diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4ac9375..b571afb 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -5,7 +5,7 @@ on:
 branches: [ main ]
 paths-ignore:
 - '**.md'
- - '**/example.yaml'
+ - '**/example-*'
 - '*/examples/*'
 jobs:
diff --git a/.github/workflows/example-fix.yaml b/.github/workflows/example-fix.yaml
new file mode 100644
index 0000000..033c3cb
--- /dev/null
+++ b/.github/workflows/example-fix.yaml
@@ -0,0 +1,66 @@
+name: Suggest autofixes with Kubescape
+on: [push, pull_request_target]
+
+jobs:
+ kubescape-fix:
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed only for "push" events
+ contents: write
+ # Needed for both "push" and "pull_request_target" events
+ pull-requests: write
+
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - uses: actions/checkout@v3
+ if: github.event_name == 'pull_request_target'
+ with:
+ fetch-depth: 0
+ ref: ${{github.event.pull_request.head.ref}}
+ repository: ${{github.event.pull_request.head.repo.full_name}}
+ - name: Get changed files
+ id: changed-files
+ uses: tj-actions/changed-files@v35
+ - uses: kubescape/github-action@main
+ with:
+ files: ${{ steps.changed-files.outputs.all_changed_files }}
+ fixFiles: true
+ format: "sarif"
+ - uses: peter-evans/create-pull-request@v4
+ # Remember to allow GitHub Actions to create and approve pull requests
+ # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests
+ if: github.event_name != 'pull_request_target'
+ with:
+ add-paths: |
+ *.yaml
+ commit-message: "chore: fix K8s misconfigurations"
+ title: "[Kubescape] chore: fix K8s misconfigurations"
+ body: |
+ # What this PR changes
+
+ [Kubescape](https://github.com/kubescape/kubescape) has found misconfigurations in the targeted branch. This PR fixes the misconfigurations that have automatic fixes available.
+
+ You may still need to fix misconfigurations that do not have automatic fixes.
+ base: ${{ github.head_ref }}
+ branch: kubescape-auto-fix-${{ github.head_ref || github.ref_name }}
+ delete-branch: true
+ # # Alternatively, you can use reviewdog to replace the code-suggester
+ # - name: PR Suggester
+ # if: github.event_name == 'pull_request_target'
+ # uses: reviewdog/action-suggester@v1
+ # with:
+ # tool_name: Kubescape
+ - name: Clean up kubescape output
+ if: github.event_name == 'pull_request_target'
+ run: rm results.json results.sarif
+ - name: PR Suggester
+ if: github.event_name == 'pull_request_target'
+ uses: googleapis/code-suggester@v2
+ env:
+ ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ command: review
+ pull_number: ${{ github.event.pull_request.number }}
+ git_dir: '.'
diff --git a/.github/workflows/example-scan.yaml b/.github/workflows/example-scan.yaml
new file mode 100644
index 0000000..00dea49
--- /dev/null
+++ b/.github/workflows/example-scan.yaml
@@ -0,0 +1,20 @@
+name: Kubescape scanning for misconfigurations
+on: [push, pull_request]
+jobs:
+ kubescape-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: kubescape/github-action@main
+ continue-on-error: true
+ with:
+ format: sarif
+ outputFile: results.sarif
+ # Kubescape cloud account ID
+ account: ${{secrets.KUBESCAPE_ACCOUNT}}
+ # # Optional - Scan a specific path. Default will scan all
+ # files: "examples/*.yaml"
+ - name: Upload Kubescape scan results to Github Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/example.yaml b/.github/workflows/example.yaml
deleted file mode 100644
index a7c9845..0000000
--- a/.github/workflows/example.yaml
+++ /dev/null
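Review bot: The second checkout step pulls the fork's head (`repository: ${{github.event.pull_request.head.repo.full_name}}`) into a job that runs on `pull_request_target` with `contents: write` and `pull-requests: write` and later hands `secrets.GITHUB_TOKEN` to the code-suggester step, so untrusted pull-request content is processed under a write-scoped token; the README hunks that reproduce this workflow carry the same shape. Two mitigations belong on that checkout: `persist-credentials: false`, so the token is not written into the fork checkout's git config, and `ref: ${{ github.event.pull_request.head.sha }}` in place of `head.ref`, so the run is tied to the reviewed commit rather than a branch name that can move after review. The third-party actions are referenced by mutable tags or a branch (`kubescape/github-action@main`, `tj-actions/changed-files@v35`, `googleapis/code-suggester@v2`); pinning them to full commit SHAs makes what runs here reproducible. Separately, `run: rm results.json results.sarif` fails the job if either file was not produced, while the README copy of this step uses `rm -f`; `rm -f results.json results.sarif` is the form the two should share. The README copy of the kubescape step also keeps `account: ${{secrets.KUBESCAPE_ACCOUNT}}`, which this example omits; whichever is intended, the two copies should agree.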
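Review bot: The `kubescape-scan` job declares no `permissions:` block, yet the `github/codeql-action/upload-sarif@v2` step needs `security-events: write` on the token; with restricted default token permissions the upload fails after the scan has already run, so add at job level `permissions:` with `contents: read` and `security-events: write`, as example-fix.yaml does for its own scopes. The scan step carries `continue-on-error: true`, which hides a scanner failure and then lets the upload run against a missing `results.sarif`; a guard such as `if: hashFiles('results.sarif') != ''` on the upload step would make that case explicit instead of a second red step. `kubescape/github-action@main` tracks a moving branch; a commit-SHA pin is the reproducible reference.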
@@ -1,56 +0,0 @@ -name: Kubescape scanning for misconfigurations -on: [push, pull_request] -jobs: - kubescape: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: kubescape/github-action@main - continue-on-error: true - with: - format: sarif - outputFile: results.sarif - # Kubescape cloud account ID - account: ${{secrets.KUBESCAPE_ACCOUNT}} - # # Optional - Scan a specific path. Default will scan all - # files: "examples/*.yaml" - - name: Upload Kubescape scan results to Github Code Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: results.sarif - ---- - -name: Suggest autofixes with Kubescape -on: [pull_request] -jobs: - kubescape: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v14.6 - - uses: kubescape/github-action@main - with: - account: ${{secrets.KUBESCAPE_ACCOUNT}} - files: ${{ steps.changed-files.outputs.all_changed_files }} - fixFiles: true - format: "sarif" - - uses: peter-evans/create-pull-request@v4 - with: - add-paths: | - *.yaml - commit-message: "chore: fix K8s misconfigurations" - title: "[Kubescape] chore: fix K8s misconfigurations" - body: | - # What this PR changes - - [Kubescape](https://github.com/kubescape/kubescape) has found misconfigurations in the targeted branch. This PR fixes the misconfigurations that have automatic fixes available. - - You may still need to fix misconfigurations that do not have automatic fixes. - base: ${{ github.head_ref }} - branch: kubescape-auto-fix-${{ github.head_ref || github.ref_name }} - delete-branch: true diff --git a/README.md b/README.md index 0226953..d21fbd3 100644 --- a/README.md +++ b/README.md 
@@ -39,21 +39,34 @@ You can then see the results in the Pull Request that triggered the scan and the ### Automatically Suggest Fixes -To make Kubescape automatically suggest fixes to your pushes and pull requests, use the following workflow: +To make Kubescape automatically suggest fixes to your pushes (by opening new PRs) and pull requests (by code review), use the following workflow: ```yaml name: Suggest autofixes with Kubescape -on: [pull_request] +on: [push, pull_request_target] + jobs: kubescape: runs-on: ubuntu-latest + permissions: + # Needed only for "push" events + contents: write + # Needed for both "push" and "pull_request_target" events + pull-requests: write + steps: - uses: actions/checkout@v3 with: fetch-depth: 0 + - uses: actions/checkout@v3 + if: github.event_name == 'pull_request_target' + with: + fetch-depth: 0 + ref: ${{github.event.pull_request.head.ref}} + repository: ${{github.event.pull_request.head.repo.full_name}} - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v14.6 + uses: tj-actions/changed-files@v35 - uses: kubescape/github-action@main with: account: ${{secrets.KUBESCAPE_ACCOUNT}} @@ -61,6 +74,9 @@ jobs: fixFiles: true format: "sarif" - uses: peter-evans/create-pull-request@v4 + # Remember to allow GitHub Actions to create and approve pull requests + # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests + if: github.event_name != 'pull_request_target' with: add-paths: | *.yaml 
@@ -75,6 +91,24 @@ jobs: base: ${{ github.head_ref }} branch: kubescape-auto-fix-${{ github.head_ref || github.ref_name }} delete-branch: true + # # Alternatively, you can use reviewdog to replace the code-suggester below + # - name: PR Suggester + # if: github.event_name == 'pull_request_target' + # uses: reviewdog/action-suggester@v1 + # with: + # tool_name: Kubescape + - name: Clean up kubescape output + if: github.event_name == 'pull_request_target' + run: rm -f results.json results.sarif + - name: PR Suggester + if: github.event_name == 'pull_request_target' + uses: googleapis/code-suggester@v2 + env: + ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + command: review + pull_number: ${{ github.event.pull_request.number }} + git_dir: '.' ``` Please note that since Kubescape provides automatic fixes only to the rendered YAML manifests, the workflow above will not produce correct fixes for Helm charts.