From d0e9bd8e6649c97555127e9dd7c613bed72f42b8 Mon Sep 17 00:00:00 2001 From: Vlad Klokun Date: Wed, 19 Jul 2023 23:40:39 +0300 Subject: [PATCH 01/27] feat(imagescan): support image scanning This commit adds support for image scanning available in the latest Kubescape version. Signed-off-by: Vlad Klokun --- .github/workflows/example-scan-image.yaml | 22 +++++++++ Dockerfile | 3 +- action.yml | 16 +++++++ entrypoint.sh | 54 +++++++++++++++++++++-- 4 files changed, 91 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/example-scan-image.yaml diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml new file mode 100644 index 0000000..25c2d46 --- /dev/null +++ b/.github/workflows/example-scan-image.yaml @@ -0,0 +1,22 @@ +name: Kubescape scanning for image vulnerabilities +on: [push, pull_request] +jobs: + kubescape-scan-image: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - uses: actions/checkout@v3 + - uses: kubescape/github-action@main + with: + image: "nginx" + # # Username for a private registry with the image + # registryUsername: ${{secrets.KUBESCAPE_REGISTRY_USERNAME}} + # # Password for a private registry with the image + # registryPassword: ${{secrets.KUBESCAPE_REGISTRY_PASSWORD}} + # # Fail at or above the specified vulnerability severity threshold + # severityThreshold: "critical" + # Kubescape cloud account ID + # account: ${{secrets.KUBESCAPE_ACCOUNT}} diff --git a/Dockerfile b/Dockerfile index 4e55c9c..f5dd5ca 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,5 @@ -FROM quay.io/kubescape/kubescape:v2.3.8 +# TODO(vladklokun): bump to a Kubescape version with image scanning support +FROM quay.io/kubescape/kubescape:CHANGEME # Kubescape uses root privileges for writing the results to a file USER root diff --git a/action.yml b/action.yml index c49bd04..91617db 100644 --- a/action.yml +++ b/action.yml 
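Review bot: The new workflow pins both actions to mutable refs, `uses: actions/checkout@v3` and `uses: kubescape/github-action@main`, so anyone who copies this example (the README reproduces it verbatim) runs whatever those refs resolve to at job time rather than a reviewed revision. For a workflow that is granted `security-events: write`, pinning third-party actions to a full commit SHA with the tag in a trailing comment is the usual hardening, and the same applies to `github/codeql-action/upload-sarif@v2` added to this file later in the series. If `@main` is kept on purpose so the example tracks the repository's own head, a comment above the `uses:` line saying so would stop readers from treating it as the recommended form.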
@@ -79,6 +79,22 @@ inputs: use these fixes to open Pull Requests from your CI/CD pipeline. required: false default: "false" + image: + description: | + An image to scan. + + This option runs an image scan instead of the usual configuration scan. + + Example: "nginx" or "bitnami/redis" or "quay.io/kubescape/kubescape" + required: false + registryUsername: + description: | + A username for a private registry that contains the image to be scanned. + required: false + registryPassword: + description: | + A password for a private registry that contains the image to be scanned. + required: false runs: using: docker image: Dockerfile diff --git a/entrypoint.sh b/entrypoint.sh index 51a5c6a..0a948dc 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -20,7 +20,21 @@ set -e export KS_CLIENT="github_actions" if [ -n "${INPUT_FRAMEWORKS}" ] && [ -n "${INPUT_CONTROLS}" ]; then - echo "Framework and Control is specified. Please specify either one of them or neither" + echo "Framework and Control are specified. Please specify either one of them or neither" + exit 1 +fi + +if [ -n "${INPUT_FRAMEWORKS}" ] && [ -n "${INPUT_IMAGE}" ] || [ -n "${INPUT_CONTROLS}" ] && [ -n "${INPUT_IMAGE}" ] ; then + errmsg="Image and Framework / Control are specified. Kubescape does not support scanning both at the moment." + errmsg="${errmsg} Please specify either one of them or neither." + echo "${errmsg}" + exit 1 +fi + +if [ -n "${INPUT_IMAGE}" ] && [ "${INPUT_FIXFILES}" = "true" ]; then + errmsg="The run requests both an image scan and file fix suggestions. Kubescape does not support fixing image scan results at the moment." + errmsg="${errmsg} Please specify either one of them or neither." + echo "${errmsg}" exit 1 fi 
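Review bot: The `registryPassword` description says what the value is but not how it is handled: entrypoint.sh places it on the kubescape command line as `--password=…`, so it should always come from a repository secret and must not contain shell metacharacters. Extend the description with something like `Supply this from a secret, e.g. ${{ secrets.REGISTRY_PASSWORD }}; the value is passed to Kubescape as a command-line flag.`, and say the same for `registryUsername`. The `image` description could also state that it cannot be combined with the frameworks, controls or fix-files inputs (`INPUT_FRAMEWORKS`, `INPUT_CONTROLS`, `INPUT_FIXFILES`), since entrypoint.sh rejects those combinations and users will otherwise discover it only at run time.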
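Review bot: The new guard `if [ -n "${INPUT_FRAMEWORKS}" ] && [ -n "${INPUT_IMAGE}" ] || [ -n "${INPUT_CONTROLS}" ] && [ -n "${INPUT_IMAGE}" ] ; then` relies on POSIX sh giving `&&` and `||` equal precedence with left-to-right evaluation; it does reduce to "image and (frameworks or controls)", but only by that associativity, which is not obvious to a reader. Writing it as `if [ -n "${INPUT_IMAGE}" ] && { [ -n "${INPUT_FRAMEWORKS}" ] || [ -n "${INPUT_CONTROLS}" ]; }; then` states the intent directly. There is also no check for `INPUT_FILES` together with `INPUT_IMAGE`: the image branch later overwrites `scan_input`, so a `files` input is silently ignored instead of being rejected like the other conflicting inputs. The script continues outside the hunk.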
@@ -42,7 +56,7 @@ fi frameworks_cmd=$([ -n "${INPUT_FRAMEWORKS}" ] && echo "framework ${INPUT_FRAMEWORKS}" || echo "") controls_cmd=$([ -n "${INPUT_CONTROLS}" ] && echo control "${controls}" || echo "") -files=$([ -n "${INPUT_FILES}" ] && echo "${INPUT_FILES}" || echo .) +scan_input=$([ -n "${INPUT_FILES}" ] && echo "${INPUT_FILES}" || echo .) output_formats="${INPUT_FORMAT}" have_json_format="false" 
@@ -96,8 +110,42 @@ severity_threshold_opt=$( echo "" ) +# Handle image scanning request +image_subcmd="" +if [ -n "${INPUT_IMAGE}" ]; then + + # By default, assume we are not authenticated. This means we can pull public + # images from the container runtime daemon + image_arg="${INPUT_IMAGE}" + + severity_threshold_opt=$( + [ -n "${INPUT_SEVERITYTHRESHOLD}" ] && + echo --severity-threshold "${INPUT_SEVERITYTHRESHOLD}" || + echo "" + ) + + auth_opts="" + if [ -n "${INPUT_REGISTRYUSERNAME}" ] && [ -n "${INPUT_REGISTRYPASSWORD}" ]; then + auth_opts="--username=${INPUT_REGISTRYUSERNAME} --password=${INPUT_REGISTRYPASSWORD}" + + # When trying to authenticate, we cannot assume that the runner has access + # to an *authenticated* container runtime daemon, so we should always try + # to pull images from the registry + image_arg="registry://${image_arg}" + else + echo "NOTICE: Received no registry credentials, pulling without authentication." + printf "Hint: If you provide credentials, make sure you include both the username and password.\n\n" + fi + + # Build the image scanning subcommand with options + image_subcmd="image ${auth_opts}" + # Override the scan input + scan_input="${image_arg}" + echo "Scan subcommand: ${image_subcmd}" +fi + # TODO: include artifacts_opt once https://github.com/kubescape/kubescape/issues/1040 is resolved -scan_command="kubescape scan ${frameworks_cmd} ${controls_cmd} ${files} ${account_opt} ${fail_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions} ${controls-config}" +scan_command="kubescape scan ${image_subcmd} ${frameworks_cmd} ${controls_cmd} ${scan_input} ${account_opt} ${fail_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions} ${controls-config}" echo "${scan_command}" eval "${scan_command}" From fc084ddc8e31f174e232ed3e327b3195035bba28 Mon Sep 17 00:00:00 2001 
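Review bot: `auth_opts="--username=${INPUT_REGISTRYUSERNAME} --password=${INPUT_REGISTRYPASSWORD}"` puts the registry password into `image_subcmd` and `scan_command`, and both are printed — `echo "Scan subcommand: ${image_subcmd}"` in this hunk and the existing `echo "${scan_command}"` below it — so the credential lands in the job log whenever the caller did not route it through `${{ secrets.* }}` (GitHub masks only values it knows as secrets, and only exact matches). Drop the new `echo "Scan subcommand: …"` line and print a redacted command instead, e.g. `echo "${scan_command}" | sed 's/--password=[^ ]*/--password=<redacted>/'`. The same values are then expanded unquoted through `eval`, so a username or password containing spaces or shell metacharacters is split or interpreted rather than passed through; single-quoting them inside `auth_opts` (`--username='${INPUT_REGISTRYUSERNAME}'`) covers everything except a literal `'`, and the restriction should be stated in the input descriptions either way. Minor: the `severity_threshold_opt=$( … )` block inside the `if` appears to repeat the assignment visible just above the hunk and can probably be dropped.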
From: Vlad Klokun Date: Wed, 19 Jul 2023 23:52:20 +0300 Subject: [PATCH 02/27] docs(imagescan): document image scanning in the README Signed-off-by: Vlad Klokun --- README.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/README.md b/README.md index a2af531..0c60bd0 100644 --- a/README.md +++ b/README.md @@ -132,6 +132,37 @@ Please note that since Kubescape provides automatic fixes only to the rendered Y The next important thing to note is that Kubescape only fixes the files. It does not open pull requests or generate code reviews on its own. +### Scanning images + +The Kubescape Github Action is also able to scan images. But you should be aware that image scanning cannot run in parallel with configuration scanning and file fixing at the moment. If you would like to run both image and configuration scanning, you should define at least two separate steps with the same action but different arguments: one for image scanning and the other for configuration scanning. + +To scan a container image with a Kubescape Github Action, use the following workflow definition, keeping in mind that you need to replace `image: "nginx"` with the appropriate image name: + +```yaml +name: Kubescape scanning for image vulnerabilities +on: [push, pull_request] +jobs: + kubescape-scan-image: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - uses: actions/checkout@v3 + - uses: kubescape/github-action@main + with: + image: "nginx" + # # Username for a private registry with the image + # registryUsername: ${{secrets.KUBESCAPE_REGISTRY_USERNAME}} + # # Password for a private registry with the image + # registryPassword: ${{secrets.KUBESCAPE_REGISTRY_PASSWORD}} + # # Fail at or above the specified vulnerability severity threshold + # severityThreshold: "critical" + # Kubescape cloud account ID + # account: ${{secrets.KUBESCAPE_ACCOUNT}} +``` + ## Inputs | Name | Description | Required | 
@@ -146,6 +177,10 @@ The next important thing to note is that Kubescape only fixes the files. It does | verbose | Display all of the input resources and not only failed resources. Default is off | No | | exceptions | The JSON file containing at least one resource and one policy. Refer [exceptions](https://hub.armo.cloud/docs/exceptions) docs for more info. Objects with exceptions will be presented as exclude and not fail. | No | | controlsConfig | The file containing controls configuration. Use `kubescape download controls-inputs` to download the configured controls-inputs. | No | +| image | The image you wish to scan. Launches an image scan, which cannot run together with configuration scans. | No | +| registryUsername | Username to a private registry that hosts the scanned image. | No | +| registryPassword | Password to a private registry that hosts the scanned image. | No | + ## Examples From 4ab89ba2e0dd2db581c3bdfacbcdc7044b673292 Mon Sep 17 00:00:00 2001 From: Vlad Klokun Date: Thu, 17 Aug 2023 14:20:03 +0300 Subject: [PATCH 03/27] chore(dockerfile): bump Kubescape version Signed-off-by: Vlad Klokun --- .github/workflows/example-scan-image.yaml | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml index 25c2d46..d910eeb 100644 --- a/.github/workflows/example-scan-image.yaml +++ b/.github/workflows/example-scan-image.yaml @@ -9,7 +9,7 @@ jobs: security-events: write steps: - uses: actions/checkout@v3 - - uses: kubescape/github-action@main + - uses: kubescape/github-action@feat-image-scanning with: image: "nginx" # # Username for a private registry with the image diff --git a/Dockerfile b/Dockerfile index f5dd5ca..fc4053a 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,5 +1,5 @@ # TODO(vladklokun): bump to a Kubescape version with image scanning support -FROM quay.io/kubescape/kubescape:CHANGEME +FROM quay.io/kubescape/kubescape:v2.9.0 # Kubescape uses root privileges for writing the results to a file USER root From 438b69ed0b14202be9fd10f7b412f8ea958e08d8 Mon Sep 17 00:00:00 2001 From: Vlad Klokun Date: Thu, 17 Aug 2023 14:54:16 +0300 Subject: [PATCH 04/27] fix(imagescan): base on a non-distroless image Previously we used a distroless image as a base. This image does not provide a shell, so we cannot run the `entrypoint.sh` script. This commit changes the Dockerfile to use a non-distroless base image so we can run the entry point script. Signed-off-by: Vlad Klokun --- .github/workflows/example-scan-image.yaml | 1 + Dockerfile | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml index d910eeb..2216574 100644 --- a/.github/workflows/example-scan-image.yaml +++ b/.github/workflows/example-scan-image.yaml @@ -12,6 +12,7 @@ jobs: - uses: kubescape/github-action@feat-image-scanning with: image: "nginx" + format: "pretty-printer" # # Username for a private registry with the image # registryUsername: ${{secrets.KUBESCAPE_REGISTRY_USERNAME}} # # Password for a private registry with the image diff --git a/Dockerfile b/Dockerfile index fc4053a..f16681f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # TODO(vladklokun): bump to a Kubescape version with image scanning support -FROM quay.io/kubescape/kubescape:v2.9.0 +FROM quay.io/kubescape/kubescape:v2.0.9-ghactions # Kubescape uses root privileges for writing the results to a file USER root From 9ac828328fc61af4d08ddab52f647d38a15e34eb Mon Sep 17 00:00:00 2001 From: Vlad Klokun Date: Thu, 17 Aug 2023 15:02:46 +0300 Subject: [PATCH 05/27] wip: chore: remove controlsconfig to fix weird behavior 
Signed-off-by: Vlad Klokun --- entrypoint.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 0a948dc..6892313 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -13,9 +13,11 @@ contains() { *) return 1 ;; esac } +echo "INSIDE ENTRYPOINT" set -e + # Kubescape uses the client name to make a request for checking for updates export KS_CLIENT="github_actions" @@ -112,6 +114,7 @@ severity_threshold_opt=$( # Handle image scanning request image_subcmd="" +echo "image is <${INPUT_IMAGE}>" if [ -n "${INPUT_IMAGE}" ]; then # By default, assume we are not authenticated. This means we can pull public @@ -145,7 +148,7 @@ if [ -n "${INPUT_IMAGE}" ]; then fi # TODO: include artifacts_opt once https://github.com/kubescape/kubescape/issues/1040 is resolved -scan_command="kubescape scan ${image_subcmd} ${frameworks_cmd} ${controls_cmd} ${scan_input} ${account_opt} ${fail_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions} ${controls-config}" +scan_command="kubescape scan ${image_subcmd} ${frameworks_cmd} ${controls_cmd} ${scan_input} ${account_opt} ${fail_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions}" echo "${scan_command}" eval "${scan_command}" From 19014e9c326c11c7c5322debd0bfb3506bdfba76 Mon Sep 17 00:00:00 2001 From: Vlad Klokun Date: Thu, 17 Aug 2023 15:05:11 +0300 Subject: [PATCH 06/27] fix: try to fix the controls config Signed-off-by: Vlad Klokun --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 6892313..5429c0a 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
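Review bot: `echo "image is <${INPUT_IMAGE}>"` in the second hunk is a debugging print; the commit is marked WIP, but the follow-up in patch 07 removes only `echo "INSIDE ENTRYPOINT"` from the first hunk, so this line survives into the final state of the series. Remove it, or fold the value into the existing `NOTICE:` message inside the image branch if it is useful to operators. On the third hunk, `${controls-config}` is a POSIX default-value expansion (variable `controls`, falling back to the literal `config`), which is presumably the "weird behavior" the title refers to; patch 06 replaces it with `${controls_config}`, and a short comment there saying why would stop someone from reintroducing the hyphenated form.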
@@ -148,7 +148,7 @@ if [ -n "${INPUT_IMAGE}" ]; then fi # TODO: include artifacts_opt once https://github.com/kubescape/kubescape/issues/1040 is resolved -scan_command="kubescape scan ${image_subcmd} ${frameworks_cmd} ${controls_cmd} ${scan_input} ${account_opt} ${fail_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions}" +scan_command="kubescape scan ${image_subcmd} ${frameworks_cmd} ${controls_cmd} ${scan_input} ${account_opt} ${fail_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions} ${controls_config}" echo "${scan_command}" eval "${scan_command}" From 152223a7015aa2b2703d876380dae1b8b641044e Mon Sep 17 00:00:00 2001 From: Vlad Klokun Date: Thu, 17 Aug 2023 15:06:51 +0300 Subject: [PATCH 07/27] chore: remove debugging echo command Signed-off-by: Vlad Klokun --- entrypoint.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 5429c0a..0e52907 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -13,11 +13,9 @@ contains() { *) return 1 ;; esac } -echo "INSIDE ENTRYPOINT" set -e - # Kubescape uses the client name to make a request for checking for updates export KS_CLIENT="github_actions" From 2ccea9e9f3ff56a533ad1b088ddc792eeb42a9d9 Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Mon, 16 Oct 2023 13:13:21 +0300 Subject: [PATCH 08/27] update img Signed-off-by: Daniel Grunberger --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f16681f..769a039 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # TODO(vladklokun): bump to a Kubescape version with image scanning support -FROM quay.io/kubescape/kubescape:v2.0.9-ghactions +FROM quay.io/kubescape/kubescape:v2.9.2 # Kubescape uses root privileges for writing the results to a file USER root From ca353971bcb6d842190edd2a553ad55abf6d3399 Mon Sep 17 00:00:00 2001 
From: Daniel Grunberger Date: Mon, 16 Oct 2023 13:16:12 +0300 Subject: [PATCH 09/27] use latest release Signed-off-by: Daniel Grunberger --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 769a039..a5de772 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # TODO(vladklokun): bump to a Kubescape version with image scanning support -FROM quay.io/kubescape/kubescape:v2.9.2 +FROM quay.io/kubescape/kubescape:v2.9.1 # Kubescape uses root privileges for writing the results to a file USER root From afee5f0c94ba3651830697b2bcd322200fa44f09 Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Mon, 16 Oct 2023 14:31:40 +0300 Subject: [PATCH 10/27] test with current branch Signed-off-by: Daniel Grunberger --- .github/workflows/example-fix-commit.yaml | 2 +- .github/workflows/example-fix-pr-review.yaml | 2 +- .github/workflows/example-scan.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/example-fix-commit.yaml b/.github/workflows/example-fix-commit.yaml index c97d65e..144c34a 100644 --- a/.github/workflows/example-fix-commit.yaml +++ b/.github/workflows/example-fix-commit.yaml @@ -17,7 +17,7 @@ jobs: - name: Get changed files id: changed-files uses: tj-actions/changed-files@v35 - - uses: kubescape/github-action@main + - uses: kubescape/github-action@feat-image-scanning with: account: ${{secrets.KUBESCAPE_ACCOUNT}} files: ${{ steps.changed-files.outputs.all_changed_files }} diff --git a/.github/workflows/example-fix-pr-review.yaml b/.github/workflows/example-fix-pr-review.yaml index 95d02ca..b509bc4 100644 --- a/.github/workflows/example-fix-pr-review.yaml +++ b/.github/workflows/example-fix-pr-review.yaml 
@@ -17,7 +17,7 @@ jobs: - name: Get changed files id: changed-files uses: tj-actions/changed-files@v35 - - uses: kubescape/github-action@main + - uses: kubescape/github-action@feat-image-scanning with: account: ${{secrets.KUBESCAPE_ACCOUNT}} files: ${{ steps.changed-files.outputs.all_changed_files }} diff --git a/.github/workflows/example-scan.yaml b/.github/workflows/example-scan.yaml index 77cc126..a94c32a 100644 --- a/.github/workflows/example-scan.yaml +++ b/.github/workflows/example-scan.yaml @@ -9,7 +9,7 @@ jobs: security-events: write steps: - uses: actions/checkout@v3 - - uses: kubescape/github-action@main + - uses: kubescape/github-action@feat-image-scanning continue-on-error: true with: format: sarif From fdd2d3f7b2674f2fcefa82e9e845f3d4a1999932 Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Tue, 17 Oct 2023 10:39:16 +0300 Subject: [PATCH 11/27] update img Signed-off-by: Daniel Grunberger --- Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index a5de772..0b9f71b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,4 @@ -# TODO(vladklokun): bump to a Kubescape version with image scanning support -FROM quay.io/kubescape/kubescape:v2.9.1 +FROM quay.io/matthiasb_1/kubescape-cli # Kubescape uses root privileges for writing the results to a file USER root From b71cce6636e56251eb6f12ed6b64b6d44d45766f Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Tue, 17 Oct 2023 12:02:51 +0300 Subject: [PATCH 12/27] busybox Signed-off-by: Daniel Grunberger --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 0e52907..2ace6ea 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/busybox/sh # Checks if `string` contains `substring`. # From 12ad3af64529df9fb7f053b4532095fd8f11c214 Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Tue, 17 Oct 2023 12:08:11 +0300 Subject: [PATCH 13/27] fix threshold 
Signed-off-by: Daniel Grunberger --- .github/workflows/example-scan-image.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml index 2216574..0b530b3 100644 --- a/.github/workflows/example-scan-image.yaml +++ b/.github/workflows/example-scan-image.yaml @@ -13,11 +13,11 @@ jobs: with: image: "nginx" format: "pretty-printer" + severityThreshold: "critical" # # Username for a private registry with the image # registryUsername: ${{secrets.KUBESCAPE_REGISTRY_USERNAME}} # # Password for a private registry with the image # registryPassword: ${{secrets.KUBESCAPE_REGISTRY_PASSWORD}} # # Fail at or above the specified vulnerability severity threshold - # severityThreshold: "critical" # Kubescape cloud account ID # account: ${{secrets.KUBESCAPE_ACCOUNT}} From f8ea0c9feb49990e9223470b03c9368108e1f97e Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Tue, 17 Oct 2023 14:29:35 +0300 Subject: [PATCH 14/27] scan ks img Signed-off-by: Daniel Grunberger --- .github/workflows/example-scan-image.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml index 0b530b3..2a83af8 100644 --- a/.github/workflows/example-scan-image.yaml +++ b/.github/workflows/example-scan-image.yaml @@ -11,9 +11,9 @@ jobs: - uses: actions/checkout@v3 - uses: kubescape/github-action@feat-image-scanning with: - image: "nginx" + image: "quay.io/kubescape/kubescape" format: "pretty-printer" - severityThreshold: "critical" + # severityThreshold: "critical" # # Username for a private registry with the image # registryUsername: ${{secrets.KUBESCAPE_REGISTRY_USERNAME}} # # Password for a private registry with the image From 4c266fab9bcdca9a71c1064aa21eb976f17dd36d Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Tue, 17 Oct 2023 15:56:38 +0300 Subject: [PATCH 15/27] use sarif 
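Review bot: Moving `severityThreshold: "critical"` up leaves its explanation, `# # Fail at or above the specified vulnerability severity threshold`, orphaned directly above `# Kubescape cloud account ID`, where it now reads as a description of the account input. Keep the comment next to the key it documents; the detached comment is carried through every later edit of this file and into the README copy in patch 23. Since `severityThreshold` is the only uncommented optional input here, a reader may also take `critical` as the default rather than an example value, which is worth saying in the comment if it is not the case.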
Signed-off-by: Daniel Grunberger --- .github/workflows/example-scan-image.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml index 2a83af8..cbf3f61 100644 --- a/.github/workflows/example-scan-image.yaml +++ b/.github/workflows/example-scan-image.yaml @@ -11,8 +11,8 @@ jobs: - uses: actions/checkout@v3 - uses: kubescape/github-action@feat-image-scanning with: - image: "quay.io/kubescape/kubescape" - format: "pretty-printer" + image: quay.io/kubescape/kubescape + format: sarif # severityThreshold: "critical" # # Username for a private registry with the image # registryUsername: ${{secrets.KUBESCAPE_REGISTRY_USERNAME}} From f3262cd0f9b6d213c5abae557fa7b4d93c6fc36f Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Tue, 17 Oct 2023 16:29:19 +0300 Subject: [PATCH 16/27] public to code scanning Signed-off-by: Daniel Grunberger --- .github/workflows/example-scan-image.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml index cbf3f61..39009d6 100644 --- a/.github/workflows/example-scan-image.yaml +++ b/.github/workflows/example-scan-image.yaml @@ -21,3 +21,7 @@ jobs: # # Fail at or above the specified vulnerability severity threshold # Kubescape cloud account ID # account: ${{secrets.KUBESCAPE_ACCOUNT}} + - name: Upload Kubescape scan results to Github Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif From 77ebbf6367b3a1636568e2d740748c6982a0e284 Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Tue, 17 Oct 2023 16:34:33 +0300 Subject: [PATCH 17/27] add output file Signed-off-by: Daniel Grunberger --- .github/workflows/example-scan-image.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml index 39009d6..839ab84 100644 
--- a/.github/workflows/example-scan-image.yaml +++ b/.github/workflows/example-scan-image.yaml @@ -13,6 +13,7 @@ jobs: with: image: quay.io/kubescape/kubescape format: sarif + outputFile: results.sarif # severityThreshold: "critical" # # Username for a private registry with the image # registryUsername: ${{secrets.KUBESCAPE_REGISTRY_USERNAME}} From 7eb9e116c66933f35bd1857a911b89b2cb210f60 Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Tue, 17 Oct 2023 16:37:58 +0300 Subject: [PATCH 18/27] continue on error Signed-off-by: Daniel Grunberger --- .github/workflows/example-scan-image.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml index 839ab84..7594066 100644 --- a/.github/workflows/example-scan-image.yaml +++ b/.github/workflows/example-scan-image.yaml @@ -10,6 +10,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: kubescape/github-action@feat-image-scanning + continue-on-error: true with: image: quay.io/kubescape/kubescape format: sarif From 5a4f307e6aa1f2da95cca1422424afa87494df1a Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Tue, 17 Oct 2023 17:06:40 +0300 Subject: [PATCH 19/27] try generic shell Signed-off-by: Daniel Grunberger --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 2ace6ea..9ae7034 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,4 +1,4 @@ -#!/busybox/sh +#!/usr/bin/env sh # Checks if `string` contains `substring`. # From f3abe9f3e5be74c4cb073aca2af091707b1a1588 Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Tue, 17 Oct 2023 17:10:54 +0300 Subject: [PATCH 20/27] use busybox Signed-off-by: Daniel Grunberger --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 9ae7034..2ace6ea 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
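Review bot: `continue-on-error: true` on the scan step means any non-zero exit from Kubescape — an unpullable image or a broken entrypoint as much as a `severityThreshold` breach — no longer fails the job, so the workflow stays green on tooling errors. If the goal is only that the SARIF upload still runs when findings are present, a less lossy shape is to leave the scan step fatal and mark the upload step `if: always()`. If masking failures is intended (example-scan.yaml uses the same pattern), a one-line comment above it, e.g. `# Do not fail the job on findings; they are surfaced through Code Scanning below`, would make that explicit for people copying the example.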
@@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/busybox/sh # Checks if `string` contains `substring`. # From 0880b6260880154ba625fdb19df84defc9d6c933 Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Thu, 19 Oct 2023 10:59:52 +0300 Subject: [PATCH 21/27] use ks cli img Signed-off-by: Daniel Grunberger --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 0b9f71b..e648e24 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/matthiasb_1/kubescape-cli +FROM kubescape/kubescape-cli:v2.9.2 # Kubescape uses root privileges for writing the results to a file USER root From 2d8362ab4599f59848e6138ab53b13d14706354a Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Thu, 19 Oct 2023 11:02:00 +0300 Subject: [PATCH 22/27] fix img name Signed-off-by: Daniel Grunberger --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index e648e24..f59a49f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM kubescape/kubescape-cli:v2.9.2 +FROM quay.io/kubescape/kubescape-cli:v2.9.2 # Kubescape uses root privileges for writing the results to a file USER root From 75580a3f28a6b196fc6b31e5af605be8bf46c94f Mon Sep 17 00:00:00 2001 From: Daniel Grunberger Date: Thu, 19 Oct 2023 11:17:10 +0300 Subject: [PATCH 23/27] pr for merge Signed-off-by: Daniel Grunberger --- .github/workflows/example-fix-commit.yaml | 2 +- .github/workflows/example-fix-pr-review.yaml | 2 +- .github/workflows/example-scan-image.yaml | 2 +- .github/workflows/example-scan.yaml | 2 +- README.md | 11 +++++++++-- 5 files changed, 13 insertions(+), 6 deletions(-) diff --git a/.github/workflows/example-fix-commit.yaml b/.github/workflows/example-fix-commit.yaml index 144c34a..c97d65e 100644 --- a/.github/workflows/example-fix-commit.yaml +++ b/.github/workflows/example-fix-commit.yaml 
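Review bot: `#!/busybox/sh` hard-codes an interpreter path that exists only inside the image built from this repository's Dockerfile, so the script can no longer be run or linted on a developer machine, and the `#!/usr/bin/env sh` form from the previous commit is reverted without a recorded reason. A comment under the shebang would save the next person the same round trip, e.g. `# The base image provides no /bin/sh; busybox is the only shell available — keep the script POSIX-sh clean` (adjust if the actual reason differs). Documenting the constraint also makes it clear that switching back is possible once the base image changes.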
@@ -17,7 +17,7 @@ jobs: - name: Get changed files id: changed-files uses: tj-actions/changed-files@v35 - - uses: kubescape/github-action@feat-image-scanning + - uses: kubescape/github-action@main with: account: ${{secrets.KUBESCAPE_ACCOUNT}} files: ${{ steps.changed-files.outputs.all_changed_files }} diff --git a/.github/workflows/example-fix-pr-review.yaml b/.github/workflows/example-fix-pr-review.yaml index b509bc4..95d02ca 100644 --- a/.github/workflows/example-fix-pr-review.yaml +++ b/.github/workflows/example-fix-pr-review.yaml @@ -17,7 +17,7 @@ jobs: - name: Get changed files id: changed-files uses: tj-actions/changed-files@v35 - - uses: kubescape/github-action@feat-image-scanning + - uses: kubescape/github-action@main with: account: ${{secrets.KUBESCAPE_ACCOUNT}} files: ${{ steps.changed-files.outputs.all_changed_files }} diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml index 7594066..345cb7f 100644 --- a/.github/workflows/example-scan-image.yaml +++ b/.github/workflows/example-scan-image.yaml @@ -9,7 +9,7 @@ jobs: security-events: write steps: - uses: actions/checkout@v3 - - uses: kubescape/github-action@feat-image-scanning + - uses: kubescape/github-action@main continue-on-error: true with: image: quay.io/kubescape/kubescape diff --git a/.github/workflows/example-scan.yaml b/.github/workflows/example-scan.yaml index a94c32a..77cc126 100644 --- a/.github/workflows/example-scan.yaml +++ b/.github/workflows/example-scan.yaml @@ -9,7 +9,7 @@ jobs: security-events: write steps: - uses: actions/checkout@v3 - - uses: kubescape/github-action@feat-image-scanning + - uses: kubescape/github-action@main continue-on-error: true with: format: sarif diff --git a/README.md b/README.md index 0c60bd0..3319b85 100644 --- a/README.md +++ b/README.md 
@@ -151,16 +151,23 @@ jobs: steps: - uses: actions/checkout@v3 - uses: kubescape/github-action@main + continue-on-error: true with: - image: "nginx" + image: quay.io/kubescape/kubescape + format: sarif + outputFile: results.sarif + # severityThreshold: "critical" # # Username for a private registry with the image # registryUsername: ${{secrets.KUBESCAPE_REGISTRY_USERNAME}} # # Password for a private registry with the image # registryPassword: ${{secrets.KUBESCAPE_REGISTRY_PASSWORD}} # # Fail at or above the specified vulnerability severity threshold - # severityThreshold: "critical" # Kubescape cloud account ID # account: ${{secrets.KUBESCAPE_ACCOUNT}} + - name: Upload Kubescape scan results to Github Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif ``` ## Inputs From 87d8cb577f017cce59edb3c3f8d07fc006ced05b Mon Sep 17 00:00:00 2001 From: Daniel Grunberger <84905812+Daniel-GrunbergerCA@users.noreply.github.com> Date: Thu, 19 Oct 2023 16:04:29 +0300 Subject: [PATCH 24/27] Update .github/workflows/example-scan-image.yaml Co-authored-by: David Wertenteil Signed-off-by: Daniel Grunberger <84905812+Daniel-GrunbergerCA@users.noreply.github.com> --- .github/workflows/example-scan-image.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml index 345cb7f..9753e32 100644 --- a/.github/workflows/example-scan-image.yaml +++ b/.github/workflows/example-scan-image.yaml @@ -19,7 +19,7 @@ jobs: # # Username for a private registry with the image # registryUsername: ${{secrets.KUBESCAPE_REGISTRY_USERNAME}} # # Password for a private registry with the image - # registryPassword: ${{secrets.KUBESCAPE_REGISTRY_PASSWORD}} + # registryPassword: ${{secrets.REGISTRY_PASSWORD}} # # Fail at or above the specified vulnerability severity threshold # Kubescape cloud account ID # account: ${{secrets.KUBESCAPE_ACCOUNT}} 
From 431688771a0c16280a83fbf9d30b6188a115b5c5 Mon Sep 17 00:00:00 2001 From: Daniel Grunberger <84905812+Daniel-GrunbergerCA@users.noreply.github.com> Date: Thu, 19 Oct 2023 16:04:47 +0300 Subject: [PATCH 25/27] Update README.md Co-authored-by: David Wertenteil Signed-off-by: Daniel Grunberger <84905812+Daniel-GrunbergerCA@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3319b85..8323eee 100644 --- a/README.md +++ b/README.md @@ -158,7 +158,7 @@ jobs: outputFile: results.sarif # severityThreshold: "critical" # # Username for a private registry with the image - # registryUsername: ${{secrets.KUBESCAPE_REGISTRY_USERNAME}} + # registryUsername: ${{secrets.REGISTRY_USERNAME}} # # Password for a private registry with the image # registryPassword: ${{secrets.KUBESCAPE_REGISTRY_PASSWORD}} # # Fail at or above the specified vulnerability severity threshold From 5028862760ca636c877f0f587189bd5a0eaaf96f Mon Sep 17 00:00:00 2001 From: Daniel Grunberger <84905812+Daniel-GrunbergerCA@users.noreply.github.com> Date: Thu, 19 Oct 2023 16:04:54 +0300 Subject: [PATCH 26/27] Update README.md Co-authored-by: David Wertenteil Signed-off-by: Daniel Grunberger <84905812+Daniel-GrunbergerCA@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8323eee..9320852 100644 --- a/README.md +++ b/README.md @@ -160,7 +160,7 @@ jobs: # # Username for a private registry with the image # registryUsername: ${{secrets.REGISTRY_USERNAME}} # # Password for a private registry with the image - # registryPassword: ${{secrets.KUBESCAPE_REGISTRY_PASSWORD}} + # registryPassword: ${{secrets.REGISTRY_PASSWORD}} # # Fail at or above the specified vulnerability severity threshold # Kubescape cloud account ID # account: ${{secrets.KUBESCAPE_ACCOUNT}} From 745ce65685d5c5d66615ed9f664f23189329af77 Mon Sep 17 00:00:00 2001 
From: Daniel Grunberger <84905812+Daniel-GrunbergerCA@users.noreply.github.com> Date: Thu, 19 Oct 2023 16:05:15 +0300 Subject: [PATCH 27/27] Update .github/workflows/example-scan-image.yaml Co-authored-by: Vlad Klokun Signed-off-by: Daniel Grunberger <84905812+Daniel-GrunbergerCA@users.noreply.github.com> --- .github/workflows/example-scan-image.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml index 9753e32..31c6205 100644 --- a/.github/workflows/example-scan-image.yaml +++ b/.github/workflows/example-scan-image.yaml @@ -17,7 +17,8 @@ jobs: outputFile: results.sarif # severityThreshold: "critical" # # Username for a private registry with the image - # registryUsername: ${{secrets.KUBESCAPE_REGISTRY_USERNAME}} + # # Username for the image registry account you use to retrieve and scan images + # registryUsername: ${{secrets.SCANNER_REGISTRY_USERNAME}} # # Password for a private registry with the image # registryPassword: ${{secrets.REGISTRY_PASSWORD}} # # Fail at or above the specified vulnerability severity threshold
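Review bot: The hunk adds `# # Username for the image registry account you use to retrieve and scan images` without removing the older `# # Username for a private registry with the image` directly above it, so the commented `registryUsername` line now carries two explanatory comments. The secret names are also left inconsistent by patches 24–27: this file ends with `secrets.SCANNER_REGISTRY_USERNAME` and `secrets.REGISTRY_PASSWORD`, while the README copy ends with `secrets.REGISTRY_USERNAME` and `secrets.REGISTRY_PASSWORD`. Pick one pair, use it in both places, and drop the superseded comment line.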