configured liveness probe,Pods in default namespace. Run kubescape list controls with the Kubescape CLI to get a list of all controls. Either the complete control name or its ID (such as C-0001) can be given. Either controls or frameworks have to be specified.

args (optional)
  Additional arguments to the Kubescape CLI. The following arguments are supported:
  • -f, --format - Output format. Supported formats: "pretty-printer"/"json"/"junit"/"prometheus" (default "pretty-printer")
  • -o, --output - Output file. Print output to a file instead of stdout
  • -s, --silent - Silence progress messages
  • --verbose - Display all of the input resources, not only the failed ones
  • --logger - Logger level. Supported: debug/info/success/warning/error/fatal (default "info")

exceptions (optional)
  A JSON file containing at least one resource and one policy. Refer to the exceptions docs for more information. Resources covered by an exception are reported as excluded rather than failed.

Examples

  • Standard
name: Scan YAML files with Kubescape
on: push

jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: kubescape/github-action@main
        with:
          files: "kubernetes-prod/*.yaml"
  • With arguments
name: Scan YAML files using Kubescape with additional arguments
on: push

jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: kubescape/github-action@main
        with:
          args: "--fail-threshold 90"
          files: "kubernetes-prod/*.yaml"
  • Specifying frameworks
name: Scan YAML files using Kubescape and against specific frameworks
on: push

jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: kubescape/github-action@main
        with:
          files: "kubernetes-prod/*.yaml"
          framework: |
            nsa,devopsbest
  • Specific controls
name: Scan YAML files using Kubescape and for specific controls
on: push

jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: kubescape/github-action@main
        with:
          files: "kubernetes-prod/*.yaml"
          control: |
            Configured liveness probe,Pods in default namespace,Bash/cmd inside container
  • Store the results in a file as an artifact
name: Scan YAML files with Kubescape and store results as an artifact
on: push

jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: kubescape/github-action@main
        with:
          args: "--format junit --output results.xml"
          files: "kubernetes-prod/*.yaml"
          framework: nsa
      - name: Archive kubescape scan results
        uses: actions/upload-artifact@v2
        with:
          name: kubescape-scan-report
          path: results.xml
  • Exceptions
name: KubeScape-Exceptions
on: push

jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: kubescape/github-action@main
        with:
          files: "kubernetes-prod/*.yaml"
          exceptions: exceptions/exclude-NSA-framework.json
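The "store the results as an artifact" example above writes a JUnit report, and the threshold input decides when the job fails. The following script is an added example for a follow-up CI step that consumes such a report; it is not part of the Kubescape action or the Kubescape CLI. It assumes that the file written by `--format junit --output results.xml` is standard JUnit XML in which each testcase is one control and a failure child marks a control that failed, and it applies the README's threshold rule ("fails when the failure percent is above the threshold, default 0") to the share of failed controls it counts, which is this example's own approximation of the CLI's computation. The sample report and its control IDs are constructed; only the control names come from the README.

```python
"""Post-process a Kubescape JUnit report in CI.

Added example; not part of the Kubescape action or CLI. Assumption: the
report is standard JUnit XML where each <testcase> is one control and a
<failure> child marks a failed control. The sample below is constructed.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample report: two failed controls, two passed.
# Control IDs are placeholders; control names are taken from the README.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="kubescape" tests="4" failures="2">
    <testcase classname="C-0001" name="Configured liveness probe">
      <failure message="1 resource failed">Deployment/web (kubernetes-prod/web.yaml): no livenessProbe</failure>
    </testcase>
    <testcase classname="C-0002" name="Pods in default namespace">
      <failure message="1 resource failed">Pod/debug (kubernetes-prod/debug.yaml): namespace is default</failure>
    </testcase>
    <testcase classname="C-0003" name="Bash/cmd inside container"/>
    <testcase classname="C-0004" name="Placeholder control that passed"/>
  </testsuite>
</testsuites>
"""


def parse_junit(xml_text):
    """Return one record per <testcase>: control id, name and failure text (None if it passed)."""
    root = ET.fromstring(xml_text)
    results = []
    for case in root.iter("testcase"):
        failure = case.find("failure")
        detail = None
        if failure is not None:
            # Prefer the element body; fall back to the message attribute.
            detail = (failure.text or failure.get("message", "")).strip()
        results.append({"id": case.get("classname", ""),
                        "name": case.get("name", ""),
                        "failure": detail})
    return results


def failure_percent(results):
    """Share of controls that failed, in percent (0.0 for an empty report)."""
    if not results:
        return 0.0
    failed = sum(1 for r in results if r["failure"] is not None)
    return 100.0 * failed / len(results)


def exit_code(results, threshold=0):
    """README threshold rule: exit 1 when the failure percent is above the
    threshold, so the default of 0 fails the job on any failed control."""
    return 1 if failure_percent(results) > threshold else 0


def report_lines(results):
    """One line per control, failed controls first, for the job log."""
    lines = []
    for r in sorted(results, key=lambda r: r["failure"] is None):
        status = "FAIL" if r["failure"] is not None else "PASS"
        line = f"[{status}] {r['id']} {r['name']}"
        if r["failure"]:
            line += f": {r['failure']}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Usage: python check_report.py [results.xml] [threshold]
    # With no arguments the constructed sample report is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    limit = float(sys.argv[2]) if len(sys.argv) > 2 else 0
    found = parse_junit(text)
    print("\n".join(report_lines(found)))
    print(f"failed controls: {failure_percent(found):.1f}% (threshold {limit:g})")
    sys.exit(exit_code(found, limit))
```

Run it as a step after the upload-artifact step, passing results.xml and the same threshold you give the action, so the job log lists the failed controls with their resources even when the scan step itself is configured not to fail the build.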
