github-action's Introduction

Kubescape action

Run security scans on your Kubernetes manifests and Helm charts as a part of your CI using the Kubescape action. Kubescape scans Kubernetes clusters, YAML files and Helm charts, detecting misconfigurations according to multiple frameworks (such as NSA-CISA, MITRE ATT&CK® and the CIS Benchmark) as well as software vulnerabilities.

Usage

Scanning with Kubescape

To scan your repository with Kubescape in your Github workflow, add the following steps to your workflow configuration:

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
    - uses: actions/checkout@v3
    - uses: kubescape/github-action@main
      continue-on-error: true
      with:
        format: sarif
        outputFile: results
        # # Optional: Specify the Kubescape Portal credentials 
        # account: ${{secrets.KUBESCAPE_ACCOUNT}}
        # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
        # server: ${{ vars.KUBESCAPE_SERVER }}
        # # Optional: Scan a specific path. Default will scan the whole repository
        # files: "examples/*.yaml"
    - name: Upload Kubescape scan results to Github Code Scanning
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif

This workflow definition scans your repository with Kubescape and publishes the results to Github. You can then see the results in the Pull Request that triggered the scan and in the Security → Code scanning tab.

Automatically Suggest Fixes

To make Kubescape automatically suggest fixes to your pull requests by code review, use the following workflow:

name: Suggest autofixes with Kubescape for PR by reviews
on:
  pull_request_target:

jobs:
  kubescape-fix-pr-reviews:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write

    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        ref: ${{github.event.pull_request.head.ref}}
        repository: ${{github.event.pull_request.head.repo.full_name}}
    - name: Get changed files
      id: changed-files
      uses: tj-actions/changed-files@v35
    - uses: kubescape/github-action@main
      with:
        account: ${{secrets.KUBESCAPE_ACCOUNT}}
        accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
        server: ${{ vars.KUBESCAPE_SERVER }}
        files: ${{ steps.changed-files.outputs.all_changed_files }}
        fixFiles: true
        format: "sarif"
    - name: PR Suggester according to SARIF file
      if: github.event_name == 'pull_request_target'
      uses: HollowMan6/[email protected]
      with:
        file: 'results.sarif'
        level: warning

The above workflow works by collecting the SARIF (Static Analysis Results Interchange Format) file that Kubescape generates. Then, with the help of HollowMan6/sarif4reviewdog, it converts the SARIF file into RDFormat (Reviewdog Diagnostic Format) and generates reviews using Reviewdog.

You can also make Kubescape automatically suggest fixes for the pushes to your main branch by opening new PRs with the following workflow:

name: Suggest autofixes with Kubescape for direct commits by PR
on: 
  push:
    branches: [ main ]

jobs:
  kubescape-fix-commit:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write

    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
    - name: Get changed files
      id: changed-files
      uses: tj-actions/changed-files@v35
    - uses: kubescape/github-action@main
      with:
        account: ${{secrets.KUBESCAPE_ACCOUNT}}
        accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
        server: ${{ vars.KUBESCAPE_SERVER }}
        files: ${{ steps.changed-files.outputs.all_changed_files }}
        fixFiles: true
        format: "sarif"
    - uses: peter-evans/create-pull-request@v4
      # Remember to allow GitHub Actions to create and approve pull requests
      # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests
      if: github.event_name != 'pull_request_target'
      with:
        add-paths: |
          *.yaml
        commit-message: "chore: fix K8s misconfigurations"
        title: "[Kubescape] chore: fix K8s misconfigurations"
        body: |
          # What this PR changes

          [Kubescape](https://github.com/kubescape/kubescape) has found misconfigurations in the targeted branch. This PR fixes the misconfigurations that have automatic fixes available.

          You may still need to fix misconfigurations that do not have automatic fixes.
        base: ${{ github.head_ref }}
        branch: kubescape-auto-fix-${{ github.head_ref || github.ref_name }}
        delete-branch: true

The above workflow works by collecting the changes made directly to the original files. In the example above, a separate step that runs a different action opens the appropriate pull request. Due to how Github works, there are limitations on running and opening pull requests to forks. The action running in this step is maintained by its respective maintainers, and not the Kubescape team, so you should review its documentation when troubleshooting the process of triggering the workflow run and opening pull requests.

Please note that since Kubescape provides automatic fixes only to the rendered YAML manifests, the workflow above will not produce correct fixes for Helm charts.

The next important thing to note is that Kubescape only fixes the files. It does not open pull requests or generate code reviews on its own.

Scanning images

The Kubescape Github Action is also able to scan images. But you should be aware that image scanning cannot run in parallel with configuration scanning and file fixing at the moment. If you would like to run both image and configuration scanning, you should define at least two separate steps with the same action but different arguments: one for image scanning and the other for configuration scanning.

To scan a container image with the Kubescape Github Action, use the following workflow definition, keeping in mind that you need to replace the image value (image: nginx in the example) with the name of the image you want to scan:

name: Kubescape scanning for image vulnerabilities
on: [push, pull_request]
jobs:
  kubescape-scan-image:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
    - uses: actions/checkout@v3
    - uses: kubescape/github-action@main
      continue-on-error: true
      with:
        image: nginx
        format: sarif
        outputFile: results.sarif
        # # Fail at or above the specified vulnerability severity threshold
        # severityThreshold: "critical"
        # # Username for a private registry with the image
        # registryUsername: ${{secrets.REGISTRY_USERNAME}}
        # # Password for a private registry with the image
        # registryPassword: ${{secrets.REGISTRY_PASSWORD}}
        # Kubescape Portal credentials
        # account: ${{secrets.KUBESCAPE_ACCOUNT}}
        # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
        # server: ${{ vars.KUBESCAPE_SERVER }}
    - name: Upload Kubescape scan results to Github Code Scanning
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif

Inputs

| Name | Description | Required |
|------|-------------|----------|
| files | YAML files or Helm charts to scan for misconfigurations. The files need to be provided with the complete path from the root of the repository. | No (default is ".", which scans the whole repository) |
| outputFile | Name of the output file where the scan result will be stored, without the extension. | No (default is results) |
| frameworks | Security framework(s) to scan the files against. Multiple frameworks can be specified separated by a comma with no spaces. Example: nsa,devopsbest. Run kubescape list frameworks in the Kubescape CLI to get a list of all frameworks. Either frameworks or controls have to be specified. | No |
| controls | Security control(s) to scan the files against. Multiple controls can be specified separated by a comma with no spaces. Example: Configured liveness probe,Pods in default namespace. Run kubescape list controls in the Kubescape CLI to get a list of all controls. You can use either the complete control name or the control ID, such as C-0001, to specify the control you want to use. You must specify either the control(s) or the framework(s) you want to use in the scan. | No |
| account | Account ID for integrating with a third-party server. | No |
| accessKey | Access key for integrating with a third-party server. | No |
| server | URL for integrating with a third-party server. | No |
| failedThreshold | Failure threshold is the percentage of failed controls above which the command fails and returns exit code 1. | No (default 0, i.e. the action fails if any control fails) |
| severityThreshold | Severity threshold is the severity of a failed control at or above which the command terminates with exit code 1. | No (default is high, i.e. the action fails if any High severity control fails) |
| verbose | Display all of the input resources and not only the failed resources. | No (default is off) |
| exceptions | The JSON file containing at least one resource and one policy. Refer to the exceptions docs for more info. Objects matching an exception are reported as excluded rather than failed. | No |
| controlsConfig | The file containing the controls configuration. Use kubescape download controls-inputs to download the configured controls-inputs. | No |
| image | The image you wish to scan. Launches an image scan, which cannot run together with configuration scans. | No |
| registryUsername | Username for a private registry that hosts the scanned image. | No |
| registryPassword | Password for a private registry that hosts the scanned image. | No |

Examples

Scan and submit results to the Kubescape Cloud

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
    - uses: actions/checkout@v3
    - uses: kubescape/github-action@main
      continue-on-error: true
      with:
        format: sarif
        outputFile: results
        # Specify the Kubescape cloud account ID
        account: ${{secrets.KUBESCAPE_ACCOUNT}}
        accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
        server: ${{ vars.KUBESCAPE_SERVER }}
    - name: Upload Kubescape scan results to Github Code Scanning
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif

Scan specific file paths

Scan a specific pathspec, for example examples/kubernetes-manifests/*.yaml:

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
    - uses: actions/checkout@v3
    - uses: kubescape/github-action@main
      continue-on-error: true
      with:
        format: sarif
        outputFile: results
        # Scan a specific path. Default will scan the whole repository
        files: "examples/kubernetes-manifests/*.yaml"
    - name: Upload Kubescape scan results to Github Code Scanning
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif

Scan against specific frameworks

Perform a Kubescape scan against a list of specific frameworks (NSA and MITRE in this example):

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          format: sarif
          outputFile: results
          frameworks: |
            nsa,mitre
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

Fail Kubescape scanning based on the percentage of failed controls

Scan a repository with Kubescape and fail the scanning step if the percent of failed controls is more than the specified failedThreshold:

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: false
        with:
          format: sarif
          outputFile: results
          failedThreshold: 50
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

Fail Kubescape scanning based on maximum severity of a failed control

Scan a repository with Kubescape and fail the scanning step if the scan has found failed controls with severity of Medium and above:

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: false
        with:
          format: sarif
          outputFile: results
          severityThreshold: medium
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

github-action's People

Contributors

amirmalka, avinashupadhya99, craigbox, daniel-grunbergerca, dwertent, github-actions[bot], hollowman6, moshe-rappaport-ca, oshratn, rtalipov, shiwwamm, slashben, theden, vladklokun

github-action's Issues

Add support for controls-config parameter

The Kubescape CLI supports the flag controls-config as a path to controls-inputs objects. However, it is not available as an input in github-action. Adding this parameter will help to adjust the configurations for the controls instead of using exceptions.

Impossible to scan private image from Github registry

Hello, I can't scan a private image that is stored in ghcr.io.

I've verified the credentials.

Here is the pipeline:

name: Deploy to dev env

on:
  push:
    branches: ["dev"]
  pull_request:
    branches: ["dev"]

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
      security-events: write
      actions: read
    steps:
      - uses: actions/checkout@v4

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          image: ghcr.io/beltsecurity/fleet-qc:dev
          format: sarif
          outputFile: results.sarif
          registryUsername: ${{ github.actor }}
          registryPassword: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/beltsecurity/fleet-qc:dev

The pipeline step kubescape/github-action@main outputs the following error:

Error: unable to load image: unable to use OciRegistry source: failed to get image descriptor from registry: GET https://auth.docker.io/token?scope=repository%3A%2F%2Fghcr.io%2Fbeltsecurity%2Ffleet-qc%3Apull&service=registry.docker.io: unexpected status code 401 Unauthorized: {"details":"incorrect username or password"}

I think that the URL of the targeted registry is wrong.
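The quoted error is informative on its own: the token request went to auth.docker.io (Docker Hub's auth endpoint) while the requested scope still carries the whole ghcr.io/beltsecurity/fleet-qc path, i.e. the registry host was never split off the reference before the client chose where to authenticate. The parser below is an added example, not code from the action or from the scanner it wraps; it implements the split that Docker-style reference grammar performs (first path component is a registry host only if it contains "." or ":" or is "localhost", otherwise the image lives on docker.io), and the names ImageRef, parse_image_ref and pull_scope are this example's own. Run against the issue's reference it yields registry ghcr.io and scope repository:beltsecurity/fleet-qc:pull, which is what a correct client would take to ghcr.io's token endpoint.

```python
"""Parse a container image reference into registry, repository and tag/digest.

Added example; not code from kubescape/github-action or any registry client.
It applies the Docker-style reference grammar: the first path component is
a registry host only if it contains '.' or ':' or is exactly 'localhost';
anything else is a repository on docker.io, and a bare single-component name
gets the 'library/' namespace.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_REGISTRY = "docker.io"


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    def pull_scope(self) -> str:
        """Token scope a registry client requests in order to pull this repository."""
        return f"repository:{self.repository}:pull"

    def reference(self) -> str:
        """Digest if one was given, otherwise the tag."""
        return self.digest if self.digest else self.tag


def parse_image_ref(ref: str) -> ImageRef:
    name, digest = ref, None
    if "@" in name:
        name, digest = name.split("@", 1)
        if not digest.startswith("sha256:"):
            raise ValueError(f"unsupported digest in {ref!r}")

    # Decide whether the leading component names a registry host.
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, name

    # A tag is whatever follows the last ':' in the final path component;
    # a ':' inside the registry host (port) was already consumed above.
    tag = None
    if path.rfind(":") > path.rfind("/"):
        path, tag = path.rsplit(":", 1)

    if not path:
        raise ValueError(f"empty repository in {ref!r}")
    if registry == DEFAULT_REGISTRY and "/" not in path:
        path = "library/" + path
    if tag is None and digest is None:
        tag = "latest"
    return ImageRef(registry, path, tag, digest)


if __name__ == "__main__":
    # The reference from the issue above plus the README's two sample images.
    for sample in ("ghcr.io/beltsecurity/fleet-qc:dev", "nginx", "quay.io/kubescape/kubescape"):
        img = parse_image_ref(sample)
        print(f"{sample:36} -> registry={img.registry} scope={img.pull_scope()} ref={img.reference()}")
```

A quick way to use this when debugging a 401 from an image scan is to compare the registry the parser reports with the host in the failing token URL: if they differ, the client is authenticating against the wrong registry rather than rejecting the supplied credentials.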

Empty sarif

I'm running the GH action against some Helm charts where I get critical to low results as expected. The whole pipeline works, but I don't see any results in CodeScan on that branch, and if I try to print the SARIF, it looks empty.

Please find below my pipeline as well as an extract of the logs.

name: Lint and Test Charts

on:
  push:
    branches:
      - mystuff
jobs:
  lint-test:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Helm
        uses: azure/[email protected]
        with:
          version: v3.12.0
      - uses: actions/setup-python@v4
        with:
          python-version: 3.7
      - name: Set up chart-testing
        uses: helm/[email protected]
      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          changed=$(ct list-changed --config .github/linters/ct.yaml)
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> $GITHUB_OUTPUT
          fi
      - name: Run chart-testing (lint)
        run: ct lint --config .github/linters/ct.yaml --validate-maintainers=false
      - uses: kubescape/github-action@main
        #continue-on-error: true
        with:
          format: sarif
          outputFile: results
          files: "helm/mychart"
          verbose: true
          severityThreshold: critical   
      - name: print results
        run: |
          cat results.sarif
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
image is <>
kubescape scan    helm/feltboard-ghostbuster   --severity-threshold critical --format sarif --output results --verbose  
{"level":"info","ts":"2023-10-23T14:46:45Z","msg":"Kubescape scanner initializing"}
{"level":"warn","ts":"2023-10-23T14:46:46Z","msg":"current version 'v2.9.2' is not updated to the latest release: 'v3.0.0'"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Initialized scanner"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loading policies"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loaded policies"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loading exceptions"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loaded exceptions"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loading account configurations"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loaded account configurations"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Accessing local objects"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Done accessing local objects"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Scanning GitLocal"}
{"level":"info","ts":"2023-10-23T14:46:48Z","msg":"Done scanning GitLocal"}
{"level":"info","ts":"2023-10-23T14:46:48Z","msg":"Done aggregating results"}

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

################################################################################
Source: helm/feltboard-ghostbuster/templates/cronjob.yaml
ApiVersion: batch/v1
Kind: CronJob
Name: -feltboard-ghostbuster

Controls: 29 (Failed: 13, action required: 2)

| Severity | Control Name                       | Docs                               | Assisted Remediation                                                                              |
|----------|------------------------------------|------------------------------------|---------------------------------------------------------------------------------------------------|
| High     | Resource limits                    | https://hub.armosec.io/docs/c-0009 | spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE                 |
|          |                                    |                                    | spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE              |
| High     | Resources CPU limit and request    | https://hub.armosec.io/docs/c-0050 | spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE                 |
|          |                                    |                                    | spec.jobTemplate.spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE               |
| High     | Resources memory limit and request | https://hub.armosec.io/docs/c-0004 | spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE              |
|          |                                    |                                    | spec.jobTemplate.spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE            |
| Low      | Configured readiness probe         | https://hub.armosec.io/docs/c-0018 | spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE                       |
| Low      | Immutable container filesystem     | https://hub.armosec.io/docs/c-0017 | spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true     |
| Low      | K8s common labels usage            | https://hub.armosec.io/docs/c-0077 | metadata.labels[app.kubernetes.io/name]=YOUR_VALUE                                                |
|          |                                    |                                    | spec.jobTemplate.spec.template.metadata.labels[app.kubernetes.io/name]=YOUR_VALUE                 |
| Low      | Label usage for resources          | https://hub.armosec.io/docs/c-0076 | metadata.labels[app]=YOUR_VALUE                                                                   |
|          |                                    |                                    | spec.jobTemplate.spec.template.metadata.labels[app]=YOUR_VALUE                                    |
| Low      | Pods in default namespace          | https://hub.armosec.io/docs/c-0061 | metadata.namespace=YOUR_NAMESPACE                                                                 |
| Medium   | Allow privilege escalation         | https://hub.armosec.io/docs/c-0016 | spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false  |
| Medium   | Configured liveness probe          | https://hub.armosec.io/docs/c-0056 | spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE                        |
| Medium   | Ingress and Egress blocked         | https://hub.armosec.io/docs/c-0030 |                                                                                                   |
| Medium   | Linux hardening                    | https://hub.armosec.io/docs/c-0055 | spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE       |
|          |                                    |                                    | spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE       |
|          |                                    |                                    | spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE |
| Medium   | Non-root containers                | https://hub.armosec.io/docs/c-0013 | spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot=true               |
|          |                                    |                                    | spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false  |
{"level":"info","ts":"2023-10-23T14:46:48Z","msg":"Scan results saved","filename":"results.sarif"}


Controls: 48 (Failed: 13, Passed: 33, Action Required: 2)
Failed Resources by Severity: Critical — 0, High — 3, Medium — 5, Low — 5

Run cat results.sarif
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "informationUri": "https://armosec.io/",
          "name": "kubescape",
          "rules": []
        }
      },
      "results": []
    }
  ]
}

Run github/codeql-action/upload-sarif@v2
  
Uploading results
  Processing sarif files: ["results.sarif"]
  Uploading results
  Successfully uploaded results
Waiting for processing to finish
  Analysis upload status is pending.
  Analysis upload status is complete.

[Enhancement] Add parameter for exceptions

Currently, exceptions are supported as args. It needs to be a separate parameter since it plays a central role for the user.

  • Create parameter for exceptions and set it to optional
  • Update docs with example and remove exceptions from the args list in the docs
  • The exceptions provided through the parameter should be placed after the flags passed through args during the execution in the script.

Update release of GHA action

The workflow fails because of bugs in the latest version of kubescape/github-action. The bugs are already fixed in the base Kubescape repo (issues kubescape/kubescape#1271 and kubescape/kubescape#1255), but for now the fixes are not yet incorporated into the Kubescape action.

name: Suggest autofixes with Kubescape for PR by reviews
on:
  pull_request_target:

jobs:
  kubescape-fix-pr-reviews:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write

    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        ref: ${{github.event.pull_request.head.ref}}
        repository: ${{github.event.pull_request.head.repo.full_name}}
    - name: Get changed files
      id: changed-files
      uses: tj-actions/changed-files@v35
    - uses: kubescape/github-action@main
      with:
        account: ${{secrets.KUBESCAPE_ACCOUNT}}
        files: ${{ steps.changed-files.outputs.all_changed_files }}
        fixFiles: true
        format: "sarif"
    - name: PR Suggester according to SARIF file
      if: github.event_name == 'pull_request_target'
      uses: HollowMan6/[email protected]
      with:
        file: 'results.sarif'
        level: warning

[Feature] Add support for repository scanning

Kubescape supports scanning entire repositories - https://hub.armosec.io/docs/repository-scanning

The GitHub action should support an option for scanning the entire repository.

  • The feature should be through a mandatory input - scanRepository, which should accept yes or no.
  • If the input is set to yes, the value for the accountGUID needs to be provided as an input. The input accountGUID should be an optional input and validated only if the input scanRepository is set to yes.
  • If the input scanRepository is not set to yes, the current functionality of the action should be performed. If not, the repository scan should be performed and the results should be sent to the SaaS platform.
  • The updates should be documented in the README with examples.

Reach out in the Kubescape Discord Server in the github-action-development channel or leave a comment on this issue for details/help/interest.

framework 'cis' not found after v2.3.6

hi,

While investigating an issue specific to the exclusion of "controlID": "C-0211" against v2.3.0, I attempted to version bump to the latest release. Below are the outputs against an empty repo. This seems to match my experience on a GitHub Enterprise installation from which I cannot share logs.

tl;dr: is the cis framework deliberately removed?

thanks!

Below: logs from github actions runs on github.com. Repo is empty except for a README.md and the workflow.yml

Run kubescape/[email protected]
/usr/bin/docker run --name ed93b97cd4d43f6b4e18b60f3be1da10a8f7_5ca950 --label 47ed93 --workdir /github/workspace --rm -e "INPUT_FORMAT" -e "INPUT_OUTPUTFILE" -e "INPUT_FRAMEWORKS" -e "INPUT_FAILEDTHRESHOLD" -e "INPUT_SEVERITYTHRESHOLD" -e "INPUT_FILES" -e "INPUT_VERBOSE" -e "INPUT_CONTROLS" -e "INPUT_CONTROLSCONFIG" -e "INPUT_ACCOUNT" -e "INPUT_EXCEPTIONS" -e "INPUT_FIXFILES" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/kubescape/kubescape":"/github/workspace" 47ed93:b97cd4d43f6b4e18b60f3be1da10a8f7
kubescape scan framework cis  .   --severity-threshold high --format sarif --format-version v2 --output results   config
{"level":"info","ts":"2023-11-28T18:12:31Z","msg":"Kubescape scanner starting"}
{"level":"warn","ts":"2023-11-28T18:12:32Z","msg":"current version 'v2.3.0' is not updated to the latest release: 'v3.0.0'"}
{"level":"info","ts":"2023-11-28T18:12:32Z","msg":"Downloading/Loading policy definitions"}
{"level":"info","ts":"2023-11-28T18:12:32Z","msg":"Downloaded/Loaded policy"}
{"level":"info","ts":"2023-11-28T18:12:32Z","msg":"Accessing local objects"}
{"level":"error","ts":"2023-11-28T18:12:32Z","msg":"no files found to scan","input":"config"}
{"level":"info","ts":"2023-11-28T18:12:32Z","msg":"Done accessing local objects"}
{"level":"info","ts":"2023-11-28T18:12:32Z","msg":"Scanning GitLocal"}
{"level":"info","ts":"2023-11-28T18:12:32Z","msg":"Done scanning GitLocal"}

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Controls: 121 (Failed: 0, Passed: 121, Action Required: 0)
Failed Resources by Severity: Critical — 0, High — 0, Medium — 0, Low — 0

+----------+-------------------------------------------------------+------------------+---------------+--------------------+
| SEVERITY |                     CONTROL NAME                      | FAILED RESOURCES | ALL RESOURCES | % COMPLIANCE-SCORE |
+----------+-------------------------------------------------------+------------------+---------------+--------------------+
| High     | CIS-1.1.11 Ensure that the etcd data directory per... |        0         |       0       |        -1%         |

<snip>


#############################################
#############################################
#############################################
#############################################
#############################################

Run kubescape/[email protected]
  
/usr/bin/docker run --name ed9323ba5cbca7844f3b8f18588c1719fde3_e08448 --label 47ed93 --workdir /github/workspace --rm -e "INPUT_FORMAT" -e "INPUT_OUTPUTFILE" -e "INPUT_FRAMEWORKS" -e "INPUT_FAILEDTHRESHOLD" -e "INPUT_SEVERITYTHRESHOLD" -e "INPUT_FILES" -e "INPUT_VERBOSE" -e "INPUT_CONTROLS" -e "INPUT_CONTROLSCONFIG" -e "INPUT_ACCOUNT" -e "INPUT_EXCEPTIONS" -e "INPUT_FIXFILES" -e "INPUT_IMAGE" -e "INPUT_REGISTRYUSERNAME" -e "INPUT_REGISTRYPASSWORD" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/kubescape/kubescape":"/github/workspace" 47ed93:23ba5cbca7844f3b8f18588c1719fde3
image is <>
kubescape scan  framework cis  .   --severity-threshold high --format sarif --output results   
{"level":"info","ts":"2023-11-28T18:13:36Z","msg":"Kubescape scanner initializing"}
{"level":"warn","ts":"2023-11-28T18:13:37Z","msg":"current version 'v2.9.2' is not updated to the latest release: 'v3.0.0'"}
{"level":"info","ts":"2023-11-28T18:13:37Z","msg":"Initialized scanner"}
{"level":"info","ts":"2023-11-28T18:13:37Z","msg":"Loading policies"}
{"level":"fatal","ts":"2023-11-28T18:13:37Z","msg":"framework 'cis' not found"}
<snip>

GH action not failing

Hi,

first of all thanks for the action and the great tool.

The GH action is not failing based on the severityThreshold. For example:

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: kubescape/github-action@main
      continue-on-error: true
      with:
        format: sarif
        outputFile: results
        files: "kubernetes/**.yaml"
        severityThreshold: low

I am setting up the tool and there are multiple high severity issues in my project. The corresponding log output is:

kubescape scan   kubernetes/**.yaml   --severity-threshold low --format sarif --format-version v2 --output results 
{"level":"info","ts":"2023-04-07T05:59:30Z","msg":"Kubescape scanner starting"}
{"level":"warn","ts":"2023-04-07T05:59:31Z","msg":"current version 'v2.0.183' is not updated to the latest release: 'v2.2.6'"}
{"level":"info","ts":"2023-04-07T05:59:35Z","msg":"Downloading/Loading policy definitions"}
{"level":"info","ts":"2023-04-07T05:59:35Z","msg":"Downloaded/Loaded policy"}
{"level":"info","ts":"2023-04-07T05:59:35Z","msg":"Accessing local objects"}
{"level":"warn","ts":"2023-04-07T05:59:35Z","msg":"git scan skipped","error":"failed to get commit information for file: kubernetes/base/deployment.yaml"}
{"level":"info","ts":"2023-04-07T05:59:35Z","msg":"Done accessing local objects"}
{"level":"info","ts":"2023-04-07T05:59:35Z","msg":"Scanning GitLocal"}
{"level":"info","ts":"2023-04-07T05:59:36Z","msg":"Done scanning GitLocal"}

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Controls: 36 (Failed: 16, Excluded: 0, Skipped: 0)
Failed Resources by Severity: Critical — 0, High — 8, Medium — 19, Low — 6

+----------+--------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| SEVERITY |                                        CONTROL NAME                                        | FAILED RESOURCES | EXCLUDED RESOURCES | ALL RESOURCES | % RISK-SCORE |
+----------+--------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| High     | Resources memory limit and request                                                         |        2         |         0          |       2       |     100%     |
| High     | Resource limits                                                                            |        2         |         0          |       2       |     100%     |
| High     | Resources CPU limit and request                                                            |        2         |         0          |       2       |     100%     |
| High     | CIS-5.7.3 Apply Security Context to Your Pods and Containers                               |        2         |         0          |       2       |     100%     |
| Medium   | Non-root containers                                                                        |        2         |         0          |       2       |     100%     |
+----------+--------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
|          |                                      RESOURCE SUMMARY                                      |        3         |         0          |       3       |    45.03%    |
+----------+--------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
FRAMEWORKS: ArmoBest (risk: 42.72), cis-v1.23-t1.0.1 (risk: 66.67), cis-eks-t1.2.0 (risk: 65.38), NSA (risk: 40.51), MITRE (risk: 0.00), DevOpsBest (risk: 51.22), AllControls (risk: 39.24)

{"level":"info","ts":"2023-04-07T05:59:37Z","msg":"Scan results saved","filename":"results.sarif"}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan results have not been submitted: run kubescape with the '--account' flag
For more details: https://hub.armosec.io/docs/installing-kubescape?utm_campaign=Submit&utm_medium=CLI&utm_source=GitHub
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run with '--verbose'/'-v' flag for detailed resources view

{"level":"fatal","ts":"2023-04-07T05:59:37Z","msg":"result exceeds severity threshold","set severity threshold":"low"}

As you can see from the logs the threshold is passed to kubescape and the last line confirms result exceeds severity threshold. However, the action is not failing.

Path does not exist: results.sarif - When using the GH Action it seems the results.sarif file isn't being created

When using the GH Action it seems the results.sarif file isn't being created. When using this action

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          format: sarif
          outputFile: results.sarif
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Note: I had to update github/codeql-action/upload-sarif@v3 to v3 due to deprecation in 2024. I was able to successfully scan my repo

kubescape scan https://github.com/mrpbennett/homelab.git

My current cluster is a simple HA K3s cluster

➜ kubescape scan https://github.com/mrpbennett/homelab.git
 ✅  Initialized scanner
 ✅  Loaded policies
 ✅  Loaded exceptions
 ✅  Loaded account configurations
 ℹ️   cloning. repository url: <repo>
 ✅  Done accessing local objects
Control: C-0260 100% |████████████████████████████████████████████████████████████████████████████████████████████████████| (33/33, 162 it/s)
 ✅  Done scanning Repo
 ✅  Done aggregating results


Kubescape security posture overview for cluster: k3s-test

In this overview, Kubescape shows you a summary of your cluster security posture, including the number of users who can perform administrative actions. For each result greater than 0, you should evaluate its need, and then define an exception to allow it. This baseline can be used to detect drift in future.

Workload
┌─────────────────────┬───────────┬─────────────────────────────────────┐
│ Control name        │ Resources │ View details                        │
├─────────────────────┼───────────┼─────────────────────────────────────┤
│ Non-root containers │     3     │ $ kubescape scan control C-0013  -v │
└─────────────────────┴───────────┴─────────────────────────────────────┘

Network
┌────────────────────────┬───────────┬─────────────────────────────────────┐
│ Control name           │ Resources │ View details                        │
├────────────────────────┼───────────┼─────────────────────────────────────┤
│ Missing network policy │     3     │ $ kubescape scan control C-0260  -v │
└────────────────────────┴───────────┴─────────────────────────────────────┘


Highest-stake workloads
───────────────────────

High-stakes workloads are defined as those which Kubescape estimates would have the highest impact if they were to be exploited.

1. name: my-app-deployment, kind: Deployment
   $ kubescape scan workload Deployment/my-app-deployment --file-path=/boilerplates/kubernetes/deployment.yaml
2. name: my-cronjob, kind: CronJob
   $ kubescape scan workload CronJob/my-cronjob --file-path=/boilerplates/kubernetes/cronjob.yaml
3. namespace: default, name: homepage, kind: Deployment
   $ kubescape scan workload Deployment/homepage --namespace default --file-path=/kube-manifests-test/staging/homepage-dashboard/homepage.yml

I asked ChatGPT how to solve the issue, and it suggested I use:

  - name: List files in directory
    run: ls -l

In my action, this did point out that the results.sarif was not being created.
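Two of the issues above turn on the same gap: in the "GH action not failing" workflow the scan step has `continue-on-error: true`, so Kubescape's fatal "result exceeds severity threshold" exit never fails the job, and in the "Path does not exist" issue there is no results.sarif to upload at all. The following is an added example (not code from the kubescape/github-action project) of a separate gating step that reads the SARIF report and returns a distinct verdict for each case; the sample report is constructed, and the mapping of Kubescape severities onto SARIF levels is an assumption.

```python
"""Gate a CI job on a Kubescape SARIF report (added example, not project code).
Assumes standard SARIF 2.1.0 levels; how Kubescape maps its severities onto
those levels is an assumption here, check it against your own report."""
import json
import os
import sys
from collections import Counter

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF 2.1.0 levels

# Constructed sample in the shape the page's log shows (runs[].tool.driver.rules,
# runs[].results); messages are made up for this example.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "kubescape", "rules": [
        {"id": "C-0013", "name": "Non-root containers", "defaultConfiguration": {"level": "note"}},
        {"id": "C-0055", "name": "Linux hardening"}]}},
    "results": [
        {"ruleId": "C-0055", "level": "error", "message": {"text": "no seccompProfile"}},
        {"ruleId": "C-0055", "level": "warning", "message": {"text": "no seLinuxOptions"}},
        {"ruleId": "C-0013", "message": {"text": "runAsNonRoot not set"}}]}]})  # level omitted
# The empty report seen in the page's "Run cat results.sarif" output.
EMPTY_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "kubescape", "rules": []}}, "results": []}]})


def count_levels(sarif_text):
    """Count results per level; a result without a level takes the rule's
    defaultConfiguration.level, else 'warning', as the SARIF spec prescribes."""
    doc = json.loads(sarif_text)
    counts = Counter()
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r.get("id"): r for r in driver.get("rules", [])}
        for result in run.get("results", []):
            level = result.get("level")
            if level is None:
                rule = rules.get(result.get("ruleId"), {})
                level = rule.get("defaultConfiguration", {}).get("level", "warning")
            counts[level] += 1
    return counts


def exceeds(counts, threshold):
    """True if any finding sits at or above the threshold level."""
    floor = LEVEL_RANK[threshold]
    return any(LEVEL_RANK.get(lvl, 0) >= floor and n > 0 for lvl, n in counts.items())


def gate(path, threshold="warning"):
    """Return (exit_code, message): 0 pass, 1 findings at/above threshold,
    2 report missing or unreadable (the 'Path does not exist: results.sarif' case)."""
    if not os.path.isfile(path):
        return 2, f"{path} not found: the scan step failed or wrote a different file"
    try:
        with open(path, encoding="utf-8") as fh:
            counts = count_levels(fh.read())
    except (OSError, ValueError) as exc:
        return 2, f"cannot parse {path}: {exc}"
    summary = ", ".join(f"{lvl}: {counts[lvl]}" for lvl in ("error", "warning", "note"))
    if exceeds(counts, threshold):
        return 1, f"findings at or above '{threshold}' ({summary})"
    return 0, f"no findings at or above '{threshold}' ({summary})"


if __name__ == "__main__":  # usage: python gate_sarif.py results.sarif warning
    code, msg = gate(*sys.argv[1:3]) if len(sys.argv) > 1 else gate("results.sarif")
    print(msg)
    sys.exit(code)
```

Run it as its own workflow step after the scan (the file name gate_sarif.py is hypothetical); a non-zero exit fails the job even when the scan step itself keeps `continue-on-error: true`, and exit code 2 flags the missing-report case separately from real findings.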

Remove root user in the action's Dockerfile

The action is currently running as a root user. This is not ideal due to security implications.

The user should not be a root user.

P.S.: Thoroughly test the action before making a PR.
