Merge pull request #248 from FlowFuse/feat-misconfig-scan

Add scanning for misconfigurations
FlowFuse · Dec 21, 2023 · 63ee657 · 63ee657
2 parents c1e850f + 377a76a
commit 63ee657
Showing 1 changed file with 60 additions and 0 deletions.
diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
@@ -79,3 +79,63 @@ jobs:
       - name: Validate chart
         run: |
           helm template flowforge ./helm/flowforge | kubectl apply --validate=true -f -
+
+  scan:
+    name: Scan chart
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        tool:
+          - checkov
+          # temporary disabled due to https://github.com/zegl/kube-score/issues/559
+          # - kube-score
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3.5
+        with:
+          version: v3.13.2
+
+      - name: Template chart
+        run: |
+          helm template flowforge ./helm/flowforge > ${{ github.workspace }}/templated_chart.yaml
+    
+      - name: Scan chart with checkov
+        if: matrix.tool == 'checkov'
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: ${{ github.workspace }}
+          file: templated_chart.yaml
+          framework: kubernetes
+          output_format: cli,sarif
+          output_file_path: console,results.sarif
+          soft_fail: true
+
+      - name: Install kube-score
+        # temporary disabled due to https://github.com/zegl/kube-score/issues/559
+        if: false
+        uses: yokawasa/action-setup-kube-tools@v0.9.3
+        with:
+          setup-tools: "kube-score"
+          kube-score: '1.17.0'
+
+      - name: Scan chart with kube-score
+        # temporary disabled due to https://github.com/zegl/kube-score/issues/559
+        if: false
+        continue-on-error: true
+        run:
+          kube-score score ${{ github.workspace }}/templated_chart.yaml --output-format sarif > results.sarif
+
+      - name: "Upload SARIF file"
+        if: success() || failure()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif