Merge pull request #8 from armosec/dev

Dev

.github/workflows/build.yaml

@@ -29,7 +29,6 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
       - uses: actions/checkout@v1
-
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
@@ -57,3 +56,33 @@ jobs:
           asset_path: build/${{ matrix.os }}/kubescape
           asset_name: kubescape-${{ matrix.os }}
           asset_content_type: application/octet-stream
+
+
+  build-docker:
+    name: Build docker container, tag and upload to registry
+    needs: build
+    if: ${{ github.repository == 'armosec/kubescape' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set name
+        run: echo quay.io/armosec/kubescape:v1.0.${{ github.run_number }} > build_tag.txt
+
+      - name: Build the Docker image
+        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt)
+
+      - name: Re-Tag Image to latest
+        run: docker tag $(cat build_tag.txt) quay.io/armosec/kubescape:latest
+
+      - name: Login to Quay.io
+        env: # Or as an environment variable
+          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
+      - name: Push Docker image
+        run: |
+          docker push $(cat build_tag.txt)
+          docker push quay.io/armosec/kubescape:latest
+        

.github/workflows/build_dev.yaml

@@ -3,9 +3,6 @@ name: build-dev
 on:
   push:
     branches: [ dev ]
-  pull_request:
-    branches: [ dev ]
-    types: [ closed ]
 jobs:
   build:
     name: Create cross-platform dev build
@@ -38,3 +35,31 @@ jobs:
         with:
           name: kubescape-${{ matrix.os }}
           path: build/${{ matrix.os }}/kubescape 
+
+
+  build-docker:
+    name: Build docker container, tag and upload to registry
+    needs: build
+    if: ${{ github.repository == 'armosec/kubescape' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set name
+        run: echo quay.io/armosec/kubescape:dev-v1.0.${{ github.run_number }} > build_tag.txt
+
+      - name: Build the Docker image
+        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt)
+
+      - name: Login to Quay.io
+        env: # Or as an environment variable
+          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
+
+      - name: Push Docker image
+        run: |
+          docker push $(cat build_tag.txt)
+    
+

README.md

@@ -3,9 +3,12 @@
 [![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/armosec/kubescape)](https://goreportcard.com/report/github.com/armosec/kubescape)
 
-Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
+Kubescape is the first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks:
+regulatory, customized company policies and DevSecOps best practices, such as the  [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo) and the [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) .  
+Kubescape scans K8s clusters, YAML files, and HELM charts, and detect misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline and provides a risk score instantly and risk trends over time.
+Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI and Github workflows.
 
-Use Kubescape to test clusters or scan single YAML files and integrate it to your processes.
+</br>
 
 <img src="docs/demo.gif">
 
@@ -118,7 +121,7 @@ kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --form
 kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
 ```
 
-* Scan with exceptions, objects with exceptions will be presented as `warning` and not `fail`  <img src="docs/new-feature.svg">
+* Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
 ```
 kubescape scan framework nsa --exceptions examples/exceptions.json
 ```

build/Dockerfile

@@ -1,13 +1,25 @@
 FROM golang:1.17-alpine as builder
-ENV GOPROXY=https://goproxy.io,direct
-ENV GO111MODULE=on
+#ENV GOPROXY=https://goproxy.io,direct
+ENV GO111MODULE=
+
+ENV CGO_ENABLED=0
+
+# Install required python/pip
+ENV PYTHONUNBUFFERED=1
+RUN apk add --update --no-cache python3 && ln -sf python3 /usr/bin/python
+RUN python3 -m ensurepip
+RUN pip3 install --no-cache --upgrade pip setuptools
 
 WORKDIR /work
 ADD . .
-RUN GOOS=linux CGO_ENABLED=0 go build -ldflags="-s -w " -installsuffix cgo  -o kubescape .
+
+RUN python build.py
+
+RUN ls -ltr build/ubuntu-latest
+RUN cat /work/build/ubuntu-latest/kubescape.sha1
 
 FROM alpine
-COPY --from=builder /work/kubescape /usr/bin/kubescape
+COPY --from=builder /work/build/ubuntu-latest/kubescape /usr/bin/kubescape
 
 # # Download the frameworks. Use the "--use-default" flag when running kubescape
 # RUN kubescape download framework nsa && kubescape download framework mitre