diff --git a/Dockerfile b/Dockerfile index 9a358518867..9fe4b56972b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,6 +12,7 @@ FROM alpine/terragrunt:1.8.4 as terragrunt FROM dotenvlinter/dotenv-linter:3.3.0 as dotenv-linter FROM ghcr.io/terraform-linters/tflint:v0.51.1 as tflint FROM ghcr.io/yannh/kubeconform:v0.6.6 as kubeconfrm +FROM alpine/helm:3.14.4 as helm FROM golang:1.22.3-alpine as golang FROM golangci/golangci-lint:v1.59.0 as golangci-lint FROM goreleaser/goreleaser:v1.26.2 as goreleaser @@ -259,6 +260,11 @@ COPY dependencies/google-java-format /google-java-format RUN --mount=type=secret,id=GITHUB_TOKEN /install-google-java-format.sh \ && rm -rfv /install-google-java-format.sh /google-java-format +################ +# Install Helm # +################ +COPY --from=helm /usr/bin/helm /usr/bin/ + # Copy Node tools COPY --from=npm-builder /node_modules /node_modules diff --git a/test/inspec/super-linter/controls/super_linter.rb b/test/inspec/super-linter/controls/super_linter.rb index 5037a3f817a..0f913de15cf 100644 --- a/test/inspec/super-linter/controls/super_linter.rb +++ b/test/inspec/super-linter/controls/super_linter.rb @@ -160,6 +160,7 @@ { linter_name: "goreleaser"}, { linter_name: "google-java-format", version_command: "java -jar /usr/bin/google-java-format --version"}, { linter_name: "hadolint"}, + { linter_name: "helm"}, # not used as linter, needed for checkov's helm framework { linter_name: "htmlhint"}, { linter_name: "isort"}, { linter_name: "jscpd"}, @@ -510,7 +511,8 @@ "/action/lib/.automation/.yaml-lint.yml", "/action/lib/.automation/phpcs.xml", "/action/lib/.automation/phpstan.neon", - "/action/lib/.automation/psalm.xml" + "/action/lib/.automation/psalm.xml", + "/usr/bin/helm", # needed for checkov's helm framework ] files.each do |item| diff --git a/test/linters/checkov/bad/bad_chart/Chart.yaml b/test/linters/checkov/bad/bad_chart/Chart.yaml new file mode 100644 index 00000000000..ce3f59c1101 --- /dev/null +++ b/test/linters/checkov/bad/bad_chart/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: bad_chart +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/test/linters/checkov/bad/bad_chart/templates/deployment.yaml b/test/linters/checkov/bad/bad_chart/templates/deployment.yaml new file mode 100644 index 00000000000..91c6fb6aa74 --- /dev/null +++ b/test/linters/checkov/bad/bad_chart/templates/deployment.yaml @@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-deployment +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: test + template: + metadata: + labels: + app: test + spec: + serviceAccountName: {{ .Values.serviceAccount.name }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http diff --git a/test/linters/checkov/bad/bad_chart/values.yaml b/test/linters/checkov/bad/bad_chart/values.yaml new file mode 100644 index 00000000000..70bda6e84c6 --- /dev/null +++ b/test/linters/checkov/bad/bad_chart/values.yaml @@ -0,0 +1,14 @@ +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + tag: "" + +serviceAccount: + create: true + automount: true + name: "test" + +service: + port: 80 diff --git a/test/linters/checkov/good/good_chart/Chart.yaml b/test/linters/checkov/good/good_chart/Chart.yaml new file mode 100644 index 00000000000..460218a7adc --- /dev/null +++ b/test/linters/checkov/good/good_chart/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: good_chart +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/test/linters/checkov/good/good_chart/templates/deployment.yaml b/test/linters/checkov/good/good_chart/templates/deployment.yaml new file mode 100644 index 00000000000..c39318cf8bc --- /dev/null +++ b/test/linters/checkov/good/good_chart/templates/deployment.yaml @@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-deployment + namespace: test +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: test + template: + metadata: + labels: + app: test + spec: + serviceAccountName: {{ .Values.serviceAccount.name }} + automountServiceAccountToken: {{ .Values.serviceAccount.automount }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}@{{ .Values.image.digest }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} diff --git a/test/linters/checkov/good/good_chart/values.yaml b/test/linters/checkov/good/good_chart/values.yaml new file mode 100644 index 00000000000..56067f625fd --- /dev/null +++ b/test/linters/checkov/good/good_chart/values.yaml @@ -0,0 +1,36 @@ +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + tag: "" + digest: "bXlzdXBlcnNlY3JldGhpZGRlbnN0cmluZwo" + +serviceAccount: + create: true + automount: false + name: "test" + +podSecurityContext: + seccompProfile: + type: RuntimeDefault + +securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 10001 + +service: + port: 80 + +resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi