fix: security pipeline (#1333)

Signed-off-by: odubajDT <ondrej.dubaj@dynatrace.com>
keptn · May 2, 2023 · 79e475c · 79e475c
1 parent 6f59a6c
commit 79e475c
Show file tree

Hide file tree

Showing 3 changed files with 129 additions and 2 deletions.
diff --git a/.github/.kubescape/exceptions.json b/.github/.kubescape/exceptions.json
@@ -79,6 +79,131 @@
         "controlID": "C-0036"
       }
     ]
+  },
+  {
+    "name": "coreDNS poisoning",
+    "policyType": "postureExceptionPolicy",
+    "actions": [
+      "alertOnly"
+    ],
+    "resources": [
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "ServiceAccount",
+          "name": "metrics-operator"
+        }
+      },
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "ServiceAccount",
+          "name": "lifecycle-operator"
+        }
+      },
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "ServiceAccount",
+          "name": "certificate-operator"
+        }
+      }
+    ],
+    "posturePolicies": [
+        {
+            "controlID": "C-0037"
+        }
+    ]
+  },
+  {
+    "name": "data desctruction",
+    "policyType": "postureExceptionPolicy",
+    "actions": [
+      "alertOnly"
+    ],
+    "resources": [
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "ServiceAccount",
+          "name": "keptn-scheduler"
+        }
+      },
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "ServiceAccount",
+          "name": "lifecycle-operator"
+        }
+      }
+    ],
+    "posturePolicies": [
+        {
+            "controlID": "C-0007"
+        }
+    ]
+  },
+  {
+    "name": "malicious webhooks",
+    "policyType": "postureExceptionPolicy",
+    "actions": [
+      "alertOnly"
+    ],
+    "resources": [
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "MutatingWebhookConfiguration",
+          "name": "lifecycle-mutating-webhook-configuration"
+        }
+      }
+    ],
+    "posturePolicies": [
+        {
+            "controlID": "C-0039"
+        }
+    ]
+  },
+  {
+    "name": "server running 2222",
+    "policyType": "postureExceptionPolicy",
+    "actions": [
+      "alertOnly"
+    ],
+    "resources": [
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "Deployment",
+          "name": "lifecycle-operator"
+        }
+      }
+    ],
+    "posturePolicies": [
+        {
+            "controlID": "C-0042"
+        }
+    ]
+  },
+  {
+    "name": "unsigned images",
+    "policyType": "postureExceptionPolicy",
+    "actions": [
+      "alertOnly"
+    ],
+    "resources": [
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "Deployment"
+        }
+      }
+    ],
+    "posturePolicies": [
+        {
+            "controlID": "C-0237"
+        }
+    ]
   }
 ]
 
diff --git a/.github/kics-config.yml b/.github/kics-config.yml
@@ -8,6 +8,7 @@ exclude-queries:
   - 056ac60e-fe07-4acc-9b34-8e1d51716ab9 # ServiceAccount Allows Access Secrets
   - aee3c7d2-a811-4201-90c7-11c028be9a46 # Container Requests Not Equal To It's Limits
   - 8b36775e-183d-4d46-b0f7-96a6f34a723f # Missing AppArmor Profile
+  - 6b896afb-ca07-467a-b256-1a0077a1c08e # RBAC Wildcard In Rule
 
 exclude-results:
   # Similarity IDs can be found in the JSON result file of kics

diff --git a/.github/workflows/security-scans.yml b/.github/workflows/security-scans.yml
@@ -123,7 +123,7 @@ jobs:
 
       - name: KICS Scan
         if: matrix.tool == 'kics'
-        uses: Checkmarx/kics-github-action@v1.6
+        uses: Checkmarx/kics-github-action@v1.6.3
         with:
           path: scans
           config_path: .github/kics-config.yml
@@ -173,7 +173,8 @@ jobs:
           FAILURE_PERCENTAGE: 10
         run: |
           echo "::group::Kubescape installation"
-          curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
+          curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
+          export PATH=$PATH:/home/runner/.kubescape/bin
           echo "::endgroup::"
           # Docs on how to configure exceptions: https://hub.armosec.io/docs/exceptions
           kubescape scan framework ${{ matrix.kubescape-framework }} \