From 37eda3b684c3b0e0bdc0de65ac7792aef67a8c8e Mon Sep 17 00:00:00 2001
From: emmanuelknafo <48259636+emmanuelknafo@users.noreply.github.com>
Date: Wed, 12 Feb 2025 08:34:49 -0500
Subject: [PATCH 01/10] DevOps Shield - DevSecOps Automation - Create devopsshield-sast-kubesec.yml
---
 .../workflows/devopsshield-sast-kubesec.yml | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 .github/workflows/devopsshield-sast-kubesec.yml
diff --git a/.github/workflows/devopsshield-sast-kubesec.yml b/.github/workflows/devopsshield-sast-kubesec.yml
new file mode 100644
index 0000000..db7f137
--- /dev/null
+++ b/.github/workflows/devopsshield-sast-kubesec.yml
@@ -0,0 +1,69 @@
+# Last applied at: Wed, 12 Feb 2025 13:34:49 GMT
+# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.
+# https://devopsshield.com
+##############################################################
+# This is a DevOps Shield - Application Security - Code Security Template.
+
+# This workflow template uses actions that are not certified by DevOps Shield.
+# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
+
+# Use this workflow template for integrating code security into your pipelines and workflows.
+
+# DevOps Shield Workflow Template Details:
+# ------------------------------------------------------------
+# Code: GH_SAST_KUBESEC
+# Name: Kubesec Scanner
+# DevSecOpsControls: SAST
+# Provider: ControlPlane
+# Categories: Code Scanning, Kubernetes
+# Description:
+# Security risk analysis for Kubernetes resources.
+# Kubesec is an open-source static analysis and security scanner tool for Kubernetes.
+# It scans manifest configurations and validates them against predefined security criteria.
+# Kubesec can find misconfigurations in pods or deployments.
+# Read the official documentation to find out more.
+# For more information:
+# https://kubesec.io/
+# https://github.com/controlplaneio/kubesec
+# ------------------------------------------------------------
+# Source repository: https://github.com/controlplaneio/kubesec-action
+##############################################################
+
+name: Kubesec Scanner
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+ schedule:
+ - cron: 0 0 * * 0
+
+jobs:
+ kubesec-scan:
+ name: Kubesec Scan
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run kubesec scanner
+ uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 #v0.0.2
+ with:
+ input: file.yaml # specify configuration file to scan here
+ format: template
+ template: template/sarif.tpl
+ output: kubesec-results.sarif
+ exit-code: "0"
+
+ - name: Upload Kubesec scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: kubesec-results.sarif
From 0eb497bb82cd4c55bfda0d6f1752d10a9c4fafc2 Mon Sep 17 00:00:00 2001
From: Emmanuel K
Date: Wed, 12 Feb 2025 08:38:29 -0500
Subject: [PATCH 02/10] added manifest path
---
 .../workflows/devopsshield-sast-kubesec.yml | 53 ++++++++++---------
 1 file changed, 28 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/devopsshield-sast-kubesec.yml b/.github/workflows/devopsshield-sast-kubesec.yml
index db7f137..baa12a2 100644
--- a/.github/workflows/devopsshield-sast-kubesec.yml
+++ b/.github/workflows/devopsshield-sast-kubesec.yml
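Review bot: In the `steps:` block, `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` are referenced by mutable tags while `controlplaneio/kubesec-action` is pinned to a full commit SHA with a `#v0.0.2` comment; for a job that holds `security-events: write`, pin all three the same way so that a moved tag cannot change what runs, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder SHA, to be taken from the release). The `cron: 0 0 * * 0` value parses as a plain string, but quoting it as `cron: "0 0 * * 0"` matches the quoting already used for `exit-code: "0"` and avoids any reader wondering how the asterisks are treated.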
@@ -2,9 +2,9 @@
 # DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.
 # https://devopsshield.com
 ##############################################################
-# This is a DevOps Shield - Application Security - Code Security Template.
+# This is a DevOps Shield - Application Security - Code Security Template.
-# This workflow template uses actions that are not certified by DevOps Shield.
+# This workflow template uses actions that are not certified by DevOps Shield.
 # They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
 # Use this workflow template for integrating code security into your pipelines and workflows.
@@ -16,15 +16,15 @@
 # DevSecOpsControls: SAST
 # Provider: ControlPlane
 # Categories: Code Scanning, Kubernetes
-# Description:
+# Description:
 # Security risk analysis for Kubernetes resources.
-# Kubesec is an open-source static analysis and security scanner tool for Kubernetes.
-# It scans manifest configurations and validates them against predefined security criteria.
+# Kubesec is an open-source static analysis and security scanner tool for Kubernetes.
+# It scans manifest configurations and validates them against predefined security criteria.
 # Kubesec can find misconfigurations in pods or deployments.
-# Read the official documentation to find out more.
-# For more information:
+# Read the official documentation to find out more.
+# For more information:
 # https://kubesec.io/
-# https://github.com/controlplaneio/kubesec
+# https://github.com/controlplaneio/kubesec
 # ------------------------------------------------------------
 # Source repository: https://github.com/controlplaneio/kubesec-action
 ##############################################################
@@ -33,12 +33,15 @@ name: Kubesec Scanner
 on:
 push:
- branches: [ master ]
+ branches: [master]
 pull_request:
- branches: [ master ]
+ branches: [master]
 schedule:
 - cron: 0 0 * * 0
+env:
+ manifest_path: "manifests/insecure-pod.yaml" # specify configuration file to scan here
+
 jobs:
 kubesec-scan:
 name: Kubesec Scan
@@ -50,20 +53,20 @@ jobs:
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
- - name: Run kubesec scanner
- uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 #v0.0.2
- with:
- input: file.yaml # specify configuration file to scan here
- format: template
- template: template/sarif.tpl
- output: kubesec-results.sarif
- exit-code: "0"
+ - name: Run kubesec scanner
+ uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 #v0.0.2
+ with:
+ input: ${{ env.manifest_path }}
+ format: template
+ template: template/sarif.tpl
+ output: kubesec-results.sarif
+ exit-code: "0"
- - name: Upload Kubesec scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: kubesec-results.sarif
+ - name: Upload Kubesec scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: kubesec-results.sarif
From cd5bac1d7c997d8a5b3f3f9fd026f0944081723d Mon Sep 17 00:00:00 2001
From: Emmanuel K
Date: Wed, 12 Feb 2025 08:43:53 -0500
Subject: [PATCH 03/10] fixed getting sarif template
---
 .github/workflows/devopsshield-sast-kubesec.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/devopsshield-sast-kubesec.yml b/.github/workflows/devopsshield-sast-kubesec.yml
index baa12a2..4374e37 100644
--- a/.github/workflows/devopsshield-sast-kubesec.yml
+++ b/.github/workflows/devopsshield-sast-kubesec.yml
@@ -56,7 +56,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
-
+ - name: Get sarif.tpl
+ run: wget https://raw.githubusercontent.com/bsanchezmir/kubesec-action/main/sarif.tpl
 - name: Run kubesec scanner
 uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 #v0.0.2
 with:
From 79b82fbad3d54073db8df115873f6b59e92cfcc2 Mon Sep 17 00:00:00 2001
From: Emmanuel K
Date: Wed, 12 Feb 2025 08:53:22 -0500
Subject: [PATCH 04/10] also just upload artifact
---
 .github/workflows/devopsshield-sast-kubesec.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/devopsshield-sast-kubesec.yml b/.github/workflows/devopsshield-sast-kubesec.yml
index 4374e37..f2422ef 100644
--- a/.github/workflows/devopsshield-sast-kubesec.yml
+++ b/.github/workflows/devopsshield-sast-kubesec.yml
@@ -66,7 +66,12 @@ jobs:
 template: template/sarif.tpl
 output: kubesec-results.sarif
 exit-code: "0"
-
+ # upload artifact
+ - name: Upload Kubesec scan results as an artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: kubesec-results
+ # upload artifact to GitHub Security tab
 - name: Upload Kubesec scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 with:
From 55aa6431965ac72ffc4e828acb480523cfb731d6 Mon Sep 17 00:00:00 2001
From: Emmanuel K
Date: Wed, 12 Feb 2025 08:55:05 -0500
Subject: [PATCH 05/10] use v4
---
 .github/workflows/devopsshield-sast-kubesec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/devopsshield-sast-kubesec.yml b/.github/workflows/devopsshield-sast-kubesec.yml
index f2422ef..d883ef6 100644
--- a/.github/workflows/devopsshield-sast-kubesec.yml
+++ b/.github/workflows/devopsshield-sast-kubesec.yml
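Review bot: The new `Get sarif.tpl` step fetches the template from the mutable `main` branch of a personal fork (`bsanchezmir/kubesec-action`) with no commit pin and no checksum, and that template decides what ends up in the SARIF that `upload-sarif` feeds into the Security tab, so whoever can push to that branch controls what findings this repository sees. Vendor the template into the repository, or fetch it at a fixed commit and verify it, e.g. `run: wget https://raw.githubusercontent.com/bsanchezmir/kubesec-action/<commit-sha>/sarif.tpl && echo "<sha256>  sarif.tpl" | sha256sum --check` with the placeholders filled in. The download lands as `sarif.tpl` in the workspace root, while the `with:` block of the following action step (which continues past this hunk, and in patch 02 still reads `template: template/sarif.tpl`) does not obviously reference it, so it is unclear from the hunk that the downloaded file is used at all.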
@@ -68,7 +68,7 @@ jobs:
 exit-code: "0"
 # upload artifact
 - name: Upload Kubesec scan results as an artifact
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 name: kubesec-results
 # upload artifact to GitHub Security tab
From e82f1fceda39e98dab77ab92bfc8bf7c71a6a897 Mon Sep 17 00:00:00 2001
From: emmanuelknafo <48259636+emmanuelknafo@users.noreply.github.com>
Date: Wed, 12 Feb 2025 09:06:54 -0500
Subject: [PATCH 06/10] Update devopsshield-sast-kubesec.yml
---
 .github/workflows/devopsshield-sast-kubesec.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/devopsshield-sast-kubesec.yml b/.github/workflows/devopsshield-sast-kubesec.yml
index d883ef6..3e2d716 100644
--- a/.github/workflows/devopsshield-sast-kubesec.yml
+++ b/.github/workflows/devopsshield-sast-kubesec.yml
@@ -71,6 +71,7 @@ jobs:
 uses: actions/upload-artifact@v4
 with:
 name: kubesec-results
+ path: kubesec-results.sarif
 # upload artifact to GitHub Security tab
 - name: Upload Kubesec scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
From 2fc9f3ec18346154f5eb1da91998db0e2e3d6b47 Mon Sep 17 00:00:00 2001
From: Emmanuel K
Date: Wed, 12 Feb 2025 09:11:47 -0500
Subject: [PATCH 07/10] added actual manifest file
---
 manifests/insecure-pod.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 manifests/insecure-pod.yaml
diff --git a/manifests/insecure-pod.yaml b/manifests/insecure-pod.yaml
new file mode 100644
index 0000000..bdbe871
--- /dev/null
+++ b/manifests/insecure-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: insecure-pod
+spec:
+ containers:
+ - name: insecure-container
+ image: nginx:latest
+ securityContext:
+ privileged: true
+ runAsUser: 0
+ allowPrivilegeEscalation: true
+ capabilities:
+ add: ["ALL"]
From 3af961e7ba87bdf8bcc42d08716562c63ef242ea Mon Sep 17 00:00:00 2001
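Review bot: `manifests/insecure-pod.yaml` is a deliberately failing fixture (`privileged: true`, `runAsUser: 0`, `allowPrivilegeEscalation: true`, `capabilities.add: ["ALL"]`), but nothing in the file says so, and a `manifests/` directory is exactly what a reader or a `kubectl apply -f manifests/` habit treats as deployable configuration. Add a header comment at the top of the file such as `# Intentionally insecure test fixture for the Kubesec workflow; it exists to produce findings and must never be applied to a cluster.`, or place it under a directory name that signals its purpose (e.g. `test-fixtures/`). Since the file is only scanned and the rest of the series pins nothing else here, the unpinned `image: nginx:latest` is acceptable, but the header comment should say the manifest is never deployed so the question does not recur.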
From: Emmanuel K
Date: Wed, 12 Feb 2025 09:40:14 -0500
Subject: [PATCH 08/10] avoiding action
---
 .../workflows/devopsshield-sast-kubesec.yml | 49 ++++++++++++++-----
 1 file changed, 37 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/devopsshield-sast-kubesec.yml b/.github/workflows/devopsshield-sast-kubesec.yml
index 3e2d716..558b855 100644
--- a/.github/workflows/devopsshield-sast-kubesec.yml
+++ b/.github/workflows/devopsshield-sast-kubesec.yml
@@ -41,6 +41,8 @@ on:
 env:
 manifest_path: "manifests/insecure-pod.yaml" # specify configuration file to scan here
+ report_file: "kubesec-results"
+ artifact_name: "kubesec-artifacts"
 jobs:
 kubesec-scan:
@@ -56,22 +58,45 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
- - name: Get sarif.tpl
+
+ - name: Download SARIF template
 run: wget https://raw.githubusercontent.com/bsanchezmir/kubesec-action/main/sarif.tpl
- - name: Run kubesec scanner
- uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 #v0.0.2
- with:
- input: ${{ env.manifest_path }}
- format: template
- template: template/sarif.tpl
- output: kubesec-results.sarif
- exit-code: "0"
- # upload artifact
+
+ - name: Install Kubesec
+ run: |
+ echo "installing kubesec"
+ curl -LO https://github.com/controlplaneio/kubesec/releases/latest/download/kubesec_linux_amd64.tar.gz
+ tar xzvf kubesec_linux_amd64.tar.gz
+ ls -la
+ chmod +x kubesec
+ sudo mv kubesec /usr/local/bin/kubesec
+
+ - name: Scan Kubernetes Manifests with Kubesec
+ run: |
+ echo "kubesec version"
+ kubesec version
+ kubesec scan ${{ env.manifest_path }} > ${{ github.workspace }}/${{ env.report_file }}.json
+ cat ${{ github.workspace }}/${{ env.report_file }}.json
+
+ - name: Convert Kubesec scan results to SARIF format
+ run: |
+ echo "Converting Kubesec scan results to SARIF format"
+ kubesec version
+ echo "using template"
+ cat sarif.tpl
+ echo "running kubesec scan"
+ fileOutput=${{ github.workspace }}/${{ env.report_file }}.sarif
+ echo "fileOutput: $fileOutput"
+ kubesec scan ${{ env.manifest_path }} --format template --template sarif.tpl > $fileOutput
+ ls -la
+ cat $fileOutput
+
 - name: Upload Kubesec scan results as an artifact
 uses: actions/upload-artifact@v4
 with:
- name: kubesec-results
- path: kubesec-results.sarif
+ name: ${{ env.artifact_name }}
+ path: ${{ github.workspace }}/${{ env.report_file }}.sarif
+
 # upload artifact to GitHub Security tab
 - name: Upload Kubesec scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
From 111f07b50ce40b0ac00c3e2a7968ff6c6a3fec89 Mon Sep 17 00:00:00 2001
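Review bot: The `Install Kubesec` step pulls `releases/latest/download/kubesec_linux_amd64.tar.gz` with no version pin and no checksum and then `sudo mv`s the binary into `/usr/local/bin`, which replaces the action that patch 01 had pinned to a commit SHA with a binary whose contents change whenever a new release is published; `curl -LO` without `-f` will also save an HTML error body that `tar` then fails on with a misleading message. Pin a release tag and verify the archive against a recorded SHA-256 before extracting, as sketched below (the version and digest are placeholders to be filled from the release's checksum file); the unpinned `wget ... /main/sarif.tpl` line this hunk keeps as context has the same problem. Separately, `${{ env.manifest_path }}`, `${{ env.report_file }}` and `${{ github.workspace }}` inside the `run: |` scripts are substituted into the script text by the runner before bash sees it, and since workflow-level `env:` values are exported to the step shell, `"$manifest_path"` and `"${GITHUB_WORKSPACE}/${report_file}.json"` read the same values with proper quoting and avoid the expression-in-shell shape; the scan lines changed in patches 09 and 10 use the same pattern.
```yaml
      - name: Install Kubesec
        run: |
          # KUBESEC_VERSION (a release tag) and KUBESEC_SHA256 are placeholders to be added under env:
          curl -fsSLO "https://github.com/controlplaneio/kubesec/releases/download/${KUBESEC_VERSION}/kubesec_linux_amd64.tar.gz"
          echo "${KUBESEC_SHA256}  kubesec_linux_amd64.tar.gz" | sha256sum --check
          tar xzf kubesec_linux_amd64.tar.gz
          sudo install -m 0755 kubesec /usr/local/bin/kubesec
      # … unchanged: scan, convert and upload steps …
```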
From: Emmanuel K
Date: Wed, 12 Feb 2025 09:46:59 -0500
Subject: [PATCH 09/10] specify exit code
---
 .github/workflows/devopsshield-sast-kubesec.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/devopsshield-sast-kubesec.yml b/.github/workflows/devopsshield-sast-kubesec.yml
index 558b855..4137567 100644
--- a/.github/workflows/devopsshield-sast-kubesec.yml
+++ b/.github/workflows/devopsshield-sast-kubesec.yml
@@ -43,6 +43,7 @@ env:
 manifest_path: "manifests/insecure-pod.yaml" # specify configuration file to scan here
 report_file: "kubesec-results"
 artifact_name: "kubesec-artifacts"
+ exit_code: "0" # specify exit code for failed scan (i.e. issues found)
 jobs:
 kubesec-scan:
@@ -87,7 +88,7 @@ jobs:
 echo "running kubesec scan"
 fileOutput=${{ github.workspace }}/${{ env.report_file }}.sarif
 echo "fileOutput: $fileOutput"
- kubesec scan ${{ env.manifest_path }} --format template --template sarif.tpl > $fileOutput
+ kubesec scan --exit-code ${{ env.exit_code }} ${{ env.manifest_path }} --format template --template sarif.tpl > $fileOutput
 ls -la
 cat $fileOutput
From 445853c36b008d978295a23ec020899f0c8d2d9a Mon Sep 17 00:00:00 2001
From: Emmanuel K
Date: Wed, 12 Feb 2025 09:49:21 -0500
Subject: [PATCH 10/10] exit code is at 2 places
---
 .github/workflows/devopsshield-sast-kubesec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/devopsshield-sast-kubesec.yml b/.github/workflows/devopsshield-sast-kubesec.yml
index 4137567..26108f1 100644
--- a/.github/workflows/devopsshield-sast-kubesec.yml
+++ b/.github/workflows/devopsshield-sast-kubesec.yml
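Review bot: `exit_code: "0"` makes `kubesec scan --exit-code 0` return success even when the manifest fails its checks, so the findings reach the artifact and the Security tab but never fail the job, while the trailing comment `# specify exit code for failed scan (i.e. issues found)` reads as though the job would fail. That trade-off is reasonable when the SARIF upload step must always run, but it should be stated where the value is set, e.g. `exit_code: "0" # exit status kubesec returns when issues are found; "0" keeps the job green so the SARIF upload step always runs (raise it to fail the job on findings)`. The second hunk's `kubesec scan --exit-code ... > $fileOutput` line is inside a `run: |` block whose step starts before the hunk.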
@@ -76,7 +76,7 @@ jobs:
 run: |
 echo "kubesec version"
 kubesec version
- kubesec scan ${{ env.manifest_path }} > ${{ github.workspace }}/${{ env.report_file }}.json
+ kubesec scan --exit-code ${{ env.exit_code }} ${{ env.manifest_path }} > ${{ github.workspace }}/${{ env.report_file }}.json
 cat ${{ github.workspace }}/${{ env.report_file }}.json
 - name: Convert Kubesec scan results to SARIF format
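Review bot: After this change the JSON report written by `kubesec scan ... > ${{ github.workspace }}/${{ env.report_file }}.json` is only `cat`-ed; the one consumer visible in the series, the `Upload Kubesec scan results as an artifact` step from patch 08, lists just the `.sarif` file in `path:`, so as far as these hunks show the JSON exists only in the job log and the manifest is scanned twice for it. Either include it in the artifact by changing that step to `path: |` followed by the `.json` and `.sarif` paths on the next two lines, or drop this step and keep the SARIF scan, which already carries the same findings. The `- name:` line of the step containing this `run: |` block is outside the hunk.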