Support for code reviews instead with PRs

.github/workflows/build.yaml

@@ -5,7 +5,7 @@ on:
     branches: [ main ]
     paths-ignore:
       - '**.md'
-      - '**/example.yaml'
+      - '**/example-*'
       - '*/examples/*'
 jobs:
 

.github/workflows/example-fix.yaml

@@ -0,0 +1,66 @@
+name: Suggest autofixes with Kubescape
+on: [push, pull_request_target]
+
+jobs:
+  kubescape-fix:
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed only for "push" events
+      contents: write
+      # Needed for both "push" and "pull_request_target" events
+      pull-requests: write
+
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+    - uses: actions/checkout@v3
+      if: github.event_name == 'pull_request_target'
+      with:
+        fetch-depth: 0
+        ref: ${{github.event.pull_request.head.ref}}
+        repository: ${{github.event.pull_request.head.repo.full_name}}
+    - name: Get changed files
+      id: changed-files
+      uses: tj-actions/changed-files@v35
+    - uses: kubescape/github-action@main
+      with:
+        files: ${{ steps.changed-files.outputs.all_changed_files }}
+        fixFiles: true
+        format: "sarif"
+    - uses: peter-evans/create-pull-request@v4
+      # Remember to allow GitHub Actions to create and approve pull requests
+      # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests
+      if: github.event_name != 'pull_request_target'
+      with:
+        add-paths: |
+          *.yaml
+        commit-message: "chore: fix K8s misconfigurations"
+        title: "[Kubescape] chore: fix K8s misconfigurations"
+        body: |
+          # What this PR changes
+
+          [Kubescape](https://github.com/kubescape/kubescape) has found misconfigurations in the targeted branch. This PR fixes the misconfigurations that have automatic fixes available.
+
+          You may still need to fix misconfigurations that do not have automatic fixes.
+        base: ${{ github.head_ref }}
+        branch: kubescape-auto-fix-${{ github.head_ref || github.ref_name }}
+        delete-branch: true
+    # # Alternatively, you can use reviewdog to replace the code-suggester
+    # - name: PR Suggester
+    #   if: github.event_name == 'pull_request_target'
+    #   uses: reviewdog/action-suggester@v1
+    #   with:
+    #     tool_name: Kubescape
+    - name: Clean up kubescape output
+      if: github.event_name == 'pull_request_target'
+      run: rm results.json results.sarif
+    - name: PR Suggester
+      if: github.event_name == 'pull_request_target'
+      uses: googleapis/code-suggester@v2
+      env:
+        ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        command: review
+        pull_number: ${{ github.event.pull_request.number }}
+        git_dir: '.'

.github/workflows/example-scan.yaml

@@ -0,0 +1,20 @@
+name: Kubescape scanning for misconfigurations
+on: [push, pull_request]
+jobs:
+  kubescape-scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: kubescape/github-action@main
+      continue-on-error: true
+      with:
+        format: sarif
+        outputFile: results.sarif
+        # Kubescape cloud account ID
+        account: ${{secrets.KUBESCAPE_ACCOUNT}}
+        # # Optional - Scan a specific path. Default will scan all
+        # files: "examples/*.yaml"
+    - name: Upload Kubescape scan results to Github Code Scanning
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: results.sarif

README.md

@@ -39,28 +39,44 @@ You can then see the results in the Pull Request that triggered the scan and the
 
 ### Automatically Suggest Fixes
 
-To make Kubescape automatically suggest fixes to your pushes and pull requests, use the following workflow:
+To make Kubescape automatically suggest fixes to your pushes (by opening new PRs) and pull requests (by code review), use the following workflow:
 
 ```yaml
 name: Suggest autofixes with Kubescape
-on: [pull_request]
+on: [push, pull_request_target]
+
 jobs:
   kubescape:
     runs-on: ubuntu-latest
+    permissions:
+      # Needed only for "push" events
+      contents: write
+      # Needed for both "push" and "pull_request_target" events
+      pull-requests: write
+
     steps:
     - uses: actions/checkout@v3
       with:
         fetch-depth: 0
+    - uses: actions/checkout@v3
+      if: github.event_name == 'pull_request_target'
+      with:
+        fetch-depth: 0
+        ref: ${{github.event.pull_request.head.ref}}
+        repository: ${{github.event.pull_request.head.repo.full_name}}
     - name: Get changed files
       id: changed-files
-      uses: tj-actions/changed-files@v14.6
+      uses: tj-actions/changed-files@v35
     - uses: kubescape/github-action@main
       with:
         account: ${{secrets.KUBESCAPE_ACCOUNT}}
         files: ${{ steps.changed-files.outputs.all_changed_files }}
         fixFiles: true
         format: "sarif"
     - uses: peter-evans/create-pull-request@v4
+      # Remember to allow GitHub Actions to create and approve pull requests
+      # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests
+      if: github.event_name != 'pull_request_target'
       with:
         add-paths: |
           *.yaml
@@ -75,6 +91,24 @@ jobs:
         base: ${{ github.head_ref }}
         branch: kubescape-auto-fix-${{ github.head_ref || github.ref_name }}
         delete-branch: true
+    # # Alternatively, you can use reviewdog to replace the code-suggester below
+    # - name: PR Suggester
+    #   if: github.event_name == 'pull_request_target'
+    #   uses: reviewdog/action-suggester@v1
+    #   with:
+    #     tool_name: Kubescape
+    - name: Clean up kubescape output
+      if: github.event_name == 'pull_request_target'
+      run: rm -f results.json results.sarif
+    - name: PR Suggester
+      if: github.event_name == 'pull_request_target'
+      uses: googleapis/code-suggester@v2
+      env:
+        ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        command: review
+        pull_number: ${{ github.event.pull_request.number }}
+        git_dir: '.'
 ```
 
 Please note that since Kubescape provides automatic fixes only to the rendered YAML manifests, the workflow above will not produce correct fixes for Helm charts.